Finding Text
2024-002 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education,
William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding 2023-002)
Criteria: In accordance with 16 CFR 314.4, the University shall develop, implement, and maintain a
comprehensive information security program that is written in one or more readily accessible parts
and contains administrative, technical, and physical safeguards that are appropriate to the University's
size and complexity, the nature and scope of its activities, and the sensitivity of any customer
information at issue; the program must contain all of the elements further described in 16 CFR 314.4.
Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act
Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the
application of the comprehensive information security program was not effectively administered by
the University during the 2024 year. An updated policy was put into place in February 2024, which
addressed several of the deficiencies noted in the existing policy, but not all.
The seven required elements for the GLBA policy are as follows, along with the status within each of
the University’s policies in place during the year:
1. The policy designates a qualified individual responsible for overseeing and implementing the
institution's information security program and enforcing compliance with it.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement, identifying a GLBA Compliance Program Coordinator responsible for
the listed functions.
2. The policy provides for the information security program to be based on a risk assessment that
identifies reasonably foreseeable internal and external risks to the security, confidentiality, and
integrity of customer information (as the term customer information applies to the institution)
that could result in the unauthorized disclosure, misuse, alteration, destruction, or other
compromise of such information, and assesses the sufficiency of any safeguards in place to
control these risks.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement.
3. The policy provides for the design and implementation of safeguards to control the risks the
institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the
institution’s written information security program must address the implementation of the
minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows:
3.1. Implement and periodically review access controls.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement, instituting a continuous monitoring process undertaken at
periodic intervals. The timeframe of the periodic intervals is not defined.
3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement, using data mapping to complete the inventory. However, the
institution was unable to provide the date of the last completed inventory.
3.3. Encrypt customer information on the institution’s system and when it is in transit.
Both the existing policy and the newly implemented policy are silent on this requirement.
3.4. Assess applications developed by the institution.
Both the existing policy and the newly implemented policy are silent on this requirement.
3.5. Implement multi-factor authentication for anyone accessing customer information on the
institution’s system.
Both the existing policy and the newly implemented policy are silent on this requirement.
3.6. Dispose of customer information securely.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement. The new policy provides a link to the information regarding
retention and destruction of documents.
3.7. Anticipate and evaluate changes to the information system or network.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement.
3.8. Maintain a log of authorized users' activity and monitor for unauthorized access.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement. The policy provides a link to the acceptable use policy.
4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of
the safeguards it has implemented.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement, instituting a continuous monitoring process undertaken at periodic
intervals. The timeframe of the periodic intervals is not defined.
5. The policy provides for the implementation of policies and procedures to ensure that personnel
are able to enact the information security program.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement, identifying the IT department in collaboration with the VP of finance
as the responsible parties for this process.
6. The policy addresses how the institution will oversee its information system service providers.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement. The program coordinator has been tasked with this activity in
conjunction with the VP of Finance.
7. The policy provides for the evaluation and adjustment of its information security program in
light of the results of the required testing and monitoring; any material changes to its operations
or business arrangements; the results of the required risk assessments; or any other
circumstances that it knows or has reason to know may have a material impact on the institution's
information security program.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement. The policy will be reviewed annually at a minimum.
Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in
nature.
Perspective Information: The audit included testing of the University’s Gramm-Leach-Bliley Act
Policy as outlined in Part 5 of the Compliance Supplement including the application of this program
for the year.
Cause and Effect: Due to lapses of oversight in multiple departments, the University failed to update
its GLBA policy in a timely manner to include the required components in accordance with the
Compliance Supplement. The University implemented an updated policy in February 2024. Both the
previous policy and the updated policy were subjected to audit procedures, and several requirements
were missing from both. Therefore, the policy is considered incomplete and does not provide the
appropriate disclosures to consumers.
Recommendation: The University should update its Gramm-Leach-Bliley Act Policy to meet the
requirements, and should put in place effective controls and practices to monitor the policy and
ensure it is administered effectively.
View of Responsible Officials: The University recently reviewed the Gramm-Leach-Bliley Act Policy
and has put in place controls and practices to effectively monitor and administer the policy. In April
2024, we hired an IT company to help with various campus needs, including data compliance
procedures and security measures. The company has been reviewing our current policies and
making recommendations to implement appropriate safeguards to keep the university up to date
and compliant. We have already installed multi-factor authentication features for our software
systems, and there are more updates to come. In July 2024, we received a notice of compliance
from Federal Student Aid regarding our corrective action procedures for the Gramm-Leach-Bliley
Act.