Finding No. 2023-001 Gramm-Leach-Bliley Act–Student Information Security
Condition
During audit procedures, the auditor noted that the University risk assessment did not fully
address all the elements required by 16 CFR 314.4. Accordingly, the following elements were
missing:
1. Evidence of annual security report to those charged with governance
The Qualified Individual (MIS Director), who is responsible for overseeing, implementing and enforcing the Information Security Program, will submit a
written report. This report will include any recommended changes, material matters, security events or violations, and management responses. This report is submitted to the President of the institution and the Board of Trustees at least annually on a fiscal year basis, commencing with the first report due by June 30,
2024.
2. Vulnerability test
Vulnerability assessments of the institution's information systems will include systemic scans or reviews designed to identify publicly known security vulnerabilities, at least
every six months and/or whenever there are material changes or circumstances that may have a material impact on the information security program. In addition, the
institution is evaluating a network scout service (a subscription-based service), which runs a daily host discovery scan across the network to detect any
unauthorized devices or changes.
3. Disaster recovery plan
The institution will expand the disaster recovery plan to include the following:
The main datacenters have heat and humidity detection systems as well as a fire suppression system, alarms with motion detectors, and security cameras set to 24-hour
recording.
The University takes reasonable steps to select and retain Service Providers who will maintain safeguards to protect Covered Data in compliance with GLBA.
Disaster Recovery Teams are organized to respond to disasters of various types, sizes, and locations. These teams will be mobilized depending on the parameters of the disaster. It is the responsibility of the MIS Director to determine which Disaster Recovery Teams to mobilize following the declaration of a disaster. Each team will use its respective procedures, technical expertise, and recovery tools to return the information systems to operational status. The datacenter and network/telecommunications infrastructure will be the highest priority.
4. No backup test was performed to assure data accuracy during the year ended June 30, 2023.
The Datacenter department runs a daily backup to a secure server, but to assure that the stored data is accurate, the institution is evaluating the implementation of a third-party Backup Verification Application. The backup application offers a verification process, which includes:
Verifying file integrity (that files have no corruption)
Monitoring for ransomware traces
Making sure the file system is stable
Checking that a restore will work properly, if needed
Anticipated completion date: June 30, 2024.