OMB Introduces New Information Security Audit Objectives for Higher Education Institutions – JD Supra
Written by Saul Ewing Arnstein & Lehr LLP
The United States Office of Management and Budget (“OMB”) recently issued a Compliance Supplement for 2019 that includes, for the first time, audit objectives for colleges and universities concerning compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”). The 2019 Compliance Supplement, which is effective for audits of fiscal years beginning after June 30, 2018, identifies important compliance requirements that the federal government expects to be considered as part of an audit required by the Single Audit Act of 1984 and its 1996 amendments. The newly added GLBA audit objectives are significant because they are the first time that compliance with information security requirements has been expressly included as part of the Title IV audit process.
Why do higher education institutions need to comply with the Gramm-Leach-Bliley Act?
The GLBA and its Safeguards Rule, 16 C.F.R. § 314, require “financial institutions” to protect sensitive data. As explained in the OMB’s 2019 Compliance Supplement, the Federal Trade Commission considers higher education institutions that receive Title IV funds to be “financial institutions” subject to the GLBA. Program Participation Agreements signed between higher education institutions and the Department of Education also incorporate the Safeguards Rule and require institutions to protect student financial aid information—particularly information provided to the institution by the Department.