Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Is your higher-ed institution ready for the Safeguards Rule?

Nov 14, 2023

On June 9, 2023, the FTC applied the Gramm–Leach–Bliley Act, also known as the Safeguards Rule, requirements to the higher education industry.

Postsecondary institutions are now classified under the umbrella of financial organizations and are expected to secure and protect student financial aid information. According to the FTC, they must agree that student information is guarded from “unauthorized personnel, and that they are aware of and will comply with all of the requirements to protect and secure data.”

To maintain compliance and keep student data secure, your institution can start by developing a robust, written information security program.

Developing your program

According to the Safeguards Rule, your institution must have a written information security program that includes the following nine, actionable elements:

1. An information security strategy

Designating an individual to lead information security strategy for your organization is a critical part of compliance.

If you don’t have a chief information security officer or director of security, it doesn’t mean you’re in violation of the rule. However, it is essential to appoint someone with experience to help you implement proper security procedures.

You may want to consider outsourcing this role if you lack the skillsets internally. By doing so, you can help ensure that your institution’s security needs are met effectively and efficiently.

2. Risk assessment

Your institution will need to complete a comprehensive risk assessment that identifies both internal and external risk to your data. This assessment should also include external vendors and third-party organizations who have access to your institutional data.

3. Data security safeguards

As a part of your program, you’ll need to design and implement reasonable data security safeguards.

Which safeguards you apply can vary, but some options include:

  • Implementing multi-factor authentication across your organization to add additional layers of cloud security.
  • Combining intrusion detection with your everyday anti-virus application.
  • Creating stricter rules for accessing your virtual private network to help ensure institutional data is protected.

4. Regular testing

Once your safeguards are in place, you need to conduct regular testing to evaluate their effectiveness.

Monitoring your systems is also required for compliance. Your institution will need to regularly measure your vulnerability or conduct annual or semi-annual penetration tests.

5. Personnel training

In addition to adding safeguards to your systems, you also need to ensure that your institution’s personnel can understand and follow your information security policies.

Online training options, such as KnowBe4, make training easier and more convenient for staff. They can also help increase your staff’s overall security awareness and prepare them for the inevitable phishing email attempts.

6. Vendor management

Your institution will need to account for how your organization oversees service providers.

Governance over vendors is crucial and ties into your risk assessment. Your organization needs to know where your providers are storing their data and whether they have a disaster recovery plan for their own systems.

7. Corrective action

Depending on the results of your risk assessment and regular testing, you’ll need to evaluate and adjust your information security policies.

In addition to acting on the results of your monitoring processes, you can also form a governance committee of officers for strategic planning. The goal of this committee should be to eliminate and reduce future risk.

8. An incident response plan

Having a disaster recovery or a business continuity plan is an essential part of a robust security program.

The safeguards rule only requires an incident response plan if your student information population is 5,000 or more students. However, even if your institution is under this population threshold, an effective plan can help you prevent an extended recovery timeline and lessen the impact of an incident on both staff and students.

9. Regular reporting

If your student information population is 5,000 or more, the individual you designate to oversee your information security strategy is required to report to your institution’s leadership on the security program.

Your security officer should plan on presenting to organizational leadership at least once a year, if not more regularly.

How Wipfli can help

Your institution has a responsibility to keep your students’ information safe. But are you doing enough?

Our dedicated cybersecurity team can help you ensure that you're maintaining compliance and keeping financial aid data secure. Contact us today to learn more about how we can help your institution be confident in your data protection.

Sign up to receive additional education content in your inbox or continue reading: 


Sean Grennan, MS
Manager, CIO Advisory
View Profile