Finding FA 2024-003: Special Tests and Provisions – Gramm-Leach-Bliley Act (GLBA) - Student Information Security: Perform Timely Access Revocation and Strengthen User Access Reviews; Maintain and Review Logs of Users’ Activity for both SAP and PeopleSoft Student Information System (PS SIS); and Implement Data-at-Rest Encryption for SAP and PS SIS
Federal Program Information:
Assistance Listing Number: ALN 84.007, 84.003, 84.063, 84.268, 93.364
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2023, to June 30, 2024
Compliance Requirement: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.” Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.
Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4 [Elements] altered the current Rule’s required elements of an information security program and added several new elements.” The FTC also stated, “the elements for the information security programs set forth in this section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.” The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security program –
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as the Qualified Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the Qualified Individual is responsible for implementing and monitoring the information security program, it is ED’s expectation that the Qualified Individual would be able to provide the auditors with the written information security program that addresses the required elements.
Identified Condition:
A. Perform Timely Access Revocation and Strengthen User Access Reviews (Repeat finding)
Based on tests of controls to verify that the access of terminated employees is removed in a timely manner from PS SIS, SAP and Active Directory (AD), we noted that, of the terminated employees subject to testing:
1. 17 users were still active in PS SIS, 10 of whom have logged in after their termination.
2. 27 users were still active in SAP, nine (9) of whom have logged in after their termination.
3. 45 users were active in AD, 20 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for PS SIS, SAP and AD, there is no review performed to check the validity of regular users for these systems. Employee functions and/or responsibilities may change over time; thus, previously provisioned access may no longer be valid.
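The two control tests described above (terminated employees still active, and whether they logged in after termination; and active accounts that have never been re-certified in a regular-user access review) can be reconciled from exports of the HR termination list and each system's account listing. The following is an added illustration, not the District's or the auditor's code; the account records and dates are constructed, and the 180-day review window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Account:
    system: str                      # "PS SIS", "SAP" or "AD"
    user: str
    active: bool
    last_login: Optional[date]       # None = never logged in
    last_reviewed: Optional[date] = None  # None = access never re-certified

# Constructed sample data for illustration, not the District's records.
TERMINATIONS = {"jdoe": date(2024, 1, 15), "asmith": date(2024, 3, 2), "blee": date(2024, 5, 20)}
ACCOUNTS = [
    Account("PS SIS", "jdoe", True, date(2024, 2, 1)),      # active, used after termination
    Account("PS SIS", "asmith", False, date(2024, 2, 28)),  # correctly disabled
    Account("SAP", "jdoe", True, None),                      # active, never used
    Account("SAP", "blee", True, date(2024, 5, 1)),          # active, last login before termination
    Account("AD", "asmith", True, date(2024, 4, 10)),        # active, used after termination
    Account("AD", "cng", True, date(2024, 6, 1)),            # current staff, never reviewed
    Account("AD", "dlee", True, date(2024, 6, 3), date(2024, 5, 1)),  # current staff, reviewed
]

def revocation_gaps(terminations, accounts):
    """Per system: (terminated users still active, subset that logged in after termination)."""
    report = {}
    for acct in accounts:
        term_date = terminations.get(acct.user)
        if term_date is None or not acct.active:
            continue
        still_active, logged_in_after = report.setdefault(acct.system, ([], []))
        still_active.append(acct.user)
        # A login dated on the termination day itself is treated as pre-termination.
        if acct.last_login is not None and acct.last_login > term_date:
            logged_in_after.append(acct.user)
    return report

def review_overdue(terminations, accounts, as_of, max_age_days=180):
    """Active accounts of current staff not re-certified within max_age_days (assumed policy)."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [(a.system, a.user) for a in accounts
            if a.active and a.user not in terminations
            and (a.last_reviewed is None or a.last_reviewed < cutoff)]

if __name__ == "__main__":
    for system, (active, after) in revocation_gaps(TERMINATIONS, ACCOUNTS).items():
        print(f"{system}: {len(active)} terminated users still active, {len(after)} logged in after termination")
    print("review overdue:", review_overdue(TERMINATIONS, ACCOUNTS, date(2024, 6, 30)))
```

The same reconciliation run against real exports gives the per-system counts reported in the condition above, and the overdue list is the population a regular-user access review would need to cover.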
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS (Repeat finding)
The compliance requirement that institutions monitor and log the activity of authorized users and detect unauthorized access to, use of, or tampering with customer information by such users [16 CFR 314.4(c)(8)] is not currently implemented by the District.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers (Repeat finding)
Drive-level encryption is implemented and was observed on a sample workstation that processes customer information. However, no encryption mechanism is currently implemented for the SAP and PS SIS servers. Compliance requirement 16 CFR 314.4(c)(3) requires institutions to protect by encryption all students’ data held at rest.
Cause and Effect:
A. Perform Timely Access Revocation and Strengthen User Access Reviews
Failure to deactivate or remove the accounts of terminated employees in a timely manner may result in unauthorized access to the District’s resources and sensitive information. Furthermore, the lack of access reviews for regular users increases the risk that inappropriate users or access remain undetected over time, which may be used to process unauthorized transactions or view confidential information.
B. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and unauthorized activities may not be detected and responded to in a timely manner.
C. Implement Data-at-Rest Encryption for SAP and PS SIS Servers
Data held on servers without encryption is vulnerable to unauthorized access, especially if physical and logical controls are compromised. In the event of a breach, sensitive data, such as students’ information, may be exposed.