- We added the FTC Safeguards Rule (for GLBA compliance) to the Compliance Analysis report
- You’ll need to update your Institution Security Profile questionnaire to answer two new questions and then save a new snapshot
## FTC Safeguards Rule Background
Most higher education institutions need to comply with the Gramm-Leach-Bliley Act (GLBA), which requires organizations that are considered “financial institutions” to explain their information-sharing practices to their customers and to safeguard sensitive data.
To demonstrate compliance, institutions need to meet the Federal Trade Commission’s Standards for Safeguarding Customer Information, or the “Safeguards Rule” for short.
The law took effect in 2003, but the FTC amended the rule in 2021, and the updates go into effect on June 9, 2023. Several CampusCISO members asked for updated reports to help validate their readiness to meet this deadline.
## How to review your readiness for the Safeguards Rule

### Update your Institution Profile answers

The FTC Safeguards Rule requires institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information (see the FTC website).
Since the original Compliance Analysis Report focused on your cybersecurity capabilities (i.e. the technical components of your security program), we updated the report to give you a more complete view of your program.
### Two new profile questions
Some Safeguards Rule requirements are based on administrative controls rather than technical capabilities. We’ve updated the Institution Profile questions to capture some additional data that helps address these requirements.
For example, the rule requires that you designate a “Qualified Individual” with the responsibility and authority to develop and maintain your information security program.
You’ll want to answer these questions and save a new snapshot to get a more complete picture of your security capabilities.
### Open your Compliance Analysis report
We added the Safeguards Rule to our Compliance Analysis reports.
If you have a paid CampusCISO membership, you can access this data by navigating to Reports > Assessment Reports > Compliance Analysis. (See screenshot to the right.)
### Filter your report output
You can filter the results by selecting “FTC Safeguards Rule” under “Framework” and then clicking “Search.”
The report helps you review the technical capabilities you have in place that can support each of the Safeguards Rule requirements.
### Review data from prior snapshots
You can change the report date to view data from *any* of your saved snapshots. The FTC Safeguards Rule analysis will work retroactively with all of your saved snapshots. These older snapshots do not include the two new questions, though, so your calculated readiness value may be lower than you expected.
You’ll need to answer the two new profile questions and save an updated snapshot to see the most complete view of your readiness.
### New Compliance Analysis report format

The original Compliance Analysis Report only showed whether you had technical capabilities in place (vendor solution + people + adoption level) that could support each control objective.
Several requirements in the FTC Safeguards Rule rely on administrative controls, such as having a designated “Qualified Individual” responsible for the security program. We’ve added a new “Profile Score” column in the report. This shows the average score from the Institution Security Profile questions that apply to that control.
You can review the specific profile questions that are mapped to the control by clicking “View analysis details.”
In the “Control Analysis Details” section, you’ll also see that we updated the “Control Readiness Assessment” calculation to include your technical capabilities (the Weighted Adoption Score) plus your administrative capabilities (the Profile Characteristics Score).
We’ve already mapped the FTC Safeguards Rule to this new calculation, and we’ll update the other frameworks in the coming weeks.