Security and Confidentiality of Customer Information
DEAR CPA LETTER CPA-19-01
ED’s Office of Inspector General (OIG) has issued Dear CPA Letter CPA-19-01. This letter amends the 2016 Audit Guide that is applicable to proprietary schools and to compliance attestation engagements of third-party servicers. The letter adds Section C.8.12 to Chapter 3 of the Audit Guide. This section will be applicable to all audits of fiscal years ending on or after 12/31/19 that are conducted using the 2016 Audit Guide. The purpose of this section is to ensure compliance with the Federal Trade Commission’s regulations implementing the Gramm-Leach-Bliley Act (GLBA) regarding the security and confidentiality of customer information.
This section requires procedures to:
- Verify that the institution has designated an individual to coordinate the information security program.
- Verify that the institution has documented a safeguard for each risk identified in the next bullet.
- Verify that the institution has performed a risk assessment that addresses the 3 areas noted in 16 CFR 314.4(b), which are:
  - Employee training and management;
  - Information systems, including information processing, storage, transmission, and disposal; and
  - Detecting, preventing, and responding to attacks, intrusions, or other system failures.
Schools should also refer to Dear Colleague Letters GEN-15-18 and GEN-16-12 for information on protecting student information. DCL GEN-16-12 lists requirements under the GLBA which include:
- Developing, implementing, and maintaining a written information security program;
- Designating an employee responsible for coordinating the information security program;
- Identifying and assessing risks to customer (student) information;
- Designing and implementing an information safeguards program;
- Selecting appropriate service providers that maintain appropriate safeguards; and
- Periodically evaluating and updating the information security program.
Additionally, DCL GEN-16-12 lists the standards defined in NIST SP 800-171, the recognized information security publication for protecting information. As part of a school’s security program, schools should:
- Limit information access to authorized users;
- Ensure that system users are properly trained;
- Create information system audit records;
- Establish baseline configurations and inventories of systems;
- Perform appropriate maintenance on information systems;
- Screen individuals prior to authorizing access;
- Limit physical access to systems;
- Conduct risk assessments;
- Assess security controls periodically and implement action plans;
- Monitor, control, and protect organizational communications; and
- Identify, report, and correct information flaws in a timely manner.
To access the electronic announcement and Dear CPA Letter CPA-19-01, see https://ifap.ed.gov/eannouncements/111319DearCPALetterCPA1901.html and https://www2.ed.gov/about/offices/list/oig/nonfed/cpa1901.pdf.