Click here to view this email as a web page.

Cybersecurity Updates
June 2023

It's Time to Implement New GLBA Requirements

Updates to the Gramm-Leach-Bliley Act (GLBA) went into effect on June 9, 2023. The enhanced requirements strive to ensure the security of student information by protecting against anticipated threats and preventing unauthorized access. Review the steps your institution must follow to comply with GLBA:

•

Designate a qualified individual to implement and supervise your institution's information security program.

•

Conduct a risk assessment.

•

Design and implement safeguards to control identified risks.

•

Regularly monitor and test the effectiveness of your safeguards.

•

Train your staff.

•

Monitor your service providers.

•

Keep your information security program current.

•

Create a written incident response plan.

•

Require your qualified individual to report to your Board of Directors.

GLBA Resources

An overview video of GLBA is available at fsatraining.ed.gov. Login or create a free account, then go to "Recorded Training," and "Presidents and Chancellors Briefing" to see our Deputy Chief Information Officer, Dan Commons, present "GLBA Cybersecurity and Institutions of Higher Education."

More information regarding GLBA is also available in FSA's announcement Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements and the Federal Trade Commission's publication FTC Safeguards Rule: What Your Business Needs to Know, as well as on the FTC's website.

If you have questions regarding the Department of Education's enforcement of GLBA, please contact FSA_IHECyberCompliance@ed.gov.

Protecting Federal Tax Information (FTI) Webinar

A video recording of FSA's webinar "Protecting Federal Tax Information (FTI) at Your Institution" is now available. The video covers your responsibilities in protecting FTI beginning with the 2024-25 FAFSA form. The IRS Data Retrieval Tool (DRT) is being replaced by the Future Act Direct Data Exchange (FADDX). The video session also covers the consent process for students and parents and the impact of failure to consent.

Once you log in to the FSA Training Center, select the "FAFSA® Simplification Training and Resources" icon on the home page to locate the recordings and transcripts.

Cyber Hackers Never Take a Vacation

As you zipline through a forest canopy, experience exotic marine life on a snorkeling trip, or scale the side of a mountain, the last thing you are thinking about is the safety of your online devices. Unfortunately, cyber hackers don't take R&R, but they will take advantage of online systems while you enjoy yours. Take the following steps to secure your devices no matter where you are:

•

Leave the gadgets at home: the more devices you bring on your trip, the higher the risk.

•

Password protect: make sure your devices require facial ID, PIN, or passcode to open to prevent unwanted access.

•

Check your settings: review your privacy settings and consider turning off the location tracking feature and update other privacy settings as needed.

•

Use only secure Wi-Fi: beware of "open" public Wi-Fi networks. Only connect to secure networks and consider using a VPN.

•

Update software: ensure software updates are installed to patch vulnerabilities.

•

Don't leave devices unattended: if your devices are not always with you while traveling, lock them up in a safe or your luggage.

•

Set up "find my phone": if your device does fall into the wrong hands, this feature allows you to track and even remotely wipe data or disable the device.

Gone Phishing?

To trick you into opening a malicious email, cybercriminals will often exploit urgency, personalization, and pressure. These emails often include links that seek to obtain your credentials, download malware, or infect the network. Remember to trust your instinct: if something seems "phishy," don't click any links and report it right away. Be on the lookout for the most common words hackers use in email subject lines:

Request

Follow Up

Urgent/Important

Are you Available/At Your Desk?

Payment/Invoice Status

Don't get hooked, learn more about phishing.

Learn more

New Cybersecurity Resources Available

FSA's new factsheet 3 Key Strategies: Safeguarding Schools from Cyber Threats provides recommendations to help IHEs address systemic cybersecurity risk. Along with each recommendation, there are key actions and related resources to help IHEs build, operate, and maintain resilient cybersecurity programs.

How to Report a Breach

Report breaches immediately through the Cybersecurity Breach Intake Form on Partner Connect or by emailing FSASchoolCyberSafety@ed.gov.

Cybersecurity Advisories

MOVEit Transfer and MOVEit Cloud Vulnerability

PaperCut MF/NG Improper Access Control Vulnerability

MinIO Information Disclosure Vulnerability

Google Chrome Skia Integer Overflow Vulnerability

Illumina Universal Copy Service

Feedback or Suggestions?

Email FSASchoolCyberSafety@ed.gov your recommendations for what to include in upcoming newsletters.

Please forward our newsletter to team members and colleagues who may find these cybersecurity tips useful.

This email was sent by: Office of Federal Student Aid
U.S. Department of Education
400 Maryland Ave. SW,
Washington, DC, 20002, US

Please do not reply to this email. Messages sent to this email address are not monitored. If you wish to contact us, please use the StudentAid.gov contact page. For more information about financial aid, visit StudentAid.gov.

Cybersecurity Updates June 2023