Finding 1141624 (2024-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-06-17
Audit: 359091
Organization: University of Guam (GU)

AI Summary

  • Core Issue: The University lacks a comprehensive written information security program that meets the requirements of the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Compliance with 2 CFR 200.303 and GLBA mandates for safeguarding sensitive data and establishing effective internal controls.
  • Recommended Follow-Up: The Office of Information Technology should create and annually review a written Information Security Program to ensure compliance with federal regulations.

Finding Text

Finding No.: 2024-001
Federal Agency: U.S. Department of Education
AL Program: Student Financial Assistance Cluster
Federal Award No.: Various
Area: Special Tests and Provisions – Gramm-Leach-Bliley Act-Student Information Security
Questioned Costs: $0

Criteria: 2 CFR 200.303 requires that a non-federal entity must “(a) establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”

The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)).

Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program —

(1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)).

(2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).

(3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:

    (i) Implement and periodically review access controls.
    (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
    (iii) Encrypt customer information on the institution’s system and when it’s in transit.
    (iv) Assess apps developed by the institution.
    (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
    (vi) Dispose of customer information securely.
    (vii) Anticipate and evaluate changes to the information system or network.
    (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.

(4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

(5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).

(6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).

(7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).

Condition: The University does not have a comprehensive written information security program addressing all the required minimum elements of the GLBA, although we have noted that the University performs certain procedures to address some of the aforementioned criteria.

Cause: The Office of Information Technology (OIT) is not aware of the GLBA requirements that the University needs to comply with effective June 9, 2023.

Effect: The University has not developed, implemented and maintained a written Information Security Program compliant with federal regulations.

Recommendation: The OIT led by the Chief Information Officer should develop a written Information Security Program as soon as possible to ensure compliance to the federal regulations. Management should review and approve the written Information Security Program annually to ensure that all minimum requirements are met and any changes in regulations are complied with.

Views of Responsible Officials: Management agrees with the finding. See Corrective Action Plan.

Categories

  • Subrecipient Monitoring
  • Special Tests & Provisions

Other Findings in this Audit

  • 565180 2024-001
    Significant Deficiency
  • 565181 2024-001
    Significant Deficiency
  • 565182 2024-001
    Significant Deficiency
  • 565183 2024-001
    Significant Deficiency
  • 565184 2024-001
    Significant Deficiency
  • 565185 2024-002
    Significant Deficiency
  • 565186 2024-002
    Significant Deficiency
  • 565187 2024-002
    Significant Deficiency
  • 565188 2024-002
    Significant Deficiency
  • 565189 2024-002
    Significant Deficiency
  • 565190 2024-003
    Significant Deficiency
  • 565191 2024-003
    Significant Deficiency
  • 565192 2024-003
    Significant Deficiency
  • 565193 2024-003
    Significant Deficiency
  • 565194 2024-003
    Significant Deficiency
  • 565195 2024-004
    Significant Deficiency
  • 565196 2024-005
    Significant Deficiency
  • 565197 2024-005
    Significant Deficiency
  • 565198 2024-005
    Significant Deficiency
  • 565199 2024-005
    Significant Deficiency
  • 565200 2024-005
    Significant Deficiency
  • 565201 2024-006
    Significant Deficiency
  • 565202 2024-006
    Significant Deficiency
  • 565203 2024-006
    Significant Deficiency
  • 565204 2024-006
    Significant Deficiency
  • 565205 2024-006
    Significant Deficiency
  • 1141622 2024-001
    Significant Deficiency
  • 1141623 2024-001
    Significant Deficiency
  • 1141625 2024-001
    Significant Deficiency
  • 1141626 2024-001
    Significant Deficiency
  • 1141627 2024-002
    Significant Deficiency
  • 1141628 2024-002
    Significant Deficiency
  • 1141629 2024-002
    Significant Deficiency
  • 1141630 2024-002
    Significant Deficiency
  • 1141631 2024-002
    Significant Deficiency
  • 1141632 2024-003
    Significant Deficiency
  • 1141633 2024-003
    Significant Deficiency
  • 1141634 2024-003
    Significant Deficiency
  • 1141635 2024-003
    Significant Deficiency
  • 1141636 2024-003
    Significant Deficiency
  • 1141637 2024-004
    Significant Deficiency
  • 1141638 2024-005
    Significant Deficiency
  • 1141639 2024-005
    Significant Deficiency
  • 1141640 2024-005
    Significant Deficiency
  • 1141641 2024-005
    Significant Deficiency
  • 1141642 2024-005
    Significant Deficiency
  • 1141643 2024-006
    Significant Deficiency
  • 1141644 2024-006
    Significant Deficiency
  • 1141645 2024-006
    Significant Deficiency
  • 1141646 2024-006
    Significant Deficiency
  • 1141647 2024-006
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
10.766 Community Facilities Loans and Grants $9.34M
84.063 Federal Pell Grant Program $5.40M
21.029 Coronavirus Capital Projects Fund $4.58M
47.083 Integrative Activities $3.64M
10.203 Payments to Agricultural Experiment Stations Under the Hatch Act $2.53M
84.268 Federal Direct Student Loans $2.44M
11.307 Economic Adjustment Assistance $2.14M
10.511 Smith-Lever Extension Funding $2.11M
84.425 Education Stabilization Fund $2.08M
93.397 Cancer Centers Support Grants $1.62M
59.037 Small Business Development Centers $1.18M
93.307 Minority Health and Health Disparities Research $822,921
11.417 Sea Grant Support $780,178
93.969 PPHF Geriatric Education Centers $684,510
93.632 University Centers for Excellence in Developmental Disabilities Education, Research, and Service $679,316
10.237 From Learning to Leading: Cultivating the Next Generation of Diverse Food and Agriculture Professionals $578,019
15.615 Cooperative Endangered Species Conservation Fund $543,370
84.031 Higher Education Institutional Aid $499,635
15.805 Assistance to State Water Resources Research Institutes $471,111
84.044 TRIO Talent Search $466,675
15.808 U.S. Geological Survey Research and Data Collection $457,882
81.049 Office of Science Financial Assistance Program $444,450
84.047 TRIO Upward Bound $413,017
10.937 Partnerships for Climate-Smart Commodities $409,866
84.033 Federal Work-Study Program $391,131
93.434 Every Student Succeeds Act/Preschool Development Grants $386,383
10.028 Wildlife Services $366,629
11.473 Office for Coastal Management $363,047
12.300 Basic and Applied Scientific Research $353,572
15.820 National and Regional Climate Adaptation Science Centers $344,801
84.042 TRIO Student Support Services $329,349
12.002 Procurement Technical Assistance for Business Firms $328,646
10.025 Plant and Animal Disease, Pest Control, and Animal Care $327,179
10.308 Resident Instruction, Agriculture, and Food Science Facilities and Equipment Grants $288,171
93.612 Native American Programs $277,553
47.050 Geosciences $264,924
93.391 Activities to Support State, Tribal, Local and Territorial (STLT) Health Department Response to Public Health or Healthcare Crises $262,033
10.500 Cooperative Extension Service $229,154
93.251 Early Hearing Detection and Intervention $218,030
93.464 ACL Assistive Technology $180,106
84.032 Federal Family Education Loans $167,680
84.007 Federal Supplemental Educational Opportunity Grants $163,852
93.787 Title V Sexual Risk Avoidance Education Program (Discretionary Grants) $162,369
10.561 State Administrative Matching Grants for the Supplemental Nutrition Assistance Program $155,507
10.514 Expanded Food and Nutrition Education Program $153,643
10.215 Sustainable Agriculture Research and Education $150,878
10.170 Specialty Crop Block Grant Program - Farm Bill $141,748
10.680 Forest Health Protection $140,659
11.463 Habitat Conservation $133,789
93.243 Substance Abuse and Mental Health Services Projects of Regional and National Significance $129,895
43.008 Office of STEM Engagement (OSTEM) $120,496
12.901 Mathematical Sciences Grants $116,358
93.898 Cancer Prevention and Control Programs for State, Territorial and Tribal Organizations $109,102
93.310 Trans-NIH Research Support $108,435
93.314 Early Hearing Detection and Intervention Information System (EHDI-IS) Surveillance Program $107,248
10.652 Forestry Research $105,926
93.433 ACL National Institute on Disability, Independent Living, and Rehabilitation Research $105,105
12.632 Legacy Resource Management Program $102,188
11.482 Coral Reef Conservation Program $98,448
10.310 Agriculture and Food Research Initiative (AFRI) $98,201
94.006 Americorps State and National 94.006 $95,245
15.875 Economic, Social, and Political Development of the Territories $91,906
15.945 Cooperative Research and Training Programs – Resources of the National Park System $82,991
10.912 Environmental Quality Incentives Program $82,937
10.311 Beginning Farmer and Rancher Development Program $82,000
10.202 Cooperative Forestry Research $59,108
66.046 Climate Pollution Reduction Grants $59,036
11.431 Climate and Atmospheric Research $55,013
10.327 Common Bean Productivity Research for Global Food Security Competitive Program $51,556
93.870 Maternal, Infant and Early Childhood Home Visiting Grant $48,268
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $46,206
15.926 American Battlefield Protection $33,177
21.027 Coronavirus State and Local Fiscal Recovery Funds $30,287
47.049 Mathematical and Physical Sciences $28,127
10.950 Agricultural Statistics Reports $27,632
93.945 Assistance Programs for Chronic Disease Prevention and Control $25,297
10.664 Cooperative Forestry Assistance $25,020
42.011 Library of Congress Grants $22,525
47.075 Social, Behavioral, and Economic Sciences $22,413
66.309 Surveys, Studies, Investigations, Training and Special Purpose Activities Relating to Environmental Justice $21,143
11.012 Integrated Ocean Observing System (IOOS) $16,019
10.515 Renewable Resources Extension Act $15,393
47.076 STEM Education (formerly Education and Human Resources) $15,293
10.322 Distance Education Grants for Institutions of Higher Education in Insular Areas $14,049
10.924 Conservation Stewardship Program $8,909
10.328 Food Safety Outreach Program $7,756
10.304 Food and Agriculture Defense Initiative (FADI) $6,522
10.525 Farm and Ranch Stress Assistance Network Competitive Grants Program $6,500
93.048 Special Programs for the Aging, Title IV, and Title II, Discretionary Projects $4,332
45.162 Promotion of the Humanities Teaching and Learning Resources and Curriculum Development $4,000
10.683 National Fish and Wildlife Foundation $3,720
66.716 Research, Development, Monitoring, Public Education, Outreach, Training, Demonstrations, and Studies $3,494
15.605 Sport Fish Restoration $3,009
15.657 Endangered Species Recovery Implementation $824
15.631 Partners for Fish and Wildlife $416
10.329 Crop Protection and Pest Management Competitive Grants Program $414
10.331 Gus Schumacher Nutrition Incentive Program $217