Corrective Action Plans

Reference Number: 2024-001 Finding: Other Instance of Noncompliance and Significant Deficiency Status: In-progress Corrective Action: Following our analysis, we have concluded that adjusting our data transmission schedule to NSC will help prevent future last minute data anomalies, ensuring that a final transmission for the term always occurs after the end date of each term. Additionally, we have identified a potential issue where NSC may fail to send graduate records to NSLDS for students who immediately re-enroll in the subsequent semester. Due to timing between the submission from NSC to NSLDS, the newer enrollment appears to be overriding the previously sent graduation record, preventing the graduation record from being sent to NSLDS. To address this, we will create a dedicated report to identify students in this situation and manually update NSLDS with the missed graduation data. Finally, there were isolated cases where a historical date adjustment was made to generate an auxiliary outcome (e.g., a grade change of Withdrawal instead of Withdrawal Failing), which made it appear as though a record change wasn't submitted in a timely manner. For these, we will discontinue this practice and employ an alternative method to derive the desired outcome (e.g., additional grade change transactions input after the withdrawal with no date adjustment). Person(s) Responsible for Implementing: Mike Acosta, Institutional Analyst, Nathan Dugat, Registrar, Lynda McKendree, Dean of Scholarships and Financial Aid Implementation Date: 11/01/2024

Recommendation: We recommend that the District implements a process that will ensure all Title IV funds are awarded at proper amounts. Action taken in response to finding: Student’s award was adjusted to appropriately match the EFC of a subsequent ISIR that had not been processed at the time of awarding. Evidence of that change was provided to auditors in July 2024. Refresher training was provided to analysts to improve monitoring the output files of the ISIR import process (RCRTPxx) that identifies subsequent ISIRs received for students with locked records. Names of the contact persons responsible for corrective action: Patrick Scott and Anna Marie Troupe Planned completion date for corrective action plan: July 2024

Recommendation: We recommend the District re-evaluate their procedures for providing up-to-date URL information to the Department of Education. Action taken in response to finding: This is a relatively new requirement that was overlooked, and we are happy that the auditors found it. The District has submitted the URL for its contracts with BankMobile to the Department’s website. If the URL for those contracts should change, then the District will need to update those URLs. Please note that the public-facing database of those URLs is updated irregularly—the last update was in January of 2024—and any future submission should have a date stamp somehow attached for future audits. There is a very real possibility that a school could provide this information, but not have it reflected in the database. Names of the contact person responsible for corrective action: Patrick Scott, Dean –Financial Aid, Anna Marie Troupe, Financial Aid Supervisor Planned completion date for corrective action plan: December 2024

Recommendation: We recommend the District re-evaluate their procedures for processing and documenting outstanding Title IV funds to the Department of Education. Action taken in response to finding: As this is a multi-year finding, the Financial Aid department and the Business Services department have been working closely this term to develop a coordinated approach to avoid the issue going forward. Our procedures have been changed drastically. Once a student appears on a timeout / stale-dated check report from the vendor responsible for delivering aid to our students, we are reversing the funds and processing that reversal through COD first, then reaching out to the student to see if they need to make arrangements for correcting their address. This was done in the opposite fashion in prior years, and while it reduced delays for students who could rectify things, it carried too much risk of being forgotten and the 240 day mark being surpassed. The financial aid department has committed to placing the reversals and processing them through COD within seven business days of receiving the notification from the vendor and/or Business Services. This is far stricter than the federal regulations, but a seemingly necessary step to ensure compliance. Additionally, the Business Services team is aware of the impossibility of delivering aid beyond 240 days of the original check issuance and is helping the financial aid team to understand issuance dates in situations where Title IV aids may be commingled with other financial aid across multiple disbursement attempts. This coordination will ensure the District’s compliance going forward. Name of the contact person responsible for corrective action: Patrick Scott, Dean – Financial Aid, Shannon Beckham –Director of Business Services Planned completion date for corrective action plan: December 2024

Recommendation: We recognize the District made corrective action after the June 30, 2023 audit and implemented those controls during the Fall 2023 semester. We recommend the District continue to follow those controls put in place to ensure compliance with the aforementioned criteria. Action taken in response to finding: The District reviewed its enrollment reporting procedures and ensured that information—especially the effective date of status changes—is accurately reported to NSLDS as required by regulations. Name of the contact persons responsible for corrective action: Alysa Borelli, Dean—Enrollment Services, and Patrick Scott, Dean – Financial Aid Planned completion date for corrective action plan: These corrections were already put into place during Fall 2023 when the issue was discovered in the FY 2023 audit.

Recommendation: We recommend that the District improve the existing procedures and controls to ensure compliance with the aforementioned criteria. Action taken in response to finding: As this finding has occurred in multiple years, it is one of the financial aid team’s top priorities. Return to Title IV calculations are complex operations—especially in the California Community College system where multiple Pell awards per term and high withdrawal rates are common—that require time and focus. This year’s batch of calculations were problematic due for several reasons: • Human error • Insufficient number of staff capable of reliably performing calculations • Failure to retain students who have received financial aid beyond the 60% mark of the term • A typographical error in the college’s end date for Fall 2023 required us to re-calculate all Return to Title IV calculations, making each of those calculations a technical violation of Title IV regulations since they were done outside the limited time window We have taken the following actions: • Increased the number of people in the department who are capable of performing calculations • Provided support for two staff members to obtain their NASFAA certification in Return to Title IV funds calculations • Requested out-of-class status to remunerate one of our student services assistants who obtained that certification so that they can be involved in these calculations going forward • Emphasized the importance of timely calculations in staff meetings and evaluations • Altered our procedures to include deliberate consideration of dates involved to better control the timeliness of both calculations and returning funds to the Title IV programs. • Added a step to the new aid year setup that verifies that the term start, and end dates entered in the Banner® system are correct. Names of the contact persons responsible for corrective action: Patrick Scott, Dean – Financial Aid, and Anna Marie Troupe, Financial Aid Supervisor Planned completion date for corrective action plan: January 2025

2024‐001 Significant Deficiency: Return to Title IV Funds (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; Federal Pell Grant Program, ALN #84.063; Federal Supplemental Opportunity Grant Program, ALN #84.007; and TEACH Grant Program, ALN #84.379) Name of Contact Person The Director of Financial Aid, Christin Mustard, is responsible for the corrective action plan for this finding. Corrective Action Plan We agree with this finding. After review of this student’s Return to Title IV calculation, it was determined that upon beginning the calculation in the PowerFAIDS system, the Refresh button was not used which would have recalculated the completed days to include the 9-day Spring Break. After reviewing this procedure with PowerFAIDS, it was recommended that we also enter the withdrawal date on the R2T4 tab of the POE screen which forces the system to recalculate the completed days prior to beginning the R2T4 calculation. We have added this step to our Return to Title IV procedures. Anticipated Completion Date The corrected Return to Title IV calculation was completed, which resulted in an Unsubsidized loan return of $1,029. The loan funds were returned via the Common Origination and Disbursement (COD) system.

2024-003: Student Financial Audit Cluster - Reporting (Significant Deficiency) Corrective Action: Controls have been implemented to retain the documentation used in preparing the FISAP. All documentation for all pieces of the FISAP are now being stored electronically in a shared drive as well as on paper to be held in the Director’s office. Anticipated Completion Date: 9/13/2024 Contact Person: Laurie Johnstone

2024-005: Student Financial Audit Cluster - Special Tests and Provisions: Enrollment Reporting (Significant Deficiency) Corrective Action: Upon investigation, we discovered that even though Casper College is reporting our enrollment to the National Student Clearinghouse (NSC) in a timely fashion, those reports are not always being sent to the National Student Loan Data System (NSLDS) swiftly. We understand that NSC is a third-party servicer and ultimately, the institution is responsible for ensuring NSLDS is being updated properly. As a failsafe, Casper College has developed an internal audit procedure to manually update students in NSLDS to be in compliance with CFR 690.83. Anticipated Completion Date: 9/18/2024 Contact Person: Laurie Johnstone

2024-004: Student Financial Audit Cluster - Special Tests and Provisions: Disbursements to or on Behalf of Students (Significant Deficiency) Corrective Action: Casper College’s award notifications have been updated to include when funds will be disbursed. In addition, the award notifications reference the Important Dates URL on the Casper College website for parents and students to refer to that include award disbursement dates. Anticipated Completion Date: 9/6/2024 Contact Person: Laurie Johnstone

Finding 2024-002 - Significant Deficiency: Enrollment Reporting Condition For 1 of 17 students tested, the student’s status was reported incorrectly to the National Student Loan Data System (NSLDS). The student graduated however was reported to NSLDS as withdrawn. The student’s status was also reported late, after 60 days. In addition, another student’s status was also reported late. The sample was not a statistically valid sample. Corrective Action Plan The school agrees with the finding. While the withdrawn status was reported for this specific student, the follow-up graduated status was not. This student completed the graduation requirements much later. The school has implemented improved communication between registrar and financial aid to be sure these later graduations are reported. In addition, the timeframe for sending monthly enrollment reports through the National Student Clearinghouse will be altered to improve timely reporting of all statuses. The late statuses were by only a few days and should be resolved by adjusting this timeline. Name(s) of Contact Person(s) Responsible for Corrective Action: Jeff Aalbers Anticipated Completion Date: January 31, 2025

Finding 2024-001 - Eligibility Condition For 1 out of 7 students tested, the school disbursed a loan to a student that had a Perkins student loan in default and there was no support documenting that the student was not in default at the time of the disbursement. The sample was not a statistically valid sample. Corrective Action Plan The school agrees with the finding. Procedures have been updated to ensure all verification and c-code reviews are conducted prior to disbursing of any Title IV aid. This would include maintaining documentation of clearance that is recent and up-to-date in the student’s permanent online folder. Name(s) of Contact Person(s) Responsible for Corrective Action: Jeff Aalbers Anticipated Completion Date: January 31, 2025

Finding2024-001: FEDERAL WORK STUDY-WORKING DURING CLASS TIME Comments on Finding and Recommendation(s): We concur with this finding. Due to the error rate of FWS instances of noncompliance, the Institution should review and update its internal controls related to FWS to ensure that students are not working during scheduled class time and enhance communication between Federal Work Study supervisors and registration department to ensure instances of noncompliance do not recur. Action Taken or Planned: 1} The school IT department is setting up the WorkEasy clock in/clock out system for students to lock students out of being able to clock in during scheduled class times. 2} Supervisors will examine each time card to verify no student has worked during scheduled class hours unless as defined in Volume 6 Chapter 2: Working During Scheduled Class Time Prohibited - "Exceptions are permitted if an individual class is cancelled, if the instructor has excused the student from attending for a particular day, and if the student is receiving credit for employment in an internship, externship, or community work-study experience. Any such exemptions must be documented." Documentation will be provided before the work is approved to be classified and paid as FWS wages earned. 3} Supervisors will be trained and required to sign a policy at the beginning of each award year or upon hire that states students are not permitted to work during scheduled class hours unless they meet one of the documented exceptions in Volume 6 Chapter 2. By signing this policy, supervisors agree that they may be subject to disciplinary action if they fail to abide this policy.

Non-Compliance with Monthly Direct Loan Reconciliations Management agrees with the finding and the auditor's recommendation. Mass General Brigham (MGB) will update existing procedures to include a formal monthly Direct Loan reconciliation with applicable supporting documentation. This will be implemented February 2025 for the period beginning January 2025. Updates will be prepared by the Director of Student Financial Aid and the Director of Finance for review and approval by the Controller's Office prior to implementation.

2024-001 – Student Financial Assistance Cluster – (a) Federal Supplemental Educational Opportunity Grants (b) Federal Work Study Program (c) Federal Perkins Loan Program (d) Federal Pell Grant Program (e) Federal Direct Student Loans (f) Teacher Education Assistance for College and Higher Education Grants, Assistance Listing No. (a) 84.007 (b) 84.033 (c) 84.038 (d) 84.063 (e) 84.268 (f) 84.379 – Year Ended June 30, 2024 Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)). Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). Condition: The College did not implement a written information security program and a risk assessment as part of the Gramm-Leach-Bliley Act’s (GLBA) standards for safeguarding customer information. We consider this finding to be an instance of noncompliance in relation to Special Tests and Provisions. Statistical sampling was not used in making sample selections. Corrective Action Plan: We are currently working with our IT vendors (CampusWorks and Lockstep) on policies and increasing GLBA compliance. Responsible Person for Corrective Action Plan: Holly Tharp, Vice President for Finance and Business Implementation Date for Corrective Action Plan: June 30, 2025

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the University implement a procedure moving forward to ensure that all necessary MPN’s are retained for at least three years after payment in accordance with the federal regulation. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: Item was in reference to Perkins Loans that were assigned to ED. While the University does not disagree with the fact that three MPN’s were unavailable, each were old Perkins Loans, and each were successfully assigned to ED utilizing alternative documentation, as suggested by ED. The University has a current process in place to retain all information in student files for a minimum of three years. Name(s) of the contact person(s) responsible for corrective action: Mark Freed Planned completion date for corrective action plan: 06/30/2025

Student Financial Assistance Cluster – Assistance Listing No. Various Recommendation: We recommend the Institute review its reporting procedures to ensure that students’ statuses are accurately and timely reported to NSLDS as required by regulations. Explanation of disagreement with audit finding: There is no disagreement with the audit finding. Action taken in response to finding: This process is being reviewed with the Registrar’s Office, as they complete enrollment reporting through the Clearinghouse. The University has found that some delays are happening due to the lack of federal aid at the initial time. For example, one student started in Fall 2023 and the University has documentation to reflect the student was reported to Clearinghouse within the required timeframe. However, the student had not completed Entrance Counseling or a Master Promissory Note, thus they had not received Title IV aid and were not included in the request file from NSLDS to the Clearinghouse. The University will continue to review and make appropriate changes to the current process. Name(s) of the contact person(s) responsible for corrective action: Mark Freed Planned completion date for corrective action plan: 06/30/2025

Planned Corrective Action: The Organization has implemented several measures to enhance its student attendance tracking and withdrawal processes to ensure compliance with federal regulations as of April 2024. Key corrective actions include: 1. Student Attendance Warning (SAW) Forms: Instructors will issue a SAW form to any student accumulating four unexcused absences. This form serves as notification that the student may be withdrawn from the class after eight unexcused absences. Signed SAW forms will be submitted to the Registrar to improve documentation and tracking. 2. Bi-Weekly Attendance Review: The Registrar and Financial Aid Counselor will meet bi-weekly to review attendance records and ensure that proper documentation (including SAW forms) is on file for all students with unexcused absences. Instructors will be promptly notified to address any missing documentation. 3. Withdrawal Process and R2T4 Completion: Withdrawn students will receive timely email notifications, and R2T4 forms will be completed on the same day of the withdrawal notification. These forms will be reviewed by the third-party processor, FAME, to ensure accuracy. Funds will be returned via AFA within three business days of the R2T4 review. 4. Monitoring and Compliance: Regular audits will be performed to ensure adherence to this corrective action plan. Ongoing training will be provided to all responsible parties, including Student Services, Admissions, Instructors, the Registrar, and Financial Aid staff, to maintain compliance with attendance tracking and withdrawal processes. Anticipation Date of Completion: Corrective action steps are currently in place, and monitoring is ongoing. Bi-weekly attendance reviews and audits are scheduled moving forward. R2T4 processing improvements are effective immediately.

Management View and Corrective Action Plan Finding Number: 2024-001 Grantor: Department of Education Program Name: Federal Pell Grant Program Award Year: 7/1/2023 - 6/30/2024 Award Number: P063P230300 Assistance Listing Numbers: 84.063 Management concurs that it made an overpayment in the amount of $1,335 in the Federal Pell Grant Program. The following controls will be added to ensure that overpayment does not occur in the future. 1. Training will be provided to individuals involved in the process to ensure that changes made to financial aid packages are appropriate and in accordance with requirements. 2. The R2T4 checklist used for all students with federal aid who withdraw mid-semester will be updated with a reminder to check the Pell Offered/Accepted/Paid amount prior to locking the funds to ensure the amounts are the same. 3. The Office of Financial Aid (OFA) will explore the possibility of developing a report that will check all Pell recipients, within a given year, for discrepancies between Offered/Accepted/Paid Pell amounts in Banner on a monthly basis. If a discrepancy exists, OFA staff will review and adjust as necessary in a far more timely manner. Management expects to implement these controls during the Spring 2025 term. Kelli Perry Associate Vice President for Finance and Controller

NSLDS Reporting Errors Planned Corrective Action: Management agrees with this finding. The Registrar's Office has already resolved the system issues that were created by a new process for SP24 that created errors and resulted in students left off enrollment reports. The Registrar has successfully implemented a process to ensure consistency in reporting that can be shown through our submitted reports post Fall of 23'. Prior to each submission, the Registrar now performs a spot check by pulling a SIS enrollment report which helps to cross-reference and confirm the data. Additionally, the Registrar will select 10 random records from the enrollment file for detailed verification of accuracy, and correct any necessary records prior to submitting to NSC. The Registrar has identified some discrepancies between what is reported to NSC and what is pulled by NSLDS and are in the process of collaborating with CIU's IT team to investigate and resolve these issues promptly. Person Responsible for Corrective Action Plan: Elizabeth Haselden, Registrar; Joy Brown, Degree Audit and Data Specialist Anticipated Date of Completion: May 31, 2025

Inaccurate and Untimely Returns of Title IV Funds (R2T4) Planned Corrective Action: Management agrees with the finding. The Registrar’s Office and the Financial Aid Office met on 12/17/24 to discuss the discrepancy between withdrawal dates used by Fin Aid and those used by the Registrar’s Office. It was agreed that LDA and withdrawal date should be the same date for students who officially withdraw and students that are dropped due to non-participation. It was agreed that the Registrar Office would notify the Financial Aid Office of students who are administratively dropped for non-participation in a timely manner. We also agreed that we should meet at least quarterly to review our procedures and communication between offices. The Associate Director and the Director will both review the calendar set-up dates used for R2T4 calculations in our POEs to insure the correct term dates are entered. The Associate Director has now moved her undergrad online caseload to another counselor so that she has more time to focus on her primary roles of processing R2T4s and disbursing aid. Person Responsible for Corrective Action Plan: Elizabeth Haselden, Registrar; Joy Brown, Degree Audit and Data Specialist; Laura McCall and Martha Lewis, Fin Aid Associate Directors; Patty Hix, Fin Aid Director Anticipated Date of Completion: May 31, 2025

Views of Responsible Officials and Planned Corrective Actions Clearinghouse reports are from the college’s student information system (SIS). Though the student’s withdrawal was processed and entered in the SIS in a timely manner, the system categorized the student as "less than half time” because of a passing grade in a course from which the student was exempted due to passing a proficiency test. The SIS did not change the student status to withdrawn until the semester ended, which was more than 60 days beyond the withdrawal date. Action Taken/Planned: The college’s Business Office maintains an online spreadsheet list of withdrawn students outside of the SIS that is updated when a student withdraws from the college. The list has been shared with the personnel responsible for the Clearinghouse reports. Personnel will monitor the withdrawal listing and verify that all withdrawn students are accurately categorized in the Clearinghouse report from the SIS before completing the submission. Anticipated Completion Date/Date Completed: November 18, 2024

Finding Reference Number: 2024-004 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Disbursement Notifications (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268; U.S. Department of Education, Teacher Education Assistance for College and Higher Education Grants, ALN #84.379) (Repeat Finding: 2023-005) In accordance with 34 CFR 668.165(a)(2), when a University credits a student’s account, the University must notify the student or parent of (i) the anticipated date and amount of the disbursement, (ii) the student’s or parent’s rights to cancel all or a portion of that loan or disbursement, and (iii) the procedures and time by which the student or parent must notify the University that he or she wishes to cancel the loan or disbursement. This communication must occur no earlier than 30 days before, and no later than seven days after, crediting the student’s ledger account at the institution if the institution does not obtain affirmative confirmation from the student. During the 2024 audit, it was noted that 13 of 38 students, or 34.2%, who had received Direct Loan funds and/or TEACH grant funds did not receive disbursement notifications due to a system failure. The failure was not noticed to be able to remedy the situation timely. The University should ensure system functionality periodically, specifically entering periods in which disbursements are concentrated, such as the beginning of the semester, to prevent lapses in mass. The University should also create a process to verify that disbursement notifications have been distributed as intended, so that any missed notices can be remedied timely. Entity’s Corrective Action Plan Corrective Action Plan Summary: The University has taken a comprehensive and proactive approach to address this issue through two key initiatives. First, we have instituted a robust audit process designed to ensure the integrity and functionality of the system responsible for documenting sent emails. This process enables us to systematically verify that the system is operating as intended. Second, we have deployed advanced software solutions that serve to mitigate the risk of similar issues arising in the future. These combined measures reflect our commitment to ensuring operational reliability and preventing recurrence. Anticipated Completion Date: October 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid

Finding Reference Number: 2024-003 Initial Fiscal Year: 2024 Summary of Finding: 2024-003 Significant Deficiency: Direct Loan Limits (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) In accordance with the Federal Student Aid Handbook, Volume 3, Chapter 3, you must determine an undergraduate student’s Pell Grant eligibility before originating a Direct Subsidized or Unsubsidized Loan for that student, and you must package Campus-Based funds and Direct Subsidized Loans before Direct Unsubsidized Loans. In addition, you must determine an undergraduate student’s maximum Direct Subsidized Loan eligibility before originating a Direct Unsubsidized Loan for the student. The student’s maximum annual loan limit increases as the student progresses to higher grade levels. During the audit, it was noted that the University did not fulfill maximum award of students’ Direct Subsidized Loan eligibility prior to awarding Unsubsidized Direct Loans for 3 of the 32 applicable students tested, which is a 9.4% error rate. This finding is monetary in nature. In the instances noted in testing, the total error is $5,983 in under-award. Extrapolation of this monetary error estimates a total potential error of $54,614. The University should institute processes and controls to ensure that the student eligibility is assessed properly based upon grade level progression and that maximum Subsidized Direct Loans are awarded prior to Unsubsidized Direct Loans, as this practice is more beneficial for the student. Entity’s Corrective Action Plan: Corrective Action Plan Summary: The University has determined that this finding was caused by a deficiency in the software’s calculation of the subsidized award. Specifically, the software failed to update the student’s records following changes in circumstances that impacted the calculation of financial need. In response, the University has conducted a thorough evaluation and implemented new software designed to address this issue and ensure accurate calculations in future cases. Anticipated Completion Date: November 1, 2024 The corrective action plan has been implemented to resolve the prior year finding, helping to ensure that future dates are accurate. Name and Title of Responsible Person: Rocky Christensen, Director of Financial Aid.

Finding Reference Number: 2024-001 Initial Fiscal Year: 2023 Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001) In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4 During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security. The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas: Requirement 1 - Qualified Individual: 16 CFR 314.4(a) Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 2 - Risk Assessment: 16 CFR 314.4(b) Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment. A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 3.1 - Access Controls: 16 CFR 314.4(c)(1) Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024. Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025. Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2) Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.” Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025. Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3) Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.” Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4) Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.” Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5) Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication are ongoing and expect to be completed by the end of 2024. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.” Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6) Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025. Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7) Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025. Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024. Note from JU IT: A change management plan will be completed by March 31, 2025. Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8) User logging is in place for all log-ins to Office 365 log-ins to its services and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyses log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive. Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.” Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1) DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email. Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025. Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 5 – Security Training: 16 CFR 314.4(e) Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Requirement 6 – Service Providers: 16 CFR 314.4(f) Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years. \ Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g) Security controls are being monitored using Log360 wherever possible. Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods. Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.” Anticipated Completion Date: Fall 2026 Name and Title of Responsible Person: Luke Edwards, Director of IT.