We wanted to issue a brief reminder to all of our clients about the upcoming due date for the new Safeguards Rule requirements that apply to Title IV institutions. The new requirements issued by the FTC garnered headlines earlier in 2022, but we recognize that compliance with the new controls may have slipped on many organizations’ checklists as competing initiatives took priority.
While previous guidance from the FTC contained more general language regarding cybersecurity program specifics, the guidance issued at the end of 2021 was very specific and outlined several key cybersecurity program requirements, including:
- Designating a qualified individual to oversee the Information Security Program
  - This ‘individual’ can be an employee, service provider, or affiliate; however, if it is either of the external options, they must have oversight from an institutional employee.
- Conducting a risk assessment with written results
  - The FTC laid out some general requirements as to what a risk assessment must contain, such as identifying risks, assessing the controls associated with those risks, and how the organization will mitigate or accept the risks identified.
- Specific information security program requirements, including:
  - Creating an inventory of data, personnel, and systems
  - Encrypting personal data at rest and in transit
  - Implementing multi-factor authentication for key systems
  - Creating and maintaining a change management process
  - Performing vulnerability scanning and penetration testing
  - Requiring and documenting security awareness training
  - Creating, testing, and maintaining an incident response plan
These requirements may seem overwhelming; however, there is still time to comply with the new Safeguards Rule by the new deadline of June 9, 2023. The majority of these requirements can be addressed with a third-party security assessment against a known framework such as the Center for Internet Security (CIS) Controls or the NIST Cybersecurity Framework (CSF). Strata Information Group (SIG) can perform these assessments and work with your technical teams to ensure that controls are in place (or planned for implementation) that will help your organization comply with the new requirements. Contact SIG to request assistance with the Safeguards Rule today. Consultations with our security team about the legislation are free.
Additional analysis for higher education is available from Educause here.