I’ve seen a slow and steady increase over the past decade in the cybersecurity requirements included in my organization’s annual financial audit (the Gramm-Leach-Bliley Act, or GLBA, audit). Moving from 2022 to 2023, we are about to see a huge jump in potential GLBA audit objectives.
Disclaimer
Now that we’re getting into audit topics, I will reiterate my disclaimer. All opinions on this blog are my own and not those of my employer. I’m not a lawyer and cannot give legal advice; I recommend everyone check with their legal counsel when appropriate. I share my experiences and observations from my work and collaborations throughout my career. Always talk to your auditors about what they want to see from your organization.
Why is there a change?
The extremely short version: the FTC Safeguards Rule has been revised to be more specific about what it requires of covered institutions. Higher education institutions that receive Title IV federal financial aid are audited against the FTC Safeguards Rule. The rule is written for financial institutions, so applying it proves challenging for higher education. Institutions are expected to comply with the updated rule by December 9, 2022. In practice, these new audit objectives will come into play in the summer 2023 audit.
What resources are available to help navigate this change?
On this blog I plan to go through the changes section by section in a series of posts. That’s probably not the most thrilling reading ever. However, I want to share what I’ve come to understand after spending the last 9 months studying this. These regulations require interpretation, as regulations always do.
Beyond this blog, here are some key resources I use.
- Code of Federal Regulations eCFR of the rule – this site has the published regulations in a format that allows you to link to an individual sub-section and search by keyword.
- Original Federal Register publication of the rule – this is the PDF of the published regulations, which is text-heavy and laid out in 3 columns.
- EDUCAUSE analysis from December 2021 – this was my starting point in unpacking the regulations and a very helpful article.
You can, of course, use your internal audit, security, or policy experts or your security vendors. Most security vendors I talk to are familiar with these changes and can assist.