Finding 1102872 (2024-001)

Repeat Finding: -
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-03-10
Audit: 345374
Organization: Upper Iowa University (IA)

AI Summary

  • Core Issue: The University lacks a written information security program that meets all requirements of the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Compliance with GLBA standards is essential to safeguard consumer nonpublic personal information.
  • Recommended Follow-Up: Conduct and document an annual risk assessment to identify specific risks and ensure all GLBA-required elements are addressed.

Finding Text

Finding 2024-001: Special Tests and Provisions – Gramm-Leach-Bliley Act
Repeat of finding 2023-001
Federal Program - Student Financial Assistance Cluster
Federal Agency - U.S. Department of Education
Pass-Through Entity - Not Applicable
Assistance Listing Number - 84.033, 84.268, 84.063, 84.379, 84.007
Federal Award Number - Various
Federal Award Year - June 30, 2024

Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the previously required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The institution's written information security program must address all elements that apply. The elements for information security programs set forth in 16 CFR 314.4 are high-level principles that define the basic issues the program must address; they do not prescribe how those issues are to be addressed.

Condition: The University does not have a written information security program that addresses all elements that apply.

Cause: The University did not have procedures and processes in place specific to GLBA and therefore did not have written documentation of all required elements.

Effect: Failure to comply with the requirements of the GLBA standards puts the University at risk of compromising consumer nonpublic personal information.

Questioned Costs: Not applicable.

Context: Not applicable.

Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).

Management's Response: The reported issue arises from the absence of written documentation outlining policies and procedures related to GLBA requirements. This matter is being addressed by the Director of Information Technology in collaboration with a campus-wide committee responsible for overseeing information security. A draft of the documented information security program has been created and will specifically address the cybersecurity requirements of GLBA.

Categories

Subrecipient Monitoring
Special Tests & Provisions
Programs in Audit

ALN     Program Name                                                                   Expenditures
84.268  Federal Direct Student Loans                                                   $19.43M
84.063  Federal Pell Grant Program                                                     $5.63M
84.033  Federal Work-Study Program                                                     $225,217
84.007  Federal Supplemental Educational Opportunity Grants                            $209,155
47.076  STEM Education (formerly Education and Human Resources)                        $110,056
84.379  Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)  $80,625
66.951  Environmental Education Grants Program                                         $3,029
84.038  Federal Perkins Loan Program - Federal Capital Contributions                   $0