Student Aid Tied To US InfoSec Law

Colleges in the U.S. are being held to the same legal standard for information security as banks and brokerage houses because they collect student financial data, making them financial services organizations in the eyes of the law.

As part of its annual student aid compliance audits, the U.S. Department of Education has begun requiring colleges to produce evidence of compliance with the Federal Information Security Modernization Act of 2014, also known as the Gramm-Leach-Bliley Act, or GLBA. GLBA is a consumer protection reform that controls how financial institutions handle the private information of individuals.

The law requires colleges to protect student financial aid records and information by following recommendations set out in NIST 800-171, a publication of the National Institute of Standards and Technology. The document specifies how institutions should set up their information systems and policies in order to ensure the long-term security of financial data.

Compliance Help For CCCs

To help the state’s community colleges with compliance, the California Community Colleges Information Security Center has begun reaching out to technology and administrative leaders to offer free security assessments.

“Requirement 3.12 of NIST 800-171 is ‘security assessment,’” said Jeff Holden, Chief Information Security Officer of the Information Security Center. Colleges or districts can request an assessment through an online form on the center’s website. Assessments involve analyzing information systems and policies to find any deficiencies, and making recommendations for remediation and ongoing controls. Findings from individual assessments are kept confidential to the district, Holden said.

Specific Security Needs Addressed

The Information Security Center is fully funded by the Chancellor’s Office to provide information security services and resources at no cost to colleges, systemwide. In fact, according to Holden, the center has assembled its extensive menu of services to address specific requirements outlined in NIST 800-171.

Among these are security awareness training for college and district employees; security standards and policy templates that colleges or districts can customize; and vulnerability management to discover security risks in the network and recommend actions.

The center has also published a white paper that explains the information security needs of the colleges and describes the resources available to help college leaders ensure their systems are secure. Visit the Information Security Center at CCCSecurityCenter.org to learn more.

For information about GLBA requirements for colleges, read the U.S. Department of Education’s Dear Colleague letter, and download the NIST 800-171 publication.


Crista Souza is the TechEDge News Editor