Educause Security Discussion mailing list archives
GLBA suggested audit procedures
From: Peter Lundstedt <peter.lundstedt () DRAKE EDU>
Date: Mon, 18 Dec 2017 16:44:53 +0000
Happy Monday everyone,

The Educause blog post regarding the GLBA Audit Objective (here: https://er.educause.edu/blogs/2017/8/glba-audit-objective-text-online) contains a list of three suggested audit procedures:

a. Verify that the IHE has designated an individual to coordinate the information security program.

b. Obtain the IHE risk assessment and verify that it addresses the three required areas noted in 16 CFR 314.4 (b).

c. Obtain the documentation created by the IHE that aligns each safeguard with each risk identified from step b above, verifying that the IHE has identified a safeguard for each risk.

Items A and B appear to be self-explanatory, at least on the surface. I'm having some trouble discerning item C. I haven't been able to find templates or even recommendations for alignment of safeguards with covered risks, and how that should look. If you are impacted by GLBA, how are you interpreting this item?

Thank you,

________________________________________
Peter Lundstedt
Director, Information Security & Compliance
Information Technology Services
Drake University
E peter.lundstedt () drake edu
drake.edu/its