Finding 1116 (2023-001)

Type: Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2023-11-02
Audit: 2132
Organization: Dallas Theological Seminary (TX)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The Seminary failed to meet updated GLBA compliance requirements, risking student information security.
  • Impacted Requirements: Key areas include security risk assessments, multi-factor authentication, employee training, and continuous monitoring.
  • Recommended Follow-Up: Allocate necessary resources to ensure compliance with GLBA and implement corrective actions as planned.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance
Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268 and 84.033, Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The Seminary did not sufficiently comply with the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $-0-

Context: The Seminary has not:
  • sufficiently documented its security risk assessment and safeguards for systems and programs added during the year
  • implemented multi-factor authentication on all systems containing personally identifiable information (PII)
  • implemented a formal employee training program
  • implemented comprehensive continuous monitoring or annual penetration testing and biannual vulnerability scanning during the audit period
  • provided a written, annual report to the board

Cause: The Seminary underwent a system conversion during the year and was not able to allocate sufficient resources to address and document compliance with the updated requirements of GLBA. Additionally, equipment purchased to address portions of compliance has remained on backorder.

Effect: The Seminary has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Not applicable.

Recommendation: We recommend the Seminary allocate sufficient resources to address all updated requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action: Management has policies and plans in place that are being updated to meet the specific requirements of the GLBA no later than December 31, 2023. The internal policies were updated to perform risk assessment and documentation immediately upon completion of any new system or program implementation. The Seminary has implemented multi-factor authentication (MFA) across 95% of all applications and systems, and the remaining 5% have other safeguards in place; therefore management believes we meet this specific requirement. To ensure the formal employee training program is fully implemented, the IT policy will be modified to reflect that all new employees be trained individually by IT Helpdesk employees. The Seminary's continuous monitoring process or establishment of periodic vulnerability assessments and penetration testing will be completed no later than December 31, 2023. The Seminary will present to the board of trustees at its March 2024 meeting the Annual Report on Information Security Programs to include all the required details.

Person Responsible for Corrective Action Plan: Robert Riggs, Senior Vice President for Operations and Institutional Efficiency/COO

Anticipated Date of Completion: December 31, 2023

Categories

  • Subrecipient Monitoring
  • Procurement, Suspension & Debarment
  • Significant Deficiency

Other Findings in this Audit

  • 1117 2023-001
    Significant Deficiency
  • 577558 2023-001
    Significant Deficiency
  • 577559 2023-001
    Significant Deficiency

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $2.86M
84.033 | Federal Work-Study Program | $126,966
84.425 | Covid-19 Education Stabilization Fund, Governor’s Emergency Education Relief Fund | $50,000