Gramm-Leach-Bliley Act (GLBA) applies to higher education institutions because they participate in certain types of financial activities that are defined in banking law. Administering federal student loans is one of the main activities that pull institutions under GLBA compliance regulations. However, because colleges and universities don’t entirely fit the traditional model of a financial institution, the FTC has provided some flexibility on the privacy side.
The Privacy Rule regulations enacted by the FTC specifically state that colleges and universities are in compliance with the rule if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). Thus, colleges and universities do not have to bear the unique burdens of the Privacy Rule in addition to those they must already address under FERPA.
Higher education compliance with the Safeguards Rule Standards, released in 2002, however, was not similarly exempted. Under those regulations, financial institutions (including higher education institutions) must
…develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
Therefore, colleges and universities must meet the GLBA Safeguards Rule’s requirements, which aim to:
Insure the security and confidentiality of customer records and information
Protect against any anticipated threats or hazards to the security or integrity of that customer data
Protect against unauthorized access to or use of customer data, which could result in substantial harm or inconvenience to customers
Data Security Checklist and Best Practices for Compliance
Policy and Governance
Develop a comprehensive data governance plan that outlines organizational policies and standards regarding data security and individual privacy protection. The plan should clearly identify staff responsibilities for maintaining data security and empower employees by providing tools they can use to minimize the risks of unauthorized access to Personally Identifiable Information (PII).
Make computing resources physically unavailable to unauthorized users. This includes securing access to any areas where sensitive data (i.e., data that carry the risk for harm from an unauthorized or inadvertent disclosure) is stored and processed, such as buildings and server rooms. An unlocked server room is an invitation for malicious or accidental damage. Monitor access to these areas to prevent intrusion attempts (e.g., by administering identification badges and requiring staff and visitors to log in prior to entering the premises or accessing the resources).
Inventory of Assets
The inventory should include both authorized and unauthorized (including personal) devices used in your computing environment. Automated programs continuously scan the internet for vulnerable systems, and any unsecured device they discover can be compromised. Inventorying and network mapping will give your organization a better understanding of the security requirements needed to protect your assets.
Create an Acceptable Use Policy that outlines appropriate and inappropriate uses of the Internet (public network), Intranet (the institution's private internal network), and Extranet (private network accessible to authorized outsiders) systems. Incorporate security policies in job descriptions and specify employee responsibilities associated with maintaining compliance with these policies. Conduct regular checks and training to ensure employee understanding of the terms and conditions of their employment. Confirm the trustworthiness of employees through the use of personnel security screenings, policy training, and binding confidentiality agreements.
Network mapping provides a critical understanding of the enterprise (servers, routers, etc.) and its connections. Furthermore, network mapping can capture applications and associated data. A robust mapping capability will show the dependencies between applications, data, and network layers, and highlight potential vulnerabilities. Performing an internal vulnerability scan can provide this inventory of devices and their vulnerabilities.
The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are. Multi-factor authentication (MFA) combines two or more of these elements and provides more security than a user name and password alone. Consider enabling MFA for any application that offers it, especially for email and for access to systems that contain PII.
When sensitive data is stored on mobile devices, such as laptops or smartphones, the data should be encrypted.
Securing data access includes requiring strong passwords and multiple levels of user authentication, setting limits on the length of data access (e.g., locking access after the session timeout), limiting logical access to sensitive data and resources, and limiting administrative privileges. Role-based access is essential for protecting PII and sensitive data; defining specified roles and privileges for users is a required security procedure. Sensitive data that only a few personnel have access to should not be stored on the same server as other types of data used by more personnel without additional protections for the data.
Routine Vulnerability Scanning (Internal and External)
When new vulnerabilities (in hardware, operating systems, applications, and other network devices) are discovered, attackers immediately scan networks for these vulnerabilities. Scanning your network and systems on a regular basis will minimize the time of exposure to known vulnerabilities.
Audit and Compliance Monitoring
Compliance Audits / Risk Assessments should be done to ensure ongoing compliance and effectiveness of your security controls and program.
Provide a Layered Defense
Employ a “Defense in Depth” architecture that uses a wide spectrum of tools arrayed in a complementary fashion. The most common layers to protect are hosts (individual computers), applications, networks, and perimeters. There are specific security controls that are suited for use at each of these layers.
It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security. Continuous scanning to ensure system components remain in a secure state is a critical capability that will enhance data security protection. Proactive management of security risks also involves establishing a comprehensive change management program to analyze and address security and privacy risks introduced by new technology or business processes.
Firewalls with Intrusion Detection / Prevention Systems (IDPS)
An IDPS is a monitoring device that is designed to detect malicious activity on the network. Although some automatically take remediation action, most report suspicious activity to a central monitoring point for further analysis.
Make sure security patches are applied to operating systems and third-party apps (Java, web browsers, office apps, PDF readers) in a timely manner.
Emailing Confidential Data
PII or other sensitive data sent by email should be protected with email encryption to ensure data privacy.
When an incident does occur, it is critical to have a process in place to both contain and fix the problem. Procedures for users, security personnel, and managers need to define the appropriate roles and actions. Having the correct procedures in place from the start will minimize the impact and damage, and will support outside experts when they conduct forensic investigations.