Finding 1105 (2023-001)

Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2023-11-02
Audit: 2115
Organization: Trevecca Nazarene University (TN)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The University is not fully compliant with the updated requirements of the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Key areas include lack of multi-factor authentication, absence of formal employee training, inadequate data retention policies, and missing annual reports to the board.
  • Recommended Follow-Up: Allocate resources to properly document and implement all GLBA compliance measures.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance

DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033 and 84.379
Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The University did not sufficiently comply with the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $0

Context: The University has not implemented multi-factor authentication on all systems containing personally identifiable information (PII), implemented a formalized employee training program, documented the disposal of PII in its data retention policies, or provided a written, annual report to the board covering all required elements.

Cause: The University has not codified and documented all informal practices occurring for compliance with GLBA.

Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Not applicable.

Recommendation: We recommend the University allocate sufficient resources to codify and document compliance with all requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action:

16 CFR 314.4(c)(1-8) – The university currently secures a large majority of its systems and data following best practice guidelines including Single Sign On (SSO), Multifactor Authentication (MFA), and Passwordless Authentication. However, there are a few systems remaining that have not yet been fully protected by these systems. The University will work to identify and migrate all systems containing PII to its authentication security systems.

16 CFR 314.(e) – The university currently provides security training through several avenues throughout the year. However, there is not currently a formal training plan. The university will create a formal training plan to include in-person and online annual training as well as smaller and more frequent refresher training throughout the year.

16 CFR 314.4(i) – The university currently advises the Cabinet on all matters concerning security effectiveness; however, no formal presentation has been given to the Board of Trustees. The university will create a formal report to present to the Board of Trustees beginning with their Fall 2023 meeting.

Other finding: Moving forward, the university will enforce its data retention policies and dispose of all PII once the retention date has been reached.

Person Responsible for Corrective Action Plan: Dr. John Eberle, Chief Information Officer

Anticipated Date of Completion: May 2024

Programs in Audit

ALN     Program Name                                                                    Expenditures
84.268  Federal Direct Student Loans                                                    $27.15M
84.063  Federal Pell Grant Program                                                      $3.02M
84.027  Special Education Grants to States                                              $399,903
84.007  Federal Supplemental Educational Opportunity Grants                             $237,380
84.007  COVID-19 Federal Supplemental Educational Opportunity Grants                    $115,000
84.033  Federal Work-Study Program                                                      $95,329
84.379  Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)  $1,886