Protecting student, staff, and faculty data – and ensuring the ongoing continuity of an institution’s operations – eclipses almost every other institutional priority of a university’s IT services department.
An important regulation that universities must comply with to protect sensitive financial information is the Gramm-Leach-Bliley Act (GLBA), particularly its Safeguards Rule. Compliance with this regulation is a mandatory requirement to remain eligible to administer Title IV federal student aid. It is also required to ensure a university’s overall cybersecurity compliance profile. The deadline for compliance with the Safeguards Rule is June 9, 2023.
I recommend working towards Safeguards Rule compliance by aligning your institution’s information security program with a cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is a widely accepted framework that provides a structured approach to managing cybersecurity risks and achieving compliance with regulatory requirements like the GLBA Safeguards Rule. The framework is designed to be flexible and adaptable to the unique needs of an organization, making it an invaluable tool for achieving GLBA compliance.
The NIST CSF consists of five (5) core functions: identify, protect, detect, respond, and recover. These functions provide a holistic view of an organization’s cybersecurity posture and can be readily mapped to the requirements of the GLBA Safeguards Rule.
Identify: The “identify” function of the NIST CSF involves understanding the university’s assets, vulnerabilities, threats, and impacts. It aligns with the requirement of the GLBA Safeguards Rule that financial institutions conduct regular risk assessments to identify potential vulnerabilities in their information security systems, investigate the likelihood and impact of potential threats, and implement appropriate controls to mitigate the risks.
Protect: The “protect” function covers implementing safeguards to prevent, detect, and correct security violations. It aligns with the GLBA Safeguards Rule’s requirement that financial institutions develop and implement a written information security program that includes administrative, technical, and physical safeguards to implement access controls, encryption systems, and other security measures to protect sensitive financial information.
Detect: The “detect” function informs the ongoing monitoring of an institution’s systems and networks for security violations. It addresses the GLBA Safeguards Rule’s requirement that financial institutions conduct regular risk assessments to identify and address potential vulnerabilities in their information security systems to monitor for and respond to security incidents, such as unauthorized access to sensitive financial information.
Respond: The “respond” function of the NIST CSF involves taking appropriate actions to contain the impact of a security violation. This function addresses the GLBA requirement that financial institutions train their employees on information security risks and the importance of protecting customer information, developing incident response plans and training employees on how to recognize and report suspicious activity.
Recover: Finally, the “recover” function of the NIST CSF covers restoring normal operations as quickly as possible following a security violation. This function fulfills the Safeguards Rule’s requirement that financial institutions develop and implement a written information security program that includes administrative, technical, and physical safeguards that can be used to develop and implement disaster recovery plans so that critical systems and services can be restored quickly following a security incident.
While implementing a cybersecurity framework like the NIST Cybersecurity Framework is an essential tool for universities looking to comply with the GLBA Safeguards Rule, doing so is not sufficient in and of itself to become 100% compliant. A designated qualified individual within your organization is required to implement and supervise your information security program. That individual must report to your institution’s Board to be in complete compliance with the Safeguards Rule.
Even so, aligning your information security program within an established cybersecurity framework can enable you to effectively manage your cybersecurity risk profile and ensure that the confidentiality, integrity, and availability of your institution’s sensitive financial information remains intact and secure.
Remember, attaining cybersecurity nirvana and regulatory compliance is a process, and not a destination. Seek progress over perfection.
At Apogee, we bring over two decades of experience solely serving higher education and secure network computing. To learn more how partnering with Apogee can help your institution with its cybersecurity and compliance practices, we invite you to talk to one of our higher education experts by filling out this form.