OMB Introduces New Information Security Audit Objectives for Higher Education Institutions

Saul Ewing Arnstein & Lehr LLP

The United States Office of Management and Budget (“OMB”) recently issued a Compliance Supplement for 2019 that includes, for the first time, audit objectives for colleges and universities concerning compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”). The 2019 Compliance Supplement, which is effective for audits of fiscal years beginning after June 30, 2018, identifies important compliance requirements that the federal government expects to be considered as part of an audit required by the Single Audit Act of 1984 and its 1996 amendments. The newly added GLBA audit objectives are significant because they mark the first time that compliance with information security requirements has been expressly included as part of the Title IV audit process.

Why do higher education institutions need to comply with the Gramm-Leach-Bliley Act?

The GLBA and its Safeguards Rule, 16 C.F.R. § 314, require “financial institutions” to protect sensitive data.  As explained in the OMB’s 2019 Compliance Supplement, the Federal Trade Commission considers higher education institutions that receive Title IV funds to be “financial institutions” subject to the GLBA.  Program Participation Agreements signed between higher education institutions and the Department of Education also incorporate the Safeguards Rule and require institutions to protect student financial aid information—particularly information provided to the institution by the Department.

What are the new audit objectives?

The Compliance Supplement’s newly introduced audit objectives are intended to determine whether an institution has developed, implemented, and maintained an adequate information security program under the Safeguards Rule. The Compliance Supplement instructs auditors to verify that colleges and universities have:

  1. Designated an individual to coordinate the information security program;
  2. Performed a risk assessment covering employee training and management, networks and information systems, and incident response; and
  3. Documented a safeguard for each identified risk.

In responding to the audit objectives, institutions will not have to address the specific content of their information security programs. Instead, they are only required to establish that they have implemented the three core elements of the Safeguards Rule listed above. The objectives also do not specify what documentation is required or in what format the documentation demonstrating compliance should be supplied. Nevertheless, institutions should start working internally to prepare for the audit process in FY19.

How should higher education institutions prepare to meet the audit objectives?

As laid out by the objectives, institutions should have an employee or employees who have been designated to coordinate their information security programs.  Institutions also need to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their student financial aid information that could result in the unauthorized disclosure, misuse, alteration, destruction, or compromise of such information.  Institutions should design and implement safeguards to control the identified risks, and they must regularly test or monitor the effectiveness of those safeguards.  Institutions also should oversee their service providers that are given access to this information using due diligence and contractual measures.  Finally, institutions should regularly evaluate and adjust their information security programs in light of the results of the testing and monitoring of their safeguards, any material changes to their operations, or any other circumstances that have a material impact on the programs.

The 2019 Compliance Supplement can be downloaded here:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing Arnstein & Lehr LLP | Attorney Advertising
