In an age of digital transformation, more and more institutions of higher education continue to incorporate new technology, migrate to cloud-based solutions, and expand their online learning curricula. With these growing changes, the need for bolstered practices around student privacy and data security has become paramount. The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to have information security and privacy provisions that protect consumer financial data. This Act has recently been amended to strengthen data security requirements for nonbank financial institutions, including colleges and universities that provide financial aid to students.
Dr. Dawn Dunkerley, Edge’s Principal Virtual Chief Information Security Officer (vCISO), says following security standards addressed in the GLBA is important and any necessary changes were required to be completed by June 9, 2023. “Throughout my years of experience in supporting higher education, I’ve seen the letters that are sent out that indicate if your organization is not in compliance. They state that if you do not make updates to your security practices, the ability to process financial aid will be terminated. Many of the GLBA provisions are also current or anticipated insurance carrier requirements, so GLBA compliance oftentimes aligns with maintaining a good standing with your insurance carrier.”
The GLBA has two components, the Privacy Rule and the Safeguards Rule. Under the Privacy Rule, institutions are required to ensure confidentiality of Nonpublic Personal Information and comply with the Family Educational Rights and Privacy Act (FERPA). As part of the recent amendments, the Safeguards Rule outlines several key elements that must be included in an institution’s information security program.
Key Changes Affecting Institutions
By complying with the GLBA, organizations lower their risk of reputational damage and penalties for unauthorized sharing or loss of student data. According to the Safeguards Rule, colleges and universities must secure and ensure the confidentiality of private and financial information by adhering to the following provisions.
Designate an individual who is responsible for implementing an information security program. According to the new amendment, a single qualified individual must have the sole responsibility of overseeing and enforcing an institution’s information security program. “The definition of ‘qualified’ has not been specified, but there are no particular requirements for education, experience, or certificates for this role,” explains Dunkerley. “This person is often the IT director or chief information officer who has the ability to enforce these safeguards.”
Integrate risk assessment into information security programs. The Safeguards Rule states that the individual assigned to implement their organization’s information security program must submit annual risk assessments in writing. “Assessments must include criteria to assess the confidentiality, integrity, and availability of customer information,” shares Dunkerley. “Customer information defined in the updated GLBA goes beyond financial information like credit card and bank account details. This can also include personal health and personal identifiable information, so I encourage institutions to explore what systems might include this information. Risk assessments are now required to be in writing and must describe how identified risks will either be accepted or mitigated. When Edge conducts risk assessments for example, we look at the risks to customer information and identify the impact. For instance, does the risk have a confidentiality impact? This means that if an organization had a data breach of sensitive information, would this cause harm to the customer and cause harm to the institution?”
“Risk will never be zero,” continues Dunkerley, “But once we’ve applied controls, we’re accepting a level of risk and trying to mitigate it further. We must remember that risk assessments need to be reviewed and updated at least annually. If an institution changes systems or implements a new strategy, they must understand how their risks have changed and reassess the controls associated with them. Risk assessments are living documents and must grow and change as our environment changes.”
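The written risk assessment described above, as an added example that is not part of the original article or of Edge’s own tooling: a minimal risk register that scores each risk to customer information on confidentiality, integrity and availability, records the accept-or-mitigate decision, and flags entries older than a year. The 0-3 impact scale, the 1-3 likelihood scale and the sample systems are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed impact scale for the C/I/A criteria the assessment must address.
LEVELS = {"none": 0, "low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    system: str            # where the customer information lives
    threat: str
    likelihood: int        # 1 (rare) .. 3 (likely), constructed scale
    confidentiality: str   # harm to customer and institution if disclosed
    integrity: str
    availability: str
    disposition: str       # the written decision: "accept" or "mitigate"
    last_reviewed: date
    control: str = ""      # control applied when mitigating
    control_reduction: int = 0  # likelihood points the control removes

    def impact(self) -> int:
        # The worst-case C/I/A impact drives the score.
        return max(LEVELS[self.confidentiality], LEVELS[self.integrity],
                   LEVELS[self.availability])

    def inherent_score(self) -> int:
        return self.likelihood * self.impact()

    def residual_score(self) -> int:
        # "Risk will never be zero": likelihood never drops below 1 after controls.
        if self.disposition != "mitigate":
            return self.inherent_score()
        return max(1, self.likelihood - self.control_reduction) * self.impact()


def validation_errors(risk: Risk) -> list[str]:
    """A written entry must say accept or mitigate, and name a control if mitigating."""
    errors = []
    if risk.disposition not in ("accept", "mitigate"):
        errors.append(f"{risk.system}: disposition must be 'accept' or 'mitigate'")
    if risk.disposition == "mitigate" and not risk.control:
        errors.append(f"{risk.system}: mitigated risk must name its control")
    return errors


def overdue_for_review(register: list[Risk], as_of: date, max_age_days: int = 365) -> list[str]:
    """Assessments must be refreshed at least annually; returns systems past that window."""
    return [r.system for r in register if (as_of - r.last_reviewed).days > max_age_days]


REGISTER = [  # constructed sample entries, not real systems
    Risk("financial aid SIS", "credential theft", 3, "high", "moderate", "low", "mitigate",
         date(2023, 3, 1), control="MFA on all SIS logins", control_reduction=2),
    Risk("legacy file server", "unencrypted data at rest", 2, "high", "low", "low", "mitigate",
         date(2021, 12, 15)),  # mitigation claimed but no control named
    Risk("campus wifi logs", "log retention gap", 1, "low", "low", "moderate", "accept",
         date(2023, 5, 9)),
]
```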
“Implementing multi-factor authentication can be time consuming and expensive, but now there is a mandate that requires this security measure to be put in place,” says Dunkerley. “We’re also seeing some insurance carriers not renewing policies unless an institution has MFA. In regards to inventorying and classifying data according to sensitivity, each organization must know the location and sensitivity of their data, especially to effectively create access controls for customer information. Not every faculty member needs to have access to every piece of student information, and not all staff members need to have access to financial aid or the human resources information. We must take the principles of least privilege and apply access controls to include physical storage.”
“If your institution has a room where they house servers and store information, there must be physical controls on those doors to limit access,” continues Dunkerley. “The security control, encryption of customer information in transit, refers to the data flowing between an institution and external entities and having encrypted connections. Customer information at rest, meaning it’s not being processed or transmitted, must also be encrypted in an organization’s internal systems. Institutions must also use a secure change management process for both adding new software and making changes within their environment. If they are adding a new system into the environment, for example, they must make sure they have reviewed that system and the security associated with a new piece of software. Again, each institution must know and have inventoried the location of their data; understand what is on their network; and have controls in place that protect sensitive information.”
Logging and system monitoring practices allow an organization to review logs and monitor traffic in and out of their network. “If someone breaches or attempts to breach your institution, you need to have a system in place that alerts you. Edge has been working with organizations to implement these measures, including annual penetration testing and vulnerability assessments. Vulnerability assessments differ from vulnerability scans, where external scans should be conducted at least monthly, and assessments are much larger and encompass the actual vulnerabilities associated with an organization. Edge conducts these assessments quite regularly and they include a closer look at people, processes, and technology, including documentation requirements and network traffic, not just a vulnerability scan.”
As part of the newly revised GLBA, institutions must also have requirements outlined for disposing of customer information. “We must consider what we do with information after a student graduates, or if a student steps away from school for a few years and then comes back,” says Dunkerley. “This requirement is causing a lot of challenges in higher education, because in many cases, there are policies stating not to get rid of that information. The GLBA document indicates that if you are not going to dispose of this information, you must have procedures in place that protect this information and policy details that explain the reasoning for keeping this information past the stated time frame.”
Ongoing security training for personnel. GLBA already requires security training for staff, but the new provision adds that training be continually updated to include relevant and timely information. “If you do not have a training and awareness program in place, you must now train your personnel at least on an annual basis,” explains Dunkerley. “Sometimes getting leadership and faculty and staff on board with this training can be challenging, but by providing sufficient training, an institution can address relevant security risks and ensure they have the most up-to-date knowledge necessary to successfully maintain their information security program.”
Oversight of service providers. Institutions must now “periodically assess” their service providers on an ongoing basis based on the risk they present and the continued adequacy of their safety measures. “When assessing new service providers that are brought on board, an organization must ensure the contracts have the same level of safeguards for the customer information they will be storing and processing,” says Dunkerley. “An institution must also periodically assess the risk being brought to them. Has the service provider had a breach in the past? If so, did they follow their requirement to alert us? To follow best practices, I would suggest these assessments be conducted at least quarterly.”
Tapping into Security Expertise
Many institutions seek to create a holistic security approach, but have difficulty finding expertise that aligns with their needs and budget. Edge offers security services to IT leaders that can help them set programmatic goals, identify and address vulnerabilities, and improve security outcomes. Depending on an organization’s current security profile and risk management needs, Edge’s team of vCISOs can help guide the improvement of cybersecurity planning, integrate proactive assessment and remediation practices, and ensure an institution meets GLBA compliance requirements.
To learn more about strengthening information security at your institution and creating risk management strategies, visit njedge.net/solutions-overview/cybersecurity.
“Edge has been our trusted partner for over two decades. It was an easy decision to move one of our commodity internet 100Gb links to Edge. The cutover was seamless, and the move resulted in annual savings.”
– Adrienne Esposito
Director of Network Operations and Architecture
EdgeNet’s direct connection to AWS can help speed migrations to the Cloud, allow a smooth and efficient flow of research data, and deliver a secure transit of data connections. To minimize service disruptions, all traffic entering the Edge network is monitored and any issues are mitigated to ensure the EdgeNet core and all connected members remain protected.
The transition from a commodity internet provider to EdgeNet and the network’s advanced layer 3 service capability allow for member-to-member connectivity and will support institutions like FDU and Rutgers as they continue to grow and enhance their education and research initiatives. In addition to meeting the growing data and network demands of students and faculty, the need for high-speed research and collaboration continues to rise across the higher education community. Having a network that facilitates these national and global connections will be an essential factor in driving innovation and discovery forward and giving current and incoming students a superior educational experience.
To learn more about how the high-performance network, EdgeNet, can help your institution step into the future, visit njedge.net/solutions-overview/network-connectivity-and-internet2.