Finding 1121132 (2024-004)

2024-004 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-002) Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue and must contain all of the elements that are further described in 16 CFR 314.4. Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. A new policy was put into place during June 2024. The seven required elements for the GLBA policy are as follows, along with the status within each of the University’s policies in place during the year: 1. The policy designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The director of information systems, Casey Reagan, has been identified as the responsible party. 2. The policy provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The University contracted with a third-party cybersecurity firm to address this requirement in the updated policy. 3. The policy provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows: 3.1. Implement and periodically review access controls. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted. Both the existing policy and the newly implemented policy are silent on this requirement. 3.3. Encrypt customer information on the institution’s system and when it is in transit. Both the existing policy and the newly implemented policy are silent on this requirement. 3.4. Assess applications developed by the institution. Both the existing policy and the newly implemented policy are silent on this requirement. 3.5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. Both the existing policy and the newly implemented policy are silent on this requirement. 3.6. Dispose of customer information securely. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.7. Anticipate and evaluate changes to the information system or network. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 3.8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. This attribute was not addressed in the existing policy; the newly implemented policy does sufficiently address this requirement. The University contracted with a third-party cybersecurity firm to address this requirement in the updated policy. 5. The policy provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 6. The policy addresses how the institution will oversee its information system service providers. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. 7. The policy provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature. Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act Policy as outlined in Part 5 of the Compliance Supplement including the application of this program for the year. Cause and Effect: During the current year, the responsible parties began putting procedures into place and drafted an updated policy to ensure deficiencies in the information security policy are addressed. As this process requires the coordination of multiple individuals, software systems, and approvals, the updates were unable to be completed by June 30, 2024. Recommendation: The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way to ensure it is administered effectively and timely. View of Responsible Officials: The University acknowledges this finding. The University was in the process of updating this policy in 2023-24 to be in compliant and has finished updating the policy. The FSA Cyber Compliance Team reached out to Tusculum due to this finding for the 2022-23 audit period and Tusculum provided the Corrective Action Plan and new policy. On August 1st, 2024, Tusculum received word that the CAP acceptably addressed the GLBA finding. For the issues that are above that list that our policy is silent on the issue, the University will further detail our policy on the measures enacted.