2024-001 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William
D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001)
Criteria: In accordance with 16 CFR 314.4, the University shall develop, implement, and maintain a
comprehensive information security program that is written in one or more readily accessible parts
and contains administrative, technical, and physical safeguards appropriate to the institution's size
and complexity, the nature and scope of its activities, and the sensitivity of the customer information
at issue. The program must contain all of the elements described in 16 CFR 314.4.
Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act
Policy did not fully address all of the requirements of 16 CFR 314.4. In addition, the comprehensive
information security program was not effectively administered by the University during the 2024
fiscal year. An updated policy was put into place in July 2024, which addressed several, but not all,
of the deficiencies noted in the existing policy.
The seven required elements for the GLBA policy are listed below, together with the status of each
under the University’s policies in place during the year:
1. The policy designates a qualified individual responsible for overseeing and implementing the
institution’s information security program and enforcing compliance with it.
Both the existing policy and the newly implemented policy sufficiently address this attribute. Luke
Edwards, IT Director, and Tim Fisher, IT Systems Analyst, work together to oversee the information
security program and the implementation of additional facets.
2. The policy provides for the information security program to be based on a risk assessment that
identifies reasonably foreseeable internal and external risks to the security, confidentiality, and
integrity of customer information (as the term customer information applies to the institution)
that could result in the unauthorized disclosure, misuse, alteration, destruction, or other
compromise of such information, and assesses the sufficiency of any safeguards in place to control
these risks.
This attribute was addressed in the existing policy but was not considered sufficient; the newly
implemented policy does sufficiently address this requirement. Additional risk assessments are
planned every 2 years to reexamine reasonably foreseeable risks and to account for changes in
cybersecurity controls. The next risk assessment is to be completed by December 31, 2025.
3. The policy provides for the design and implementation of safeguards to control the risks the
institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s
written information security program must address the implementation of the minimum
safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows:
3.1. Implement and periodically review access controls.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement, instituting a monitoring and review process undertaken at periodic
intervals. The University has contracted for new software to assist with this, which is expected
to be live by December 31, 2024.
3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted.
Both the existing policy and the newly implemented policy are silent on this requirement.
Resolution to this matter is expected to be addressed and incorporated into the policy by
December 31, 2024.
3.3. Encrypt customer information on the institution’s system and when it is in transit.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement. The University has had encryption in transit for several years but not
encryption at rest. In October 2023, the University purchased licenses to enable encryption at
rest, and most virtual machines containing sensitive data were fully encrypted by April 30, 2024.
The remaining virtual machines are planned to be encrypted by December 31, 2024.
3.4. Assess applications developed by the institution.
Both the existing policy and the newly implemented policy are silent on this requirement.
However, the University does not develop in-house applications for transmitting, accessing,
or storing customer information.
3.5. Implement multi-factor authentication for anyone accessing customer information on the
institution’s system.
Both the existing policy and the newly implemented policy are silent on this requirement.
However, the University uses multi-factor authentication on all connections to the server
through which the student information system is accessed, as well as on administrative and
financial applications.
3.6. Dispose of customer information securely.
Both the existing policy and the newly implemented policy are silent on this requirement.
Evaluation of organizational data retention policies for effectiveness is ongoing and is
expected to be completed by December 31, 2024. Future evaluations of the effectiveness of
data retention policies will take place every other year and will be conducted jointly by the
Finance and IT Departments.
3.7. Anticipate and evaluate changes to the information system or network.
This attribute was not addressed in the existing policy; the newly implemented policy does
address this requirement. Formal procedures are expected to be in place by December 31, 2024.
3.8. Log the activity of authorized users and monitor for unauthorized access to or use of
customer information.
Both the existing policy and the newly implemented policy are silent on this requirement.
Office 365 user logging has been in place; logging of sign-ins to on-premises resources was
implemented in March 2024. IT has processes in place for addressing suspicious activity.
4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of
the safeguards it has implemented.
This attribute was addressed in the existing policy but was not considered sufficient; the newly
implemented policy does sufficiently address this requirement.
5. The policy provides for the implementation of policies and procedures to ensure that personnel
are able to enact the information security program.
Both the existing policy and the newly implemented policy sufficiently address this attribute.
Software has been purchased and implemented for continuous monitoring of vulnerabilities
within organizational software.
6. The policy addresses how the institution will oversee its information system service providers.
This attribute was addressed in the existing policy but was not considered sufficient; the newly
implemented policy does sufficiently address this requirement. Collection of SOC 2 reports from
vendors that have access to systems containing student information is in progress. The collection
and analysis of these reports is expected to be completed by December 31, 2024. Review of these
reports is planned annually, with requests for updated reports every 3 years.
7. The policy provides for the evaluation and adjustment of its information security program in light
of the results of the required testing and monitoring; any material changes to its operations or
business arrangements; the results of the required risk assessments; or any other circumstances
that it knows or has reason to know may have a material impact on the institution’s information
security program.
Both the existing policy and the newly implemented policy sufficiently address this attribute.
Status reports regarding facets of the information security policy are provided to senior
leadership team members and to the board at least annually at their regularly scheduled meetings.
Questioned Costs: Not applicable; this finding is nonmonetary in nature.
Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act
Policy as outlined in Part 5 of the Compliance Supplement including the application of this program
for the year.
Cause and Effect: During the current year, the responsible parties began putting procedures into place
and drafted an updated policy to address the deficiencies in the information security policy. Because
this process requires the coordination of multiple individuals, software systems, and approvals, the
updates could not be completed by June 30, 2024.
Recommendation: The University should continue to update its Gramm-Leach-Bliley Act Policy to bring
it into accordance with the requirements, and should put in place effective controls and practices to
monitor the policy so that it is administered effectively and in a timely manner.
View of Responsible Officials: The Johnson University IT Department has consistently worked to
improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has
taken a proactive and measured approach to GLBA compliance that ensures a balance between
reaching compliance quickly and reaching compliance with long-term strategic planning. This has led
to a GLBA implementation that will take 2 or more years but will set up the university for long-term
excellence in compliance and security. The University understands the importance of GLBA
requirements and is committed to ensuring student data is protected from all foreseeable threats. It
will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term
security.