Higher Education Information Technology

Gramm Leach Bliley Act Update Impacts on Higher Education

Gramm Leach Bliley Act Update

The Gramm Leach Bliley Act (GLBA) took effect in May of 2003, and was updated in December 2021.  The updated requirements took effect on June 9, 2023 and were effective for the entirety of the fiscal year for higher education institutions.  We expect that the student assistance program will have updated requirements for the GLBA, and all institutions will have to abide by the updated GLBA for periods ending in June of 2024.  The GLBA requires that covered entities, defined below, must have adequate safeguards over sensitive information along with being transparent about information-sharing practices.

The safeguard rules require covered financial institutions to develop, implement and maintain an information security program to protect customer information.  Higher education institutions qualify as a financial institution based on their handling of student payments, refunds, and the transactions of the student assistance federal program.  The rule defines customer information to be any record containing non-public personal information such as bank account information, and other personally identifiable financial information. The institution’s information security program must be written with the objective to ensure the security and confidentiality of customer information, protect against anticipated threats to the security and integrity of customer information and to prevent unauthorized transactions.  Major changes from the original GLBA include the following requirements:

  • Designate a qualified individual to implement and supervise the information security plan. This could be an employee or service provider, but the service provider must still be overseen by a qualified individual at the institution.
  • Conducting a written risk assessment to determine foreseeable risks and threats, including internal and external threats, to the security, confidentiality, and integrity of customer information. The institution must also update the risk assessment periodically.
  • Designing and implementing safeguards to control the risks identified through the risk assessment including the following items:
    • Implement and periodically review access controls.
    • Understanding of the Institution’s information technology ecosystem
    • Encryption of data including in storage and when in transit
    • Assess access points to customer data including apps and other programs.
    • Implementation of multi-factor authentication
    • Disposal of customer data securely
    • Anticipate and evaluate changes to your information system or network.
    • Maintain a log of authorized users’ activities and review for unauthorized access.
  • Monitoring of systems – including regular testing of procedures and policies and conducting annual testing such as penetration testing and vulnerability scans. Monitoring any third-party providers that handle the institution’s information.  Ensure that all staff are up to date on security training based on their position in the institution.
  • Requiring that a qualified individual report to the governing body in writing on at least an annual basis. The report must include an overall assessment of the institution’s compliance with its information security program as well as risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.

Institutions should already have a basic information security program in place due to auditing requirements placed into the federal compliance supplement for the student assistance program starting in 2019. However, the updated GLBA expands upon the originally issued act.  Institutions should review all the requirements of the updated GLBA and ensure they are meeting the new requirements.  If you have any questions regarding the GLBA, reach out to a member of your audit team.

Higher Education

Life After HEERF


Colleges have utilized Higher Education Emergency Relief Funding (HEERF) to help offset additional expenditures related to the COVID-19 pandemic and to help students lower the cost of their education since March of 2020, when the Coronavirus Aid, Relief, and Economic Security (CARES) Act was approved by Congress.  The funds which were approved and distributed through the CARES Act, the Coronavirus Response and Relief Supplemental Appropriation Act (CRRSSA), and the American Rescue Plan Act (ARPA) have been expended and now Trustees are asking, “What does normal look like going forward?”

HEERF money helped institutions by offsetting additional costs associated with responding to the COVID-19 pandemic, such as additional cleaning supplies, adding additional information technology infrastructure to respond to the remote working and learning environment, and employing additional professors and staff to enforce social distancing.  Colleges were also allowed to utilize federal funds to offset “lost revenues” associated with the pandemic.  Some of the lost revenue was attributed to students who were unable or unwilling to attend college during the height of the pandemic. However, some of the lost revenue was due to the current decline in higher education demographics. Management must determine if tuition fees should be raised to help offset potential deficits and review offerings for financial feasibility now that HEERF money is no longer available.

HEERF was also available to assist students financially.  Students received cash stipends for extraordinary need during the pandemic.  College management will have to monitor enrollment to determine if the students who began taking courses with the added incentive of cash grants will continue their studies or if the recipients can no longer afford their higher education.  Potential data mining that could be completed include determining how many HEERF recipients finished the semester and how many HEERF recipients enrolled in the subsequent semester.  This can be compared to pre-pandemic student trends to see if the HEERF award assisted with student retention.  Additional data mining techniques could be employed to determine the demographics of the students who are attending college pre and post pandemic.  This could drive marketing campaigns if that demographic has shifted.  Demographic information could include location, age, gender, type of major, full time vs part time, remote or onsite, college experience, or work history.  Any information the institution collects could help fine tune marketing as well as when and what types of classes are offered.

Colleges will have to carefully review their next budget to ensure that student tuition and fees and government revenues cover their projected expenditures.  Colleges should review their course offerings and programs to ensure they have an appropriate selection of courses in order to attract students.  Information technology and data analytics, healthcare, teaching, and engineering are all growing fields and these programs should be invested in.  There are also research and development grants from various government agencies that could be useful in supplementing revenues, along with state grants.

HEERF funding helped many colleges through the worst of the pandemic and helped create a soft landing.  The next few years will be difficult as colleges learn how to stay financially fit without the ability to draw on HEERF funds.  Maher Duessel is here to serve as your trusted advisors. If you would like to discuss budgeting and forecasting future periods, feel free to reach out to us for additional information and discussion.

Information Technology

Information Technology Risks








With non-profits and governments having a more prominent place in the digital world, it is critically important for organizations to assess their information technology risks. Cyber crimes are not only impacting large public organizations but also smaller entities such as local municipalities and grassroot non-profit organizations.  In addition, for organizations that have adapted their operations to a remote environment, there are additional risks. We have several recommendations and tips your organization should consider implementing in the next twelve months to improve security protocols at your organization (if you have not done so yet).

  • Evaluate your IT service provider. Does your organization contract out its IT services or does your organization have in house IT? If your IT services are performed in house, is there sufficient knowledge residing within your IT team, and is the workload manageable for them? If you rely on contracted services, is there an official agreement with the third party?
  • Evaluate specific risks relevant to your organization. Do you accept online credit card payments? Are these transactions stored and processed on site versus a third party payment processor? Is your organization required to follow the Health Insurance Portability and Accountability Act (HIPAA) to protect sensitive patient health information?  There are also additional qualifications necessary for educational and financial institutions.
  • Evaluate your accounting software in terms of whether operations are automatic or manual, who has access to the software, documentation of rights to the software and the review of those rights. Evaluate your overall network security and individual application security.
  • Evaluate your access controls. (Access controls is a component of data security that dictates who is allowed to utilize your organization’s information and resources.) Authorization access controls have the goal of ensuring that the person seeking access is authorized, most often done with login credentials. Basic authentication controls ensure that those in possession of the authentication key (user name and password) can access your systems. Enhanced authentication controls ensure that the person who is accessing your data is not only authorized to access your data but also ensures they are who they say they are.  Enhance authentication controls can be obtained by using dual factor authentication. Did you know that internal personnel are responsible for just as many security incidents as outsiders? Employees should only have need-to-know access to be able to do their jobs and nothing more.
  • Is your organization following the NIST (National Institute of Standards and Technology) Guidance on passwords? To be reliable, passwords should be: a minimum of eight characters, be a mix of lowercase letters, uppercase letters, numbers and special characters to increase the strength of the password, there should be an automatically logoff or timeout due to inactivity, lock out of the account after three failed attempts (the duration of the lock out should be around 60-90 minutes to frustrate hacker attempts, and it could be indefinite for more sensitive accounts requiring reestablishment of credentials), and the account should be removed or disabled for terminated employees’ credentials in a timely manner. There should also be a segregation of duties, so that the person responsible for password policies, settings, and configurations should not be entering data or having access to applications.
  • Evaluate your organization’s determination of access (is it the data owner or IT?) What about level of access? Is it role based or ad hoc? Structured access is best practice and exceptions should be minimal. A review of those who have access should be performed on a yearly basis at a minimum.
  • What about your organization’s server and network operating system? Shares of the server should be examined and used sparingly/judiciously with rights to the server restricted for each group and user. Vendors should have read only and temporary access to maintain/debug the server. Be certain to sanitize default account credentials.
  • What about your organization’s ability to recover from an adverse event over the IT infrastructure? These impacts can affect your organization from an environmental, physical, internal, and malicious standpoint.  The Recovery Time Objective is the maximum acceptable delay between interruption of service and restoration of service. The Recovery Point Objective is the maximum acceptable amount of time since the last data recovery point. Evaluate how long your organization can afford to be down.
  • Does your organization have cyber security insurance? Insurance will cover losses in the event of an adverse event, though this insurance can be cost prohibitive for smaller non-profits and governments, and not all events are covered. You can lower your insurance costs by implementing a strong password control policy, including dual authentication, and encrypting sensitive data and personally identifiable information. Lastly, control the number of records you access, store and transfer – don’t store PII (Personal Identifiable Information) and consider using a third party to store credit card information.
  • Does your organization back up its data through full back ups and incremental back ups? Since backups are critical to the disaster recovery process, evaluate who performs them and where these backups are stored.
  • Evaluate your organization’s security protocols. For software security, are patches and updates automatically applied? For network security, evaluate your firewalls, routers, intrusion detection, and data encryption. Evaluate your organization’s cyber security training practices.
  • Do you have effective IT governance? Is there an IT Committee on your organization’s Board of Directors?
  • What about the practices of your vendors? Have there been any security issues at the vendors you work with, and has your organization been made aware of any cyber incidents? If you outsource your payroll for processing, investments and health insurance, you should evaluate if their controls are working appropriately and if you have the controls at your organization to ensure that the third party is working correctly. You should obtain, review, and understand the third-party organization’s controls, and any issues should be reviewed by Management, and they should ensure complimentary controls are in place. Your auditors will request Service Organization Control Reports. An SOC 1 Report provides information about the controls at a Service Organization that may directly impact its financial statements. An SOC 2 Report provides information about the suitability of the design and controls at the Service Organization relevant to security, availability, processing integrity, confidentiality, or privacy. An SOC 3 Report provides the auditor’s opinion on whether the Service Organization maintains effective controls over its systems and is typically intended for users who do not require a more thorough report.

We understand the list of items above is quite extensive and for many public agencies with limited financial resources, it may not be feasible to implement all of these practices due to budgetary constraints.  However, several of these items do not require any additional spending at all, but an overall commitment to investing the time needed to pay attention to critical security areas.  We encourage you to implement the protocols that make sense for your organization with respect to your size, goals, and operations. If you have any questions regarding IT risks at your organization, please contact a member of your audit team.


Calculation of Lost Revenue for Institutions of Higher Education

The Coronavirus Response and Relief Supplemental Appropriations Act of 2020 (CRRSAA) included a provision to allow Institutions of Higher Education (IHEs) to reimburse themselves for lost revenue due to the coronavirus pandemic. Many IHEs have questions on what is considered lost revenue as well as how lost revenue should be calculated and supported. The Department of Education (ED) has issued an FAQ that answers many of the questions put forth by IHEs. The IHEs must now decide which calculation method to utilize to support lost revenue at their respective institutions.

Definition of Lost Revenue

Due to some difficulty in determining exactly when revenue declines occurred during the pandemic, the ED noted that any lost revenue starting March 13, 2020 (the date of the disaster declaration) can be claimed as lost revenue. Since the CRRSAA was written into law on December 27, 2020 and made retroactive, an IHE could go back to March 13, 2020 and recalculate all of their lost revenue. They could apply that lost revenue to the Higher Education Emergency Relief Fund (HEERF) 1.0 or HEERF 2.0 funds. This would be recorded on the June 30, 2021 Schedule of Expenditure of Federal Awards (SEFA).

Lost revenue includes academic sources such as tuition, fees, institutional charges, room and board, lost research money, summer terms and summer camps. Auxiliary revenue includes cancelled events, which would include events that were scheduled, but cancelled because of the pandemic or yearly events that are held, that could not be held because of the pandemic. Auxiliary revenues would also include food service revenue, dormitory services, childcare services, use of facilities or venues, bookstore revenue, parking lot revenue, lease revenues, and royalties.

There are some revenue streams which are specifically not allowable under the lost revenue calculation. These revenue streams include capital outlays associated with athletic facilities, acquisition of real property, contributions or donations to the institution, marketing or recruiting activities, revenue related to sectarian instruction or religious activities, alcohol sales, and investment income.

Calculation of Lost Revenue

The FAQ gives specific methods to calculate lost revenue that the IHE has incurred during the pandemic. The IHEs must be consistent with the cost principles of the Uniform Guidance; therefore, any calculation must be consistent in the treatment of all revenue streams, meaning once you select a method that method must be applied to all revenue streams. The IHE should also ensure that the amount of lost revenue for the HEERF program is not included in the calculation of lost revenue for another federal program (double dipping). Also, if the institution refunded money to students and paid those refunds through HEERF, those refunds cannot be included in the calculation of lost revenue.

The following are the five methods to calculate lost revenue. It is important regardless of the method chosen, that there is adequate documentation for the amount of lost revenue the IHE is claiming and drawn down from the G5 system.

  • A year over year comparison using the prior year;
  • A semester-over-semester comparison using the prior year semester Fall 2019 vs Fall 2020;
  • A comparison using a 3 or 5 year combined average revenue as baseline revenue;
  • A comparison to previously budgeted revenue or projected revenue for the period; this would not include an adjusted amount after the pandemic occurred;
  • A comparison with a baseline year of a fiscal year prior to the March 13, 2020 national emergency declaration, such as the fiscal year from July 1, 2018-June 30, 2019

To determine which of the above methods is most beneficial, an institution not only has to think about tuition and fees but should also take into account auxiliary enterprises especially if those revenue streams are material. Ultimately the IHE must decide which calculation to utilize and then apply that calculation to all revenue streams to reimburse itself for lost revenue. IHEs should also keep in mind the earmarking requirements included in HEERF 1.0 and HEERF 2.0 that must be met at the end of the grant period. These include total student expense in relation to total institutional expenditures. If an institution does not believe it will expend a sufficient student portion, it should adjust institutional expenditures considered or risk having to return some of the HEERF 1.0 and HEERF 2.0 funds. Please contact us if you have any questions.