OMB Introduces New Information Security Audit Objectives for Higher Education Institutions

OMB Introduces New Information Security Audit Objectives for Higher Education Institutions

The United States Office of Management and Budget (“OMB”) recently issued a Compliance Supplement for 2019 that includes, for the first time, audit objectives for colleges and universities concerning compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”).  The 2019 Compliance Supplement, which is effective for audits of fiscal years beginning after June 30, 2018, identifies important compliance requirements that the federal government expects to be considered as part of an audit required by the Single Audit Act of 1984 and its 1996 amendments.  The newly added GLBA audit objectives are significant because they are the first time that compliance with information security requirements has been expressly included as part of the Title IV audit process.

Why do higher education institutions need to comply with the Gramm-Leach-Bliley Act?

The GLBA and its Safeguards Rule, 16 C.F.R. § 314, require “financial institutions” to protect sensitive data.  As explained in the OMB’s 2019 Compliance Supplement, the Federal Trade Commission considers higher education institutions that receive Title IV funds to be “financial institutions” subject to the GLBA.  Program Participation Agreements signed between higher education institutions and the Department of Education also incorporate the Safeguards Rule and require institutions to protect student financial aid information—particularly information provided to the institution by the Department.

What are the new audit objectives?

The Compliance Supplement’s newly introduced audit objectives are intended to determine whether an institution has developed, implemented, and maintained an adequate information security program under the Safeguards Rule.  The Compliance Supplement instructs auditors to verify that colleges and universities have:  

  1. Designated an individual to coordinate the information security program.
  2. Performed a risk assessment covering employee training and management, networks and information systems, and incident response, and
  3. Documented a safeguard for each identified risk.

In responding to the audit objectives, institutions will not have to address the specific content of their information security programs. Instead, they are only required to establish that they have implemented the three core elements of the Safeguards Rule as listed above.  The objectives also do not specify what documentation is required and in what format the documentation demonstrating compliance should be supplied.  Nevertheless, institutions should start working internally to prepare for the audit process in FY19.

How should higher education institutions prepare to meet the audit objectives?

As laid out by the objectives, institutions should have an employee or employees who have been designated to coordinate their information security programs.  Institutions also need to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their student financial aid information that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of such information.  Institutions should design and implement safeguards to control the identified risks, and they must regularly test or monitor the effectiveness of those safeguards.  Institutions also should oversee their service providers that are given access to this information using due diligence and contractual measures.  Finally, institutions should regularly evaluate and adjust their information security programs in light of the results of the testing and monitoring of their safeguards, any material changes to their operations, or any other circumstances that have a material impact on the programs.

Saul Ewing Arnstein & Lehr LLP’s higher education and cybersecurity and privacy attorneys regularly assist in determining whether institutions are taking appropriate steps to develop, implement, and maintain an adequate information security program.  For guidance on how best to prepare for the new audit objectives, contact the authors or the attorney at the Firm with whom you are regularly in contact.

The 2019 Compliance Supplement can be downloaded here: https://www.whitehouse.gov/wp-content/uploads/2019/07/2-CFR_Part-200_Appendix-XI_Compliance-Supplement_2019_FINAL_07.01.19.pdf

View Document(s):