Finding 1046 (2023-001)

Significant Deficiency

Requirement

Questioned Costs

Year

2023

Accepted

2023-11-01

Audit: 2011

Organization: Erskine College (SC)

Auditor: Capincrouse LLP

AI Summary

Core Issue: The College is not fully compliant with the updated requirements of the Gramm-Leach-Bliley Act (GLBA).
Impacted Requirements: Key areas include lack of a written information security program, insufficient risk assessments, absence of multi-factor authentication, and inadequate vendor management.
Recommended Follow-Up: Allocate necessary resources to ensure compliance with GLBA requirements and implement corrective actions as agreed by management.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379-Student Financial Assistance Cluster Federal Award Identification #: 2022-2023 Financial Aid Year Condition: The College did not sufficiently comply with the updated requirements of GLBA. Criteria: 16 CFR 314.3, 16 CFR 314.4 Questioned Costs: $-0- Context: The College has not: • documented a written information security program addressing all requirements of GLBA • sufficiently documented its security risk assessment and safeguards for all systems containing personally identifiable information (PII) • implemented multi-factor authentication on systems containing personally identifiable information (PII) • implemented sufficient vendor management policies and reviews • provided a written, annual report to the board Cause: The College has not allocated sufficient resources to address and document compliance with the updated requirements of GLBA. Effect: The College has not adequately addressed the updated requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: Not applicable. Recommendation: We recommend the College allocate sufficient resources to address all updated requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act Planned Corrective Action: 1. Erskine College will review all vendors who have access to personal identifiable information on an annual basis in addition to contract initiation. Erskine College will review vendors to make sure they are following Graham Leach Bliley Act standards. Erskine College IT department will maintain a list of all active vendors and access levels of such vendors. 2. An annual security report will be generated, written, and presented to our Board of Trustees on an annual basis moving forward. This report will be generated by the Information Technology department and will be submitted to the Vice President of Operations to report at the Board of Trustees meeting. 3. Erskine College will update our Information Security Program to address the components from 16 CFR 314.3 and 16 CFR 314.4 and have a new version approved by our Board of Trustees. Person Responsible for Corrective Action Plan: Stephanie Hudson. Director of Information Technology Anticipated Date of Completion: End of quarter 1, 2023

Other Findings in this Audit

1047 2023-001

Significant Deficiency
1048 2023-001

Significant Deficiency
1049 2023-001

Significant Deficiency
1050 2023-001

Significant Deficiency
1051 2023-001

Significant Deficiency
577488 2023-001

Significant Deficiency
577489 2023-001

Significant Deficiency
577490 2023-001

Significant Deficiency
577491 2023-001

Significant Deficiency
577492 2023-001

Significant Deficiency
577493 2023-001

Significant Deficiency

Programs in Audit

ALN	Program Name	Expenditures
84.268	Federal Direct Student Loans	$5.11M
84.063	Federal Pell Grant Program	$1.85M
84.038	Federal Perkins Loan Program	$400,408
84.007	Federal Supplemental Educational Opportunity Grants	$130,811
84.033	Federal Work-Study Program	$75,188
84.379	Teacher Education Assistance for College and Higher Education Grants (teach Grants)	$22,632