Finding Text
Finding 2024-001
U.S. Department of Education
Student Financial Assistance Cluster
Gramm Leach Bliley Act (GLBA)
Criteria -
Institutions participating in the Student Financial Assistance (SFA) program are required to comply with GLBA. GLBA requires institutions to implement certain written policies.
Condition -
The University does not have the following written policies required under GLBA:
• The written information security program does not include a change management policy.
• A written information security staff training policy is not in place.
• A written vendor management policy is not in place.
Cause -
The University has not established formal policies to ensure compliance with the GLBA requirements. Resource constraints and competing priorities were contributing factors.
Effect -
The University is not fully compliant with GLBA requirements.
Recommendation -
We recommend that the University develop and implement a comprehensive written information security program that addresses all minimum elements required by GLBA. Additionally, we recommend that the University establish a formal written policy for staff training on data security and privacy and develop and implement a vendor management policy to ensure third-party service providers safeguard customer information appropriately.
Views of Responsible Officials –
The University acknowledges the recommendation and is committed to implementing a comprehensive written information security program that fully addresses all GLBA requirements. The University has drafted a formal data security and privacy training policy for staff. The University currently requires faculty and staff to complete annual security and privacy trainings as directed through the employee handbook. The University has drafted a vendor management policy to ensure third-party service providers maintain appropriate safeguards for customer information. A dedicated security team will oversee the development and implementation of these measures, ensuring compliance with GLBA regulations and the protection of sensitive student data.