Educause Security Discussion mailing list archives

GLBA suggested audit procedures


From: Peter Lundstedt <peter.lundstedt () DRAKE EDU>
Date: Mon, 18 Dec 2017 16:44:53 +0000

Happy Monday everyone,

The Educause blog post regarding the GLBA Audit Objective (here: 
https://er.educause.edu/blogs/2017/8/glba-audit-objective-text-online) contains a list of three suggested audit 
procedures:

a. Verify that the IHE has designated an individual to coordinate the information security program.

b. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4 (b).

c. Obtain the documentation created by the IHE that aligns each safeguard with each risk identified from step b above, 
verifying that the IHE has identified a safeguard for each risk.

Items A and B appear to be self-explanatory, at least on the surface.  I'm having some trouble discerning item C.  I 
haven't been able to find templates or even recommendations for alignment of safeguards with covered risks, and how 
that should look.  If you are impacted by GLBA, how are you interpreting this item?

Thank you,
________________________________________
Peter Lundstedt
Director, Information Security & Compliance
Information Technology Services
Drake University

E  peter.lundstedt () drake edu
http://www.drake.edu/its
