Finding Text
Criteria or specific requirement:
The Gramm-Leach-Bliley Act (Public Law 106-102) requires institutions to explain their information-sharing
practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade
Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance
Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition:
Under an institution’s Program Participation Agreement with the U.S. Department of Education and the
Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention
to information provided to institutions by the Department or otherwise obtained in support of the
administration of the federal student financial aid programs.
Questioned costs:
None
Context:
During our audit procedures, it was noted that the University did not perform and document a risk
assessment that addresses certain of the elements noted in 16 CFR 314.4(b), which are (1) employee
training and management; (2) information systems, including network and software design, as well as
information processing, storage, transmission and disposal; and (3) detecting, preventing and
responding to attacks, intrusions, or other systems failures, and did not document safeguards for identified
risks.
Cause:
The University did not perform an IT risk assessment tailored specifically to the University, identify risks
or address risks identified as required by the Gramm-Leach-Bliley Act.
Effect:
The students’ personal information could be vulnerable.
Repeat Finding:
Yes, finding 2023-002.
Recommendation:
We recommend that the University engage a third party or perform the risk assessment for the areas
required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for
identified risks.
Views of responsible officials:
Please refer to the attached corrective action plan.