Columbia Advisory Group
GLBA audit findings will affect an institution’s participation in Title III and Title IV programs
On December 9, 2021, the Federal Trade Commission (F.T.C.) issued final regulations (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an essential component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting consumers’ privacy and personal information. Changes to the Safeguards Rule were effective on June 9, 2023.
The regulations use the terms “customer” and “customer information.” For an institution’s compliance with GLBA, customer information is obtained from providing a financial service to a student (past or present). Institutions or servicers offer a financial service when they, among other things, administer or aid in administering the Title IV programs, make institutional loans, including income share agreements, or certify or service a private education loan on behalf of a student.
The Department of Education conducts compliance audits, including audits of compliance with the Gramm-Leach-Bliley Act (GLBA). GLBA audit findings will affect an institution’s participation in Title III and IV programs in the same way as any other determination of non-compliance. Failure to comply with GLBA will require resolution through a Corrective Action Plan (C.A.P.).
To reduce risk, an institution’s written information security program must include the following nine elements. Columbia Advisory Group’s Governance, Risk, Compliance, and vCISO Security Services are equipped to handle all 9 elements:
Element 1: Designates a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information security program.
Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment.
Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
Element 5: Provides for implementing policies and procedures to ensure that personnel can enact the information security program.
Element 6: Addresses how the institution or servicer will oversee its information system service providers.
Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program.
Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan.
Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly, and at least annually, to those with control over the institution on the institution’s information security program.
For additional information, please review the final regulation:
Please let us know your questions, comments, or concerns. We would be more than happy to set up a meeting to discuss how Columbia Advisory Group Security Services addresses each element.
About Columbia Advisory Group
Founded in Dallas in 2012, Columbia Advisory Group LLC (CAG) is an established IT consulting firm renowned for delivering cost-effective, meaningful, and practical IT solutions that solve complex business problems. Our seasoned teams offer comprehensive insight across diverse regulatory and economic environments, providing unbiased, straightforward analysis and recommendations. We pride ourselves on our deep understanding of IT while remaining software and hardware-agnostic. Regardless of your organization’s growth trajectory or economic landscape, we at CAG are adept at adapting to your unique needs and complexity, offering tailored solutions to drive your success.
Contact us at info@columbiaadvisory.com.