Finding 1123827 (2024-003)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2024
Accepted
2025-03-31
Audit: 351630
Auditor: Galindez LLC

AI Summary

  • Core Issue: The University failed to fully address required elements in its risk assessment for student information security under the Gramm-Leach-Bliley Act.
  • Impacted Requirements: Missing components include vulnerability tests, penetration tests, and backup tests, which are essential for safeguarding sensitive student financial aid information.
  • Recommended Follow-Up: Appoint a stable qualified individual to oversee the information security program and ensure all required assessments and tests are conducted regularly.

Finding Text

Finding No. 2024-003 – Special Tests and Provisions - Gramm-Leach-Bliley Act–Student Information Security

Federal Program
  • ALN 84.007 Federal Supplemental Educational Opportunity Grant Program
  • ALN 84.033 Federal Work-Study Program
  • ALN 84.063 Federal Pell Grant Program
  • ALN 84.268 Federal Direct Student Loan Program
  • Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)

Name of Federal Agency
U.S. Department of Education (USDE)

Type of Finding
Internal Control/Compliance

Category
Significant deficiency

Compliance Requirement
Special Tests and Provisions

Criteria
Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. The Gramm-Leach-Bliley Act (GLBA) (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” and therefore subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).

The Standards for Safeguarding Customer Information, required by the GLBA (16 CFR §314.4), require the University to:

a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).

b) Provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).

c) Provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
   1. Implement and periodically review access controls.
   2. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
   3. Encrypt customer information on the institution’s system and when it’s in transit.
   4. Assess apps developed by the institution.
   5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
   6. Dispose of customer information securely.
   7. Anticipate and evaluate changes to the information system or network.
   8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

d) Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

e) Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).

f) Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).

g) Provide for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal controls designed to reasonably ensure compliance with Federal laws, statutes, regulations, and the terms and conditions of the Federal award. Furthermore, generally accepted information technology guidance endorses the implementation of a process to identify risk and ensure appropriate safeguards are in place to protect information technology systems and data.

Condition
During our audit procedures, we noted that the University risk assessment did not fully address all the elements required by 16 CFR 314.4. Accordingly, the following elements were missing:
1. Vulnerability test
2. Penetration test
3. No backup test was performed during the year ended June 30, 2024.

Cause
In past years there has been high turnover in the position of the qualified individual responsible for overseeing and implementing the University’s information cyber-security program. As a result, some of the procedures and policies established in the information cyber-security program risk assessment have not been consistently or continuously maintained; accordingly, the student personal information could be at risk. In addition, the USDE has informed through electronic announcements (EA) that “when an audit report that includes a GLBA audit finding is received, they will refer the audit to the Federal Trade Commission (FTC).”

Effect
Once the finding is referred to the FTC, that finding will be considered closed for USDE audit tracking purposes. The FTC will determine what action may be needed as a result of the GLBA audit finding.

Identification of a repeat finding
This is not a repeat finding from the immediate previous audit.

Questioned cost
N/A

Context
The Gramm-Leach-Bliley Act (GLBA) created a requirement that financial institutions must have certain information privacy protections and safeguards in place. The Federal Trade Commission (FTC) has enforcement authority for the requirements and has determined that institutions of higher education (institutions) are financial institutions under GLBA. Each institution has agreed to comply with GLBA in its Program Participation Agreement with the Department. In addition, as a condition of accessing the Department’s systems, each institution and servicer must sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement, which states that the institution must ensure that all federal student aid applicant information is protected from access by or disclosure to unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability in accordance with 34 C.F.R. § 668.16, including the maintenance of adequate checks and balances in their systems of internal control. An institution or servicer that does not maintain adequate internal controls over the security of student information may not be considered administratively capable.

Recommendation
We recommend that the University address the cause of the high turnover in the position of the qualified individual responsible for overseeing the implementation of policies and procedures, including internal controls, to ensure that they are in compliance with 16 CFR 314.4(b) and (c).

Views of Responsible Officials and Planned Corrective Actions
Management of the University agrees with this finding. Please refer to the corrective action plan on pages 61-63.

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Matching / Level of Effort / Earmarking
  • Special Tests & Provisions
  • Significant Deficiency

Other Findings in this Audit

  • 547380 2024-001
    -
  • 547381 2024-002
    - Repeat
  • 547382 2024-003
    Significant Deficiency
  • 547383 2024-003
    Significant Deficiency
  • 547384 2024-003
    Significant Deficiency
  • 547385 2024-003
    Significant Deficiency
  • 547386 2024-002
    - Repeat
  • 547387 2024-003
    Significant Deficiency
  • 1123822 2024-001
    -
  • 1123823 2024-002
    - Repeat
  • 1123824 2024-003
    Significant Deficiency
  • 1123825 2024-003
    Significant Deficiency
  • 1123826 2024-003
    Significant Deficiency
  • 1123828 2024-002
    - Repeat
  • 1123829 2024-003
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.063 Federal Pell Grant Program $3.33M
84.268 Federal Direct Student Loans $1.16M
97.036 Disaster Grants - Public Assistance (Presidentially Declared Disasters) $902,738
84.031 Higher Education Institutional Aid $624,008
84.033 Federal Work-Study Program $355,819
84.007 Federal Supplemental Educational Opportunity Grants $212,479
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $8,488