Abstract
Objective
This presentation describes how Saint Elizabeth University achieved compliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule during the 2024 audit cycle. The session will outline the university’s response to auditor findings, the steps taken to satisfy federal requirements, and the process used to receive clearance from both external auditors and the Federal Student Aid Office. A discussion period will follow, inviting participants to share their institutions’ experiences with GLBA compliance.
Context
GLBA compliance is required by Federal Student Aid, and the FTC Safeguards Rule is enforced by the Federal Trade Commission. Institutions that fail to demonstrate adequate information security safeguards risk federal audit findings, loss of Title IV eligibility, and increased oversight. As regulatory expectations expand, even small institutions must adopt structured, auditable data protection practices.
Key Insights
Saint Elizabeth University implemented several major changes to meet GLBA and Safeguards Rule requirements, including:
- Requiring multifactor authentication (MFA) for access to systems containing personally identifiable information (PII).
- Establishing continuous system monitoring and weekly vulnerability assessments using FortifyData and DHS cyber-hygiene services, plus an annual third-party penetration test.
- Creating a formal process for evaluating service providers through annual HECVAT or SOC 2 reviews and ongoing vendor vulnerability scanning.
- Developing an institutional incident response plan and updating the IT Security Plan and Risk Assessment documents.
- Delivering an annual written status report on the IT security program to the Board of Trustees, as the Safeguards Rule requires.
- Updating the Records Retention and Disposal policy, which must be reviewed every three years.
These steps resulted in successful clearance by auditors and Federal Student Aid.
Future Directions
The university will reassess all documentation and security processes in light of its transition to a new cloud-based student information system. As cloud adoption introduces new security and monitoring considerations, revised controls will be incorporated into the 2025 IT and GLBA compliance audits.
References
Federal Trade Commission. (2023). Standards for safeguarding customer information, 16 C.F.R. § 314. https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314
