GLBA Compliance in Higher Ed: Helping to Protect Student Financial Data
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host Jason Pufahl, joined by Steve Maresca and guest star today, Brian Kelly, Cybersecurity Program Director of EDUCAUSE. Brian, longtime friend, it’s great to have you here.
Brian Kelly 00:25
Thanks for having me in the studio, and I’ve been called a lot of things, but guest star, guest star, guest speaker, just guest I think is fine.
Jason Pufahl 00:33
I actually like that you call this a studio; that in and of itself makes it feel pretty impressive.
Brian Kelly 00:37
It’s very impressive production quality here.
Jason Pufahl 00:39
There we go. So I think I want to start right, so we’re going to talk today about the federal student aid requirements to comply with NIST 800-171. Really, what does all this mean to our higher ed community? I think a date that jumps out is December 9th of ’21. I’d say that’s the most recent date relative to this topic. Steve, maybe you can sort of bounce back, what, the Wayback Machine, seven years ago?
Steven Maresca 01:09
Sure. So, higher ed in general has been expected to fulfill their Title IV accreditation to receive federal funds to comply with NIST 800-171 since 2015. A Dear Colleague letter from the FSA was released to, you know, encourage self assessment relative to the standard. Now the goal ultimately is to safeguard controlled, unclassified information, which really means in practice here, data coming from the Department of Ed to help produce student loans, to help facilitate student loans. Fast forward to 2020, another letter came out, basically clarifying, making it more obvious that no truly, we do expect this. If you’ve not made any sort of progress toward that self assessment goal, it’s time to start. The December 9th ’21 reference is an amendment to the rulemaking and safeguards rule for the Gramm-Leach-Bliley Act. Now, ultimately, that means that there are new and changing expectations of financial institutions, which for these purposes, higher ed actually is, you know, they’re in that category. What that means in practice is that those organizations that have not performed self assessments, that have not made improvements relative to the standards, are frankly, behind the eight ball. And the FSA has changed their tone, they are now beginning to actually make requests for institutions to attest to their compliance and demonstrate what progress they’ve made over time.
Brian Kelly 02:45
Right, I think that history of the letter, right, the Dear Colleague letter from 2015, I think part of that is where those letters went, right? They were sent to financial aid administrators and our colleges and universities that might not have made it over to the Information Security Office, right, or that person is responsible for protecting that CUI, that controlled unclassified information. And for the last seven years, we’ve been trying to bridge those gaps. And you all may see this when you go in meet with customers and clients is that sometimes those folks that are responsible for protecting that CUI, don’t know who their Chief Information Security Officer is, they don’t know. And we’re still having those conversations, in fact, just this week with the Federal Student Aid administration, trying to help bridge those audiences, right, so making sure that the self assessments are happening, the folks know what’s going on, right, what are we trying to protect is really, really important.
Steven Maresca 03:40
Right and I would say that the right participants are still, in many institutions, not in the same room together, the key issue, and they can make attestations if they want, but they may not reflect reality.
Jason Pufahl 03:51
And this is evolved, right? So in 2015, I think there’s a pretty significant outcry by higher ed. And I think there is some hope that, you know, FSA might retract some of these, or at least pull back on some of what the requirements are and they did, somewhat, right. I think people felt a little bit like they could hold until some more, maybe more generalized rulings came out. And then 2020 came and they realized, alright, like, alright five years passed, and here we are, again. Now only one year has passed. So I think we’re starting to see here, we’re starting to see this now really set in.
Steven Maresca 04:27
I’d say there still remains ambiguity, you know, the campus security framework that the FSA promised never really got developed because of pandemic interrupting everything. And, you know, the regulatory landscape is changing.
Brian Kelly 04:40
Yeah, and I think ambiguity, you know, we talk about discretion, right? So as you look at it at some of my notes, right, how this is interpreted is a matter of discretion, for that covered entity, which is the college and university and it’s based on, you know, the size and the complexity. So you know, from your experience that different institutions are going to handle that differently, right? It’s not a one size fits all. So FSA and Department of Education sort of take a, well, you have to figure this out, right, and they give some basic principles, some highlights around what their guidance for those implementations are, but there’s a lot of latitude there.
Steven Maresca 05:18
And I think in a positive way, in some respects, the most recent rulemaking lowers the barrier to some degree, no longer is there explicit requirement for a Chief Information Security Officer, for example, that was a big ask for many organizations of smaller scale.
Brian Kelly 05:33
Right and I mean, that’s, you know, the three bullets that I have is right, the institution has appointed a person or a team to coordinate its information security program, to your point, it has conducted a relevant risk assessment, and then the most probably important part, is it has developed information security controls based on those identified risks. And I think what we’re also hearing, I think that first bullet around the person or the team, we’ve always sort of thought about it as either or, it’s either someone in the financial aid area or someone in IT or information security on campus. And I think having someone that straddles both of that, right, that has sort of maybe responsibility for that CUI in the financial aid office, but maybe reports in a dotted line to the Chief Information Security Officer, or something along those lines will help bridge those conversations that aren’t always happening.
Steven Maresca 06:28
Right. And, you know, even making that more attainable for some organizations, the qualified individual language at the moment, now opens the door for third parties to actually fulfill that role. As long as the program is developed and overseen by an entity that is sufficiently qualified, the basic requirement has been met. But I’d like to return to the assessment aspect of it. I think that there has been a good faith effort made by many institutions of higher ed to perform a self assessment. That takes many forms, some of them have been truly self assessments, not necessarily performed by people who have innate familiarity with standards. And that’s it. That means it’s a tall order, in many cases.
Brian Kelly 07:13
And that’s one of the things that EDUCAUSE has, we have an Information Security Program Assessment Toolkit. Jason, I think you’re familiar with it over the years that, you know, it hasn’t evolved much, but it is used by many of our members. But again, without someone else looking at it, right, validating your answers, helping you with those discovered deficiencies. It’s just what it is, it’s just a self assessment. And you need to take it to that next level. That’s where having someone with the experience more broadly can help, and having expertise in those areas can certainly help.
Steven Maresca 07:47
One of the major pieces of input that I’d say here is that the financial auditors that are explicitly evaluating GLBA requirements are making clear now that self assessments need to include risk analyses, actual impact analysis, and that’s been the piece missed by many organizations because you may have controlled, unclassified information, efficiently defended. If you can make that assertion by performing a risk analysis, you’ve met the obligation, it really helps to go through that thought process.
Brian Kelly 08:21
Yeah, absolutely. And I think your experience in seeing that and sort of reacting to the letters, reacting to the auditors, and helping your customers through that, really, then helps the next person in line, right, and that’s what we keep, how do we share lessons learned in higher ed, how do we and that’s what EDUCAUSE is working with from an FSA perspective is trying to say, at the end of those Dear Colleague letters, at the end of those engagements, those audits, what can you bring back to us that can be anonymized or shared in a way that every institution can benefit from it and learn, not just sort of how the impact was to those institutions you were currently at, but you know, more broadly, what can we do so that we can raise all ships, right?
Steven Maresca 09:04
So to that end, on that point, what are the common issues that you’ve seen in your interactions with many schools?
Brian Kelly 09:13
You know, I think we talked a little bit about it’s really that sort of communication between the financial aid administration, you know, administration of financial aid on campus, the Department of Education and FSA, and then IT and IT security on the campus, right. It’s sort of a three legged stool, there’s not always that good interaction, right. So understanding to your point, who’s doing the work? Who’s mitigating, following up? Those are the conversations that we’re hearing from members, right, is like, how do we, that ambiguity that you mentioned in sort of the rule leads to different interpretations of that, right. So one of the things that we formed at EDUCAUSE is there’s a NIST 800-171 community group. It’s got a couple hundred members in it, they’re meeting monthly, just to try to bring people together to have those conversations and share ideas and that originally came out of another, you know, the CMMC craziness that was going on and how it was going to impact our large R1’s. But at the heart of CMMC is 800-171. So you peel that back, and really the advice for everyone has been, don’t wait, get started in going through an 800-171 assessment, looking at what those risks are, how to mitigate and address those risks. And we talked about December 9th, 2021, and hey, we have a year, first week of June 2022 and we have, like six months, so if institutions haven’t started right, back to those main points, Steve around, what are folks, now they’re worried, right? Because now what’s going to happen is everyone’s gonna start receiving these letters, and what’s that going to look like?
Jason Pufahl 10:45
And actually, it’s interesting, because our guidance with clients is, start now, it’s going to take some time. I mean, I think, frankly, institutions can expect the assessment process itself to probably take a couple of months, but then everything that falls out and falls into that POAM, or Plan of Action and Milestones, it’s going to take a couple of years, and you’re gonna want to budget for it and advocate for the money you need to make these improvements.
Brian Kelly 11:14
And I think, it is, it’s an ongoing process. It’s not a one and done, right. It’s something that has to be baked into your process, your annual budgeting cycle, in your review cycle, your audit. So that’s, I mean, that’s great advice right in there. It’s one, don’t wait, but two, don’t think you’re just going to be done once you’ve gone through it.
Jason Pufahl 11:32
Right, but you know, we keep using the word ambiguity. I mean, in one place that I don’t feel like there is any ambiguity is the requirement to go through that assessment and understand where your gaps are, right. So, you know, as much as there might be some interpretation about how you address some of these in that control space, or what the outcomes look like, the reality is 800-171 for CMMC, 800-171 for FSA, you’re at least working with that same standard, which is great. And you do need to do an assessment institutionally.
Steven Maresca 12:02
And there’s also no ambiguity relative, to you know, applicability dates for new GLBA rulemaking, December 9th, 2022 deadline is when it’s expected to apply, right, that doesn’t mean realistically, that an organization not compliant will be immediately contacted, right. It’s in the next audit cycle, the time when it actually surfaces will be the next fall realistically after fiscal closes and financial audits occur. There’s a timeline here, and it just needs to really be emphasized that beginning somewhere is the most important step because the FSA knows, just like the DoD, from the perspective of CMMC, there are very few organizations that are legitimately compliant with NIST 800-171. Beginning and making forward movement is fundamentally the most important aspect of all this.
Jason Pufahl 12:51
Demonstrable progress. Right? Yeah, you definitely can’t, you can’t ignore it and expect any leniency later.
Steven Maresca 12:57
And on that point, you know, the FSA communications do reflect that reality. They’re not asking for perfection. They’re asking for demonstration of corrective actions from the last assessment having been documented, having been resolved, and having been tracked, that’s all that they’re truly asking for today.
Brian Kelly 13:20
Right, and a lot of that, to your point, it’s not a tech, it’s not always a technical spend. It’s documentation, it’s people, it’s a process, it’s making sure that’s baked into the organizational process. And I think, as you said, the you know, the audit cycle, we know that we’re aware of that, I think, you know, worried a little bit about sort of the safeguards rule, and the FTC’s reporting rule changes that might then start the process. Yeah, as you’ve reported an incident, then you’re going to have a different view, your FSA is gonna have a different view. And you’re gonna go through a different process after you’ve reported an incident, right? So back to that sort of incident ready or working through sort of that risk assessment, impact assessment of, as you’re going through these, if we were to have a reportable incident, what does that look like? It’s always a good time to use that as a tabletop exercise or practice that, before that reporting requirement kicks in.
Steven Maresca 14:14
I want to bring this back to the central point, it’s about data. And few organizations, even if higher maturity can assert that they truly know where their data originates, where it ends up and how it flows. This is a learning exercise, and frankly, beginning to understand where the data actually resides, the protections that are appropriate for it, and you know, downstream uses of it really helps to frame every other part of the conversation.
Brian Kelly 14:41
And my mind went there, Jason, when you said that this is a process, a long process, right? In my time as a CISO at an institution, we started down that journey of trying to figure out that data lifecycle, we ended up talking to like 27 different areas and sort of, you start to cycle through that right? You know, what your own experience where, who did you get that data from? What business unit did you get that data from, and who do you share it with? And each of that is an iterative cycle to that process, but you have to go through it. Because if you don’t, to your point, know the entirety of that data’s lifecycle, then there’s gaps, right? And that’s what gets you in trouble.
Steven Maresca 15:20
And furthermore, making an assertion that you’re compliant with the control may not be reasonably possible, if the data is unknown, right? So starting there, that’s the first step for anyone that feels like they’re behind.
Jason Pufahl 15:32
Yeah, I think, Brian, you used the term early on, right, one of the definitions described, the team approach, you know, a combination of your security office, you know, folks in admissions, financial aid, etc. It’s a real opportunity here to work across the institution, understand the business, and really, you know, sort of demonstrate that this information security role is a business value. And I think, yeah, I probably come back, or come out of this from having been a CISO, you know, maybe 10 years ago for higher ed, and it was very much a tactical position, right? It was do you have firewalls, do you have some of these controls in place? Now you are a member of moving an institution forward, right, you have a critical role in moving the institution forward, and I think that’s how this needs to be viewed.
Brian Kelly 16:24
Yeah, absolutely. And I think that’s what we’ve seen is that cultural shift, since you and I were practicing, right, it was sometimes security was adding friction to the conversation, and culturally that’s changing from the office of “no, you can’t do that,” and David Sherry at Princeton, I think, is the first person I heard use this, right, you know, to the office of “know,” we want you to know how to do this securely, we want you to know what the right way to do it is. And I think that is the enabler that we’ve seen, you know, information security become through the pandemic, certainly, and over the last couple of years. And I think, for folks listening to this, right, if you’re a CISO, this is an opportunity for you to go over and talk to your Director of Financial Aid, have a conversation about this, and how, to Steven’s point, doing this correctly, can allow you to continue to offer aid and loans and, and help your enrollment, help student retention, help recruiting, all the things that some institutions might be struggling with, right. So instead of feeling like information security is gonna get in the way or make this harder, there’s an opportunity there. And if you’re listening to this, and you’re a financial aid administrator, go over and have a conversation with your CISO, right, and really bring those folks together.
Steven Maresca 17:32
And your Institutional Research Representatives, because they are the folks who report, track progress and make those particular metrics actually move forward. And frankly, they’re intimate with the data. They’re great to talk to for this as well.
Brian Kelly 17:46
Great catch, great call out.
Jason Pufahl 17:47
But that evolution in security, I mean it really is apparent nowadays, where you can’t be a security practitioner and have “no” be a dominant piece of your vocabulary. And maybe every once in a while, maybe you want to say it. But for the most part, it is all about shades of grey, it’s enabling the business, and it’s enabling it in a way that’s more secure than it was before.
Brian Kelly 18:07
And we’ve had good conversations with federal student aid, there’s new leadership there, their culture is changing as ours is as well. And I think there is genuine intent to try to help, to Steven’s point, protect controlled, unclassified information, to protect student information. And they’re, I think they’re trying to make a good faith effort to help us help our institutions protect that data, not just sort of be the auditor to come in and ding you for not doing it, but help you get to doing it, right, so they don’t have to ding you.
Jason Pufahl 18:38
So Brian, you have the the enviable position of having perspective across, let’s say, institutions of all sizes, right, R1’s, I think we do a lot of work in the smaller liberal arts colleges, typically, but they probably didn’t have any obligation for 800-171 relative to CMMC before. Would you say there’s much of a difference in capability to comply with these FSA rules for institutions that are more familiar, historically, from this 800-171 perspective?
Brian Kelly 19:10
It depends, right? That’s the lawyer answer, right? It depends on the size and complexity of the institutions. You know, I think coming from a smaller institution, when I was in the CISO role, I always thought the larger, more well-resourced institutions had everything they needed, and they don’t always. So either the size or the prestige of the institution isn’t always an indicator that they’re more mature, sometimes they’re more complex, right? So that goes back to, your systems might be much easier to comply with 800-171 because you are a smaller liberal arts college, you actually know who the people are, they might sit in the same building as you, so you know, there’s pluses and minuses to both sides of that, but I think, you know, having started it and gone through it as a practitioner, it’s manageable, but I always felt like you do need a third party to come in and help you close gaps, to help facilitate conversations. And certainly, we don’t know and see everything when we’re sitting myopically at our desk in an institution as the Chief Information Security Officer, we don’t necessarily know what’s happening at those other institutions. So my broad view now is to help try to connect and collect those dots. And certainly you, you all do in your role with the different clients that you support. You can bridge best practices and share, you know, ideas. And that’s really what EDUCAUSE is trying to do is take institutions that are more mature and further along in the 800-171 journey, and help that be actionable to the smaller schools. And that’s, I think what we see in those 800-171 community group meetings, is a lot of, there’s a lot of folks that attend, that they want to listen and learn, and there’s some that are going to dominate those calls, and they’re going to share what they’ve done. And that’s where we see a lot of the progress being made and that type of, and that’s something you know, from higher ed, it’s a very open sharing, and we’re all trying to help each other which is, which is really, I think, helping move this compliance needle forward.
Jason Pufahl 19:10
Yeah, I mean, the other thing I know about higher ed is they’re not always the fastest moving entity. So you know, harkening back to my previous comment, start soon, because, frankly, there are going to be conversations that happen across the institution, there are other priorities that compete with this, you know, the sooner you begin, the more likely you are to ultimately complete it, and higher ed doesn’t, you know, they don’t, they don’t rush to get these things done, typically.
Steven Maresca 21:29
I’d like to reframe that a little bit, even, starting in a consistent way to respond to some of these issues, frankly, reduces friction, increases efficiency, because the audit is yearly from a financial standpoint, it’s not, it doesn’t change, right. And it’s always a substantial amount of effort, anything that enables easy reporting, and easy attestation is going to make that less painful for all participants.
Jason Pufahl 21:55
Maybe revisiting each year and simply updating those things that maybe have changed.
Steven Maresca 21:59
Exactly. So more formality in some areas will simply reduce effort in others, is my expectation, right.
Brian Kelly 22:05
And in the long view, and to your point, getting started, right, we keep coming back to getting started, doing it, taking some steps forward, in that, at this point in time, we don’t have the obligation, our members will not be able to say they were unaware that this was coming, right, your customers can’t, and that’s not a defensible position with FSA to say, well, we didn’t know, that’s why we didn’t do anything. And I think Steven, you said this earlier, even if you’re not completed, right, showing progress, showing that you’ve started it, will help you in those conversations with auditors and regulators, versus just saying, well, we didn’t do anything.
Jason Pufahl 22:40
Right, yeah. I mean, so I always look, I always try to feel like where’s the right spot, where is the right spot to wrap up? And it really feels that this piece of the conversation, we’re saying get started, because saying you didn’t know isn’t defensible. You’re already halfway through the year at this point. It’s certainly not too late to meet the upcoming December deadline, but at the same time, summer’s here. So, everybody has plans over the summer, you probably aren’t getting started in earnest at this point until maybe September. Especially if you want guidance from third parties, they’ll most likely start to get more calls. The standard is not incredibly complicated. But I’d say the questions do require some interpretation, right, so getting some third party advice is definitely helpful. Start now, so there’s no doubt about it.
Brian Kelly 23:35
Don’t wait. And don’t hesitate to reach out to partners, third party partners, to EDUCAUSE to your other institutional members, you know, folks know each other in this community, and it really is a great community.
Jason Pufahl 23:49
Yeah, and honestly, you know, having come from higher ed, and now actually having the opportunity to support a lot of them. I do miss that ongoing collaborative aspect, right. There’s real value in that, I think everybody’s willing to come together. So reach out to your peer institutions as well, for sure. So, on that note, Brian, I truly appreciate you making the trek down to come in person, which is great.
Brian Kelly 24:12
Yeah, it’s good to get out.
Jason Pufahl 24:14
And hopefully have you on, you, in the not too distant future. And of course, if anybody has any questions relative to 800-171 or any of the compliance requirements around this FSA stuff that we’re talking about here, we’re happy to talk more, we can have Brian on again, of course, we can do sort of smaller discussions, happy to engage in whatever way that sort of facilitates a better understanding.
Brian Kelly 24:37
And I’ll share all the EDUCAUSE links and things you can post in the show notes so folks can go out and find those as well.
Jason Pufahl 24:42
Super, Brian, thank you.
Stay vigilant, stay resilient. This has been CyberSound.