Issue/Question
How does USD maintain compliance with GLBA?
Environment
- Finance
- Education Department
- GLBA
- Compliance
- University of South Dakota (USD)
Cause
Required compliance in the higher education space
Resolution
USD STAFF ONLY
GLBA Compliance Program – USD
Overview
The Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule establish requirements for protecting nonpublic personal financial information (NPI).
The University of South Dakota (USD) is subject to GLBA due to the collection and processing of financial information within the Financial Aid Department, including:
- Bank account numbers
- Routing numbers
- Other financial data related to student aid
USD maintains a comprehensive information security program designed to protect this data in accordance with GLBA requirements.
GLBA Governance and Oversight
- GLBA Compliance Officer: Shelley Brunick
- Information Security Program Lead (Qualified Individual): Lance Peterson, CISO CISSP
- Regulatory Oversight: Federal Trade Commission
USD’s GLBA compliance is implemented through a written information security program aligned with institutional cybersecurity and data governance practices.
GLBA Compliance Status by Safeguards Rule Requirement
The FTC Safeguards Rule (16 CFR Part 314) requires financial institutions to implement a comprehensive security program consisting of administrative, technical, and physical safeguards.
- Designation of Qualified Individual
  - Requirement: Assign responsibility for the information security program
  - USD Status: ✅ Compliant
  - A Qualified Individual has been designated to oversee and implement the security program
  - Program leadership is integrated with USD’s enterprise security operations
- Risk Assessment Program
  - Requirement: Identify and assess risks to customer information
  - USD Status: ✅ Compliant
  - Formal risk assessment program implemented using the CIS Critical Security Controls framework
  - Risks are identified, tracked, and managed through USD’s GRC processes
  - Risk assessments consider threats, vulnerabilities, and business impact
- Safeguards Implementation
  - Requirement: Design and implement controls to mitigate identified risks
  - USD Status: ✅ Compliant
  - USD implements safeguards aligned to CIS Controls, including:
    - Access Control (CIS Control 6): Role-based access, MFA, least privilege
    - Asset & Data Visibility (CIS Controls 1–3, 5): Inventory and classification of systems and data
    - Data Encryption (CIS Control 3): Encryption of financial data at rest and in transit
    - Application Security (CIS Controls 15 & 16): Secure development and vendor validation
    - Logging & Monitoring (CIS Controls 8 & 13): Centralized logging via Microsoft Sentinel
    - Secure Disposal (CIS Controls 3 & 15): Controlled data retention and destruction
- Multi-Factor Authentication (MFA)
  - Requirement: Require MFA for access to systems containing customer information
  - USD Status: ✅ Compliant
  - MFA enforced through Microsoft Entra ID and Conditional Access
  - Applies to users accessing financial systems and sensitive data
- Continuous Monitoring and Testing
  - Requirement: Monitor and test the effectiveness of safeguards
  - USD Status: ✅ Compliant
  - Continuous monitoring via Microsoft Sentinel and Red Canary MDR
  - Annual security reviews and control validation performed
  - Detection and response metrics tracked (MTTD, MTTR)
- Security Awareness Training
  - Requirement: Train personnel on safeguarding customer information
  - USD Status: ✅ Compliant
  - Security awareness training provided to the workforce
  - Training aligned with CIS Control 14
  - Includes phishing awareness and data handling practices
- Service Provider Oversight
  - Requirement: Ensure service providers protect customer information
  - USD Status: ✅ Compliant
  - Vendor risk management program in place
  - Contracts include data protection and security requirements
  - Ongoing monitoring of service providers aligned to CIS Control 15
- Information Security Program Maintenance
  - Requirement: Keep the security program current
  - USD Status: ✅ Compliant
  - Security program reviewed and updated annually
  - Adjustments made based on evolving threats and technology changes
- Incident Response Plan
  - Requirement: Maintain a written incident response plan
  - USD Status: ✅ Compliant
  - Formal incident response plan in place (USD Major Incident Response Plan)
  - Includes:
    - Defined roles and responsibilities
    - Communication and escalation procedures
    - Containment, remediation, and recovery processes
    - Post-incident review and improvement
- Board-Level Reporting
  - Requirement: Report on security program status to leadership
  - USD Status: ✅ Compliant
  - Security program status is reported to institutional leadership
  - Includes risk posture, control effectiveness, and incident trends
Protection of Customer Information
Under GLBA, customer information includes any nonpublic personal financial information maintained by USD.
USD’s program ensures:
- Confidentiality of financial data
- Protection against anticipated threats
- Prevention of unauthorized access that could result in harm or inconvenience
Integration with Cybersecurity Frameworks
USD leverages industry-standard frameworks to strengthen GLBA compliance:
- CIS Critical Security Controls (v8.1) – Operational cybersecurity baseline
- NIST Cybersecurity Framework (CSF) – Risk-based program alignment
- Microsoft Security Stack – Identity, endpoint, and data protection
- Red Canary MDR – Continuous monitoring and response
This ensures GLBA compliance is fully integrated into USD’s enterprise security architecture.
Continuous Improvement
USD recognizes GLBA compliance as an ongoing process requiring continuous evaluation and enhancement. Ongoing efforts include:
- Enhancing financial data classification and protection
- Expanding monitoring and detection capabilities
- Strengthening third-party risk management
- Aligning safeguards with emerging regulatory expectations
Summary
The University of South Dakota:
- ✅ Meets GLBA and FTC Safeguards Rule requirements
- ✅ Maintains a written, risk-based information security program
- ✅ Protects financial data through layered administrative, technical, and physical controls
- ✅ Implements strong identity, monitoring, and incident response capabilities
- ✅ Continuously improves safeguards aligned with CIS Controls and industry standards