Moran Technology Consulting

GLBA is Not a Project

By Adam Vedra, CISO & Senior Consultant

Most higher education institutions need to comply with the Gramm Leach Bliley Act (GLBA). Recent changes to the FTC Safeguards Rule have prompted institutions to re-think how they approach GLBA compliance. The impact on staffing, monitoring activities, regular risk assessments, and more have shifted the balance for many institutions who can no longer set it and forget it. GLBA is not a project, it is a program of continuous improvement.

GLBA is now more programmatic and integrated into the overall information security program. There are several key elements to the FTC Safeguards Rule, and it is important to read through it to understand the scope of the changes and how they may apply at your institution. 16 CFR part 314.6

There are some key elements to highlight in the 2021 version of the Safeguards Rule, that you should be aware of.

Qualified Individual & Personnel. The FTC requires that your institution have a qualified individual to oversee, execute, and enforce your information security program. In addition your security personnel need to trained in relevant risks, and have knowledge in threats and countermeasures.

Written Information Security Program (WISP). The FTC requires that your institution have a written information security program. This is a living document that is always adapting based several inputs in your program. It is important to understand that this is not a policy but a program document that is descriptive about the objectives and controls in your security program.

Regular Risk Assessment. A risk assessment is the foundational input into your WISP. Identified risk in your customer information should drive your programmatic decisions and design (technical, administrative, physical). A risk assessment is not a one time event, but should be a regular part of assessing your environment.

Monitoring. Once you have a program in place, controls, systems, and procedures will need to be monitored for effectiveness. The ideal approach is continuous monitoring, and this is not simply logging. Rather, this is an active evaluation of the data to determine effectiveness and to discover indicators of compromise. The safeguards allow for other methods of monitoring if continuous is not attainable.

Data Retention. Data retention policy and schedules are important to risk reduction at your institution. It is important to have good direction on handling of and disposing of sensitive information in order to prevent leaks. Furthermore, your institution does not want to retain data longer than it must. In a breach situation the loss and damage increase as the number of records retained increases.

Board Reporting. The FTC requires the qualified individual at your institution to report to the board of trustees or directors at least annually. This report must be written and include not only compliance with GLBA, but all things germane to the information security program and its status at your institution.

There is a common theme written throughout the safeguards and you can see it in the above examples. There is a regular and repeatable cadence to many activities. Security professionals are not surprised to read this, as they all know that continuous adaptation and improvement are critical when facing an ever-changing threat landscape. This means that your information security program in general and your GLBA compliance in particular will need regular attention by your institution in order to stay in compliance. This requires resourcing and executive support to maintain this kind of effort.

Once you have a handle on what GLBA and the FTC Safeguards mean for your institution, you may not know where to begin. It is important to adequately scope your environment. Determine where customer information is transported and stored. When you know the systems, people, and facilities involved you can assess for gaps against the safeguards rule. Next you should assess that environment for risk, considering threats and vulnerabilities to customer information. Finally, develop a plan of action based upon the assessments that can improve your program and reach compliance.

The updates to the FTC Safeguards are a good catalyst for many institutions to make the necessary improvements to their information security program. Each institution may find itself at a different place on the path towards compliance and a tailored roadmap for improvement is critical to making GLBA programmatic at your institution.

For further information on this topic, you can start by watching a recorded webinar with the HESS Consortium and MTC. Recorded GLBA Webinar

For particular questions about your information security & compliance program and how MTC can help you can make needed improvements, reach out to