What is GLBA Compliance Penetration Testing?

Author: Jason Gillam

When it comes to safeguarding student data, educational institutions must meet several compliance requirements. The Gramm-Leach-Bliley Act (GLBA) is one regulation that has established a set of baseline standards for handling confidential information. Penetration testing and vulnerability assessments under GLBA will be required as of December 9, 2022, for many educational organizations that collect, process, maintain, or handle personally identifiable financial information.  

To ensure compliance with GLBA, educational organizations may need to undergo regular penetration testing and vulnerability assessments. The penetration testing simulates a real-world attack on the institution's systems and data to identify vulnerabilities that hackers could exploit. Vulnerability assessments scan for known vulnerabilities across infrastructure and applications.

What does GLBA Compliance Penetration Testing include?

There are two parts to the GLBA Compliance Penetration test. First, Secure Ideas will perform a penetration test focused on the security of the information in scope for GLBA. The test will cover your internal and external network surfaces. Second, Secure Ideas will perform two vulnerability assessments over one year, spaced apart by approximately six months. Currently, this service is designed for educational organizations, not full-service financial institutions.

How does this service save your organization money?

We understand that the education industry is highly competitive and views regulatory compliance as a necessary obligation rather than an intrinsic priority. We price all of our penetration testing services as fixed-bid work, using our highly skilled US-based consultants. We have made the following concessions to keep our price as low as possible without sacrificing quality:

  • We time box the test. A time box means we allocate a specific amount of time for the project rather than working until we have exhausted all possible findings. When working within a time box, we prioritize our work from high-risk attack vectors to lower-risk attack vectors.
  • We prioritize the GLBA scope. Your organization may have many different networks serving various purposes, but only a small number contain systems that manage sensitive financial loan information. We will examine all of your network surfaces but will concentrate our efforts on attack paths to the data of interest for GLBA. We will limit the effort spent building exploits or proofs of concept that would not demonstrate a significant risk to these systems.
  • We may use sampling. We can test a subset of similarly configured networks, such as the student and staff networks across different campuses.
  • We will shorten our report deliverable. Don't worry; your report will still contain all of the finding details and an executive summary. But we will include an activity summary instead of a detailed narrative and skip the strategic guidance section.
  • We will combine efforts. Vulnerability scanning is a valuable input for this type of penetration test. We will perform the first of your two annual compliance scans at the beginning of the penetration test to save some effort.

How is this service priced?

Your quote will include an indication of the number of days of effort. We calculate this number by comparing your scoping information to similar projects that we have tested in your industry. We then multiply the effort by our standard daily rate to determine the total cost.
