Education Meets Some Milestones for Data Security at Colleges

While the Department of Education is somewhat on track to meet its goal of improving student privacy and data security at institutions of higher education, it still has room to improve, according to an update to the Department of Education’s agency priority goals – part of the President’s Management Agenda (PMA) – released September 19.

As part of the PMA, the Department of Education was tasked with increasing information security program outreach activities and conducting security audits of colleges by Sept. 30, 2019. The two requirements are intended “to help protect IT systems and data privacy.”

As of Q3 FY2019, the Department of Education has met two milestones, delayed one, and not met one. The two remaining milestones aren’t due until FY2020.

On a positive note, the Department of Education has exceeded expectations for outreach. The Department’s Office of Federal Student Aid (FSA) was required to perform 14 outreach activities targeting privacy and data security requirements at IHEs in FY2018. The update noted that the Department surpassed its FY2019 performance target in March of 2018.

Additionally, FSA and the Student Privacy Policy Office have met the FY2019 goal to engage in 17 outreach activities targeting privacy and data security requirements at IHEs.

On the other hand, the Department has yet to commence work on the security audits. In FY2018, FSA was supposed to work with the Office of Management and Budget and colleges to “prepare for the upcoming GLBA audit guidance.” However, the update noted that this has yet to happen and said that “Publication of GLBA audit requirements in the FY 2018 OMB Compliance Supplement was postponed.” Education and OMB finally published the guidelines for audits in June, but the delayed release came after the evaluation period for the update.

Without guidance on the security audits, the Department has had to postpone them, leaving the goal of conducting 36 audits by the end of FY2019 delayed. The Department was expected to have at least 36 colleges complete an audit of information security safeguards that results in no significant findings. However, since audit requirements have only just been published, colleges are unable to complete the required audits.
