FSA Details Data Security Requirements Taking Effect June 9

These 9 Elements Must Be Implemented in Institutions' Written InfoSec Program

The U.S. Department of Education’s Federal Student Aid office recently published detailed information security requirements for institutions of higher education (IHEs) that previously or currently service, administer, or aid in the administration of a Federal Student Aid program, noting that IHEs participating in FSA programs fall under the Gramm-Leach-Bliley Act (GLBA) and must comply with its mandates by June 9, 2023.

In a notice dated Feb. 9, FSA explained that final changes to the act’s Standards for Safeguarding Customer Information published by the Federal Trade Commission — which oversees compliance with the Gramm-Leach-Bliley Act — are applicable to educational institutions’ FSA-related “customer information,” which is defined as “information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.”

The FTC’s amended requirements under GLBA’s Safeguards Rule spell out the exact elements of a cyber risk management program that covered agencies and businesses must implement to protect personally identifiable information (PII) processed by or stored on the organizations’ digital systems. Prior to the updates to the Safeguards Rule, the requirements for protecting PII contained only general language requiring institutions to “develop, implement and maintain a comprehensive, written information security program containing administrative, technical, and physical safeguards.”

In its Feb. 9 notice, FSA detailed the updated GLBA Safeguards Rule requirements, how they impact post-secondary institutions, and how the Department of Education (ED) will enforce the requirements. “Institutions should coordinate with their leadership and appropriate staff to implement the requirements by June 9,” FSA advised.

Updated GLBA Requirements Applicable to Higher Ed

FSA said the purpose of updated GLBA rules is “to ensure the security and confidentiality of student information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).” FSA recommended that higher ed IT and data governance leaders seeking additional information should refer to the text of the Safeguards Rule itself and GLBA guidance provided by the FTC.

Every IHE participating in FSA programs must, starting June 9, have each of the following elements implemented as part of its written information security program (quoted verbatim from the FSA notice):

  • Element 1: Designates a qualified individual responsible for overseeing and implementing the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).
  • Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
  • Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
  • Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
  • Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).
  • Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
  • Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)).
  • Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
  • Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).
