GLBA Compliance Action Plan

Posted March 23, 2023

Cybersecurity documentation is always difficult, especially when it means setting policies, establishing clear roles, executing every task inside a cybersecurity program, and doing all of this knowing the whole program is going to be audited by the Department of Education. In addition, institutions of higher education (IHEs) typically struggle with a lack of resources, staff who have to wear multiple hats, and an overall lack of knowledge and experience in cybersecurity.

Here’s what GreyCastle Security recommends to ensure that you put your best foot forward: 

  1. Appropriate Skillsets: not only do you need someone with knowledge and experience in cybersecurity to ensure your program doesn’t hit roadblocks, but it’s required by GLBA, and for good reason. Without someone experienced to help navigate the specific GLBA cybersecurity requirements and to ensure you’re applying sound practices in your unique environment, it’s likely that you’ll fail to meet minimum expectations for compliance and potentially fail an audit. 
  2. Think like an Auditor: while you may feel like you’re doing a great job, if you can’t prove it, then you’re going to have problems with an audit. Make sure your program is documented, that you’re generating evidence to support the activities your policies say you’re carrying out, and that you’re prepared to speak to each component of your program. The better organized you are, the better your audit will go. You don’t want an auditor repeatedly asking you for documents or evidence you should have provided from the start. 
  3. Keep it simple: from policies to working groups, GreyCastle Security has seen time and time again how overcomplicating the effort and involving too many resources can make this already difficult task next to impossible. Bring together the minimum necessary people, departments, and stakeholders to get the job done, and ensure they have clarity on objectives, timelines, and outcomes. 

GLBA Compliance Gotchas to Avoid

  1. Understanding Scope: let’s be clear: if you don’t have a complete understanding of what’s in scope and out of scope for GLBA, your program will likely suffer in many ways, with too many departments involved, too large a scope, too many controls, and a lack of clarity. One of the biggest issues GreyCastle Security witnesses is organizations having too many exceptions to their policies (the policies being what you claim you’re doing to protect sensitive data). 
  2. Understanding which departments must comply: one of the best ways to stay focused and know exactly which departments and resources must be in compliance with GLBA is to know exactly which departments hold what is defined as Controlled Unclassified Information (CUI). CUI is at the core of the safeguards you must implement to comply with GLBA. By making a succinct list of the departments and the actual data elements that are in fact CUI, you set yourself up for success by defining your scope in terms of how your organization is structured and what information each part of it uses. 
  3. Understanding what CUI is: Controlled Unclassified Information (CUI) is actually a government term that originated in DoD contracts. It has since expanded to cover any form of data that is sensitive to the US government. CUI ranges from caches of ammonium nitrate to law enforcement investigation information to other sensitive information, including sensitive student financial information. 

By addressing these challenges, higher education institutions can comply with GLBA safeguards and protect sensitive information. It’s important to note that compliance is an ongoing effort, and institutions must continuously review and update their policies and procedures to keep up with the changing regulatory environment and emerging threats. 

Want to make sure you’re up-to-date on the newest compliance requirements? Grab our newest GLBA checklist guide to make sure you’re prepared for the new deadline this year.
