Audit 337905

FINDING 2024-001: Failure to Meet the Standards for Safeguarding Customer Information FEDERAL AGENCY: U.S. Department of Education PROGRAM NAME: FEDERAL DIRECT LOAN PROGRAM ALN: 84.268 FEDERAL AWARD YEAR: 2023-2024 Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)). Condition: The Institution failed to implement the new Gramm-Leach-Bliley Act's (GLBA) standards for safeguarding customer information to their student information security policy. We consider this finding to be a material weakness in the Special Tests and Provisions Compliance Requirement. Cause: The condition was caused by the Institution's security officer being unaware of the requirement to establish a policy based off a risk assessment. Question Costs: $0 Recommendation: We recommend the Institution work with their contracted IT department to complete a risk assessment and create a policy using the FTC's 9 elements for GLBA compliance. Views of Responsible Officials: The Institution agrees with the Single Audit Finding and a response is included in the Corrective Action Plan

FINDING 2024-001: Failure to Meet the Standards for Safeguarding Customer Information FEDERAL AGENCY: U.S. Department of Education PROGRAM NAME: FEDERAL DIRECT LOAN PROGRAM ALN: 84.268 FEDERAL AWARD YEAR: 2023-2024 Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)). Condition: The Institution failed to implement the new Gramm-Leach-Bliley Act's (GLBA) standards for safeguarding customer information to their student information security policy. We consider this finding to be a material weakness in the Special Tests and Provisions Compliance Requirement. Cause: The condition was caused by the Institution's security officer being unaware of the requirement to establish a policy based off a risk assessment. Question Costs: $0 Recommendation: We recommend the Institution work with their contracted IT department to complete a risk assessment and create a policy using the FTC's 9 elements for GLBA compliance. Views of Responsible Officials: The Institution agrees with the Single Audit Finding and a response is included in the Corrective Action Plan