
GLBA assessment for Ohio University


Ohio University’s (OU’s) Information Security Office (ISO) engaged BerryDunn’s higher education consulting team to conduct security risk assessments for three departments within the University. These departments are required to comply with the Gramm-Leach-Bliley Act (GLBA) per the US Department of Education’s (ED’s) requirements. The assessments used the NIST 800-171 Rev. 1 framework, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST 800-171), and included consideration of relevant GLBA controls.


BerryDunn completed the first assessment for the Office of Student Financial Aid and Scholarships (OSFAS) in 2018 and additional assessments for the Bursar’s Office and Heritage College of Osteopathic Medicine (HCOM) in May 2020. 

Over the course of these security risk assessments, the BerryDunn higher education consulting team reviewed the university’s information security policies, procedures, and standards and, before the planned on-site meetings, engaged members of the respective departments to prepare for the engagement and obtain an initial understanding of the systems and controls in scope. The assessments were completed on-site, where team members met with OU ISO, Office of Information Technology (OIT), department leadership, and staff teams.


The scope of these security risk assessments involved evaluating the systems, processes, and practices for adherence to the requirements in the NIST 800-171 framework. BerryDunn’s deliverables for each assessment included:

  • A completed NIST risk assessment workbook that documented BerryDunn’s procedures and the assessed unit’s adherence status towards NIST compliance.
  • A report providing an overview of the scope of the assessment, the processes followed, risk assessment outcomes, risk mitigation plans, and recommendations for next steps.

BerryDunn's higher education consultants developed prioritized remediation plans that addressed the gaps identified and, where needed, recommended the implementation of new controls, policies, procedures, and practices. BerryDunn included important considerations to help leadership understand the implementation of remediating activities.


“We have engaged BerryDunn for the performance of two NIST/GLBA risk assessments over the last two years. Each time the consultants were professional, knowledgeable, and provided great insight with specific knowledge to the higher education industry.”  

- Alicia Porter, Ohio University
