Higher education institution leaders are faced with ever-changing security environments, risk, and staffing issues, so maintaining a firm grasp on regulatory compliance can fall to the bottom of the priority list. While this is understandable, it’s important to understand the security requirements and repercussions that an institution can face for lack of compliance.
This short Gramm-Leach-Bliley Act (GLBA) and Federal Trade Commission (FTC) 16 CFR Part 314 compliance quiz may help you identify some weak areas that simply need a little more attention. The correct answers will be shown upon completion of the quiz. If you feel you need help, we have a dedicated higher education cybersecurity team at FORVIS ready to assist you.
Answers
- True – Due to the type of information collected from students to provide certain financial services, the FTC has deemed institutions of higher learning to be financial institutions.
- False – The GLBA addresses customer (student) information as any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form.
- A risk assessment – The Safeguards Rule in Section 314.4 (b) states you will “base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security.”
- December 9, 2022 – The original date was set for December 9, 2022; however, an update from the FTC moved this date out to June 6, 2023. But note, while the compliance date was pushed out, hackers are still actively working to take advantage of your weaknesses.
- False – While encrypting sensitive information in transit is imperative, encrypting all data is a requirement. This includes any data “held or transmitted” by the institution, including data at rest.
- For any individual accessing any information system – MFA has become an incredibly valuable tool to address unauthorized access, especially in the event of stolen or lost login credentials. The rule now requires MFA to be enabled for all users.
- False – Section 314.4(f) addresses taking reasonable steps to select and retain service providers to ensure they are capable of maintaining needed security standards. This will include a periodic assessment of the service provider to validate that it maintains agreed-upon security requirements.
- Penetration testing – A new and very important aspect of the Safeguards Rule addresses the requirement for penetration testing. Internal and external penetration testing is expected to be completed at least annually and vulnerability scanning every six months.
- Logging and monitoring user activity – A recent change to the rule states: Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
- False – The Safeguards Rule relates more to governance than technical controls. It does address getting the board involved at least on an awareness basis: “Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body.”