Responding to what it described as requests for additional information, the Department of Education this week issued guidance to postsecondary institutions on the information security requirements of the Gramm-Leach-Bliley Act (GLBA).
In an April 24 Electronic Announcement, the Department provided additional guidance on the information security certification requirements institutions must meet to comply with GLBA.
According to the announcement, the GLBA, among other things, defines a service provider as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution.”
The Department said an institution is required to oversee service providers by:
- Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.
- Requiring service providers by contract to implement and maintain such safeguards.
- Periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards.
Also in the announcement, the Department clarified that, because of the nature of the Program Participation Agreement (PPA) and the laws and regulations that govern program participation, institutions participating in the federal student financial aid programs do not have service provider relationships with the Department or with the office of Federal Student Aid.
Questions about the announcement should be sent to FSASchoolCyberSafety@ed.gov.