Finding Text
Finding 2024-008 - Material Weakness: Special Tests and Provisions - Compliance and Control Finding
Student Financial Aid Cluster
Federal Agency: U.S. Department of Education
Federal Award Number: 84.007, 84.033, 84.063, 84.379 and 84.268
Pass-Through Entity: None
Criteria Or Specific Requirement: The Federal Trade Commission (FTC) published the amended FTC Safeguards Rule on December 9, 2021, and gave notice to entities subject to the Gramm-Leach-Bliley Act (GLBA) that they must comply with the revised requirements no later than June 9, 2023. The amended Safeguards Rule expanded the requirements for the Written Information Security Program (WISP) that the University must establish. Under 16 CFR 314.4, the University must designate a Qualified Individual responsible for overseeing and implementing its information security program, base that program on a written risk assessment that identifies reasonably foreseeable internal and external risks and establishes safeguards to address them, and document the following eight safeguards:
• Implement and periodically review access controls
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted
• Encrypt customer information at rest on the institution’s systems and in transit
• Adopt secure development practices for applications the institution develops in-house, and assess the security of externally developed applications it uses
• Require multi-factor authentication for anyone accessing customer information on the institution’s systems
• Dispose of customer information securely, by default no later than two years after it was last used for the customer, unless retention is required for business or legal reasons
• Anticipate and evaluate changes to the information system or network
• Log the activity of authorized users and monitor for unauthorized access
In addition, the University is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented and for describing in the WISP how it will carry out that testing and monitoring; 16 CFR 314.4(d) permits either continuous monitoring or annual penetration testing together with vulnerability assessments at least every six months and whenever material changes occur. The University is also responsible for documenting in the WISP how it will oversee its information system service providers, and must evaluate and adjust its information security program in light of the results of the required testing and monitoring; the results of the required risk assessments; any material changes to the University’s operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on the University’s information security program.
Condition: The University’s information security program does not comply with the FTC Safeguards Rule requirements described above.
Cause: Controls over compliance established by management were not operating effectively with respect to these compliance requirements.
Effect: Failure to meet the requirements of the FTC Safeguards Rule exposes the University to cybersecurity risk and to the unauthorized access, loss, or disclosure of student data.
Questioned Costs: Not applicable.
Context: We inquired of University personnel regarding GLBA compliance and noted the following:
• There is currently no written information security program in place.
• The University has not conducted risk assessments specifically addressing risks related to student data.
• The University relies on third-party cloud providers to protect student data. Those providers encrypt student data stored on their platforms; however, the University does not encrypt data on its local servers or endpoints, and it has no established encryption policy.
• There are no documented policies governing physical or logical access controls.
• Account management practices are informal, with no formal processes or policies in place.
• Multi-factor authentication is not required for access to student data, except for email, and no compensating controls have been implemented.
• A written data retention policy has not been established.
• There is no formal change management process or policy currently in place.
• There are no formal policies or requirements for security training for University personnel.
Identification As A Repeat Finding: Not applicable.
Recommendation: We recommend that the University adopt and implement a WISP that meets the requirements of 16 CFR 314.4, conduct a risk assessment that addresses student data, and document the practices it currently follows informally, so that it can demonstrate compliance.
Views Of Responsible Officials: Harris-Stowe State University acknowledges the audit finding regarding noncompliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule. In response, the University has collaborated with Omega Technical Solutions and iLeap Group to execute a comprehensive cybersecurity compliance and modernization initiative. As of the audit period close, over 90% of related deficiencies have been remediated.
Specific corrective actions taken or underway include:
1. Written Information Security Program (WISP): A formal WISP has been developed and implemented. It outlines oversight structures, risk management strategies, testing protocols, and required safeguards in alignment with 16 CFR 314.4.
2. Risk Assessment: A comprehensive risk scorecard was created. All Active Directory accounts were reviewed and flagged for deactivation or role reassignment as appropriate.
3. Access and Encryption Controls: Encryption is now deployed across all active endpoints. Logical access control and encryption policies have been adopted and published. Multi-factor authentication (MFA) is enforced for all systems handling student data.
4. Account Management and Role-Based Access: RBAC policies have been established and account provisioning is now formally documented and managed.
5. Retention, Change Management, and Training: A written data retention policy and formal change management procedures are now in place. An onboarding cybersecurity training program has been developed, with full implementation scheduled by August 31, 2025.
6. Legacy Server Risk Mitigation: One legacy Microsoft 2008 server has failed and has been decommissioned. The remaining server is isolated, monitored with NIST- and Microsoft Sentinel-aligned tools, and pending full replacement as part of the upcoming infrastructure upgrade.
7. Ongoing Monitoring and Vendor Oversight: TCPM-aligned monitoring practices and vendor oversight protocols are now active and included in the WISP framework.
The University’s IT Security SharePoint site houses all related documentation and is structured to support transparency, audit readiness, and continued compliance oversight.