Every institution that participates in Title IV federal student aid programs is subject to the GLBA Safeguards Rule (16 CFR Part 314). That obligation is not new; what has changed is that the FTC is actively enforcing the amended rule (the 2021 amendments, most of which took effect in June 2023), and auditors are asking specific, evidence-based questions rather than accepting a policy binder at face value.
If your compliance posture has not been evaluated against the updated requirements, that review is worth scheduling. We've written a detailed walkthrough of the nine elements for institutions building or refining their programs. This article gives you a faster starting point: an interactive checklist to identify where you stand today.
Before You Begin
To get the most from this checklist, have the following accessible:
- Your institution's written information security program (if one exists)
- Your most recent risk assessment documentation
- Your vendor management records or contracts with key service providers
- Board meeting minutes or reports related to information security
- Your incident response plan
A note on scope: this checklist covers the core requirements under the updated Safeguards Rule. It's a self-assessment tool, not a formal compliance evaluation. A checked item means your institution has addressed that requirement in some form. An unchecked item signals an area worth investigating further.
GLBA Compliance Quick-Check
Use the interactive checklist below to evaluate your institution's current posture against the Safeguards Rule requirements. Check each item your institution has addressed.
This tool is for informational and educational purposes only. It does not constitute legal advice or a formal compliance determination. Consult qualified legal counsel and your institution's compliance team for an official GLBA compliance assessment.
Interpreting Your Results
Your completion percentage gives you a general sense of where you stand. Here's how to read it:
75-100% checked: Strong foundation. Your institution has addressed most of the core requirements. Focus your energy on documentation quality and evidence collection. Auditors look for evidence, not assertions: policies with approval dates, training logs with attendance records, vendor assessments with findings and follow-up actions.
50-74% checked: Common gaps. This is where most institutions land, and the gaps tend to cluster in predictable areas. Encryption at rest and vendor security oversight are the two most common. Prioritize these alongside any items you haven't addressed, and build a timeline for closing the remaining gaps before your next audit cycle.
Below 50% checked: Start with the foundation. The Qualified Individual requirement is your first step. Someone needs to own the program, with the authority and resources to build it. From there, complete a risk assessment. Everything else in the Safeguards Rule flows from understanding your specific risks.
Common Gaps We See
Across institutions we've assessed, four areas consistently surface as the most common compliance gaps:
- Encryption at rest. Most institutions encrypt data in transit (HTTPS, TLS) but haven't addressed data at rest, even though the amended rule explicitly requires encrypting customer information both in transit over external networks and at rest. Database encryption, laptop disk encryption, and encrypted backups are all expected by auditors. Where encryption is genuinely infeasible, the rule allows effective alternative compensating controls, but only if they are reviewed and approved by your Qualified Individual, and auditors will ask for that approval in writing.
- Vendor security assessments. Having security language in contracts is necessary but not sufficient. The rule expects you to select providers capable of maintaining appropriate safeguards, to require those safeguards by contract, and to periodically assess them. Auditors want evidence that you've evaluated your critical vendors' actual security practices: questionnaires completed, SOC 2 reports reviewed (with exceptions tracked to closure), or on-site assessments conducted.
- Board reporting. The Safeguards Rule requires the Qualified Individual to report regularly, and at least annually, to the board or governing body on the overall status of the information security program and compliance with the rule, including material matters such as risk assessment results, service provider arrangements, testing results, security events and their responses, and recommended changes. Many institutions lack a formal reporting template or schedule, so the report either doesn't happen or doesn't cover what the rule calls for.
- Tested incident response. Having a written incident response plan that covers the rule's required elements (goals, internal processes, roles and decision-making authority, internal and external communications, remediation of weaknesses, documentation, and post-event evaluation and revision) meets the letter of the requirement. Testing that plan through tabletop exercises or simulations demonstrates that it would actually work, and it surfaces the gaps the post-event evaluation clause expects you to find. Auditors increasingly ask for evidence of testing (dated exercise records with participants and action items), not just documentation.
Next Steps
Gaps surfaced by this checklist are common across the sector. Most institutions have work to do, and the path forward is straightforward.
Start with our detailed guide to the nine GLBA elements for a deeper understanding of each requirement. A formal assessment extends this self-evaluation into board-ready documentation and a prioritized remediation roadmap.
Have questions or need support with GLBA compliance? Start a conversation.