Finding Text
Federal Agency: Department of Education
Federal Program Title: Student Financial Assistance Cluster
Federal Assistance Listing Number: Various
Federal Award Identification Number and Year: N/A
Pass-Through Agency: N/A
Pass-Through Number: N/A
Award Period: June 1, 2024 – May 31, 2025
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters

Criteria or Specific Requirement: The Code of Federal Regulations, 16 CFR 314.4(a), states that the first element an institution's written information security program must address is the designation of an individual with responsibility for implementing and enforcing the institution's written information security program. The regulations refer to this individual as the Qualified Individual. An institution that has not designated a Qualified Individual is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution's information security program. The regulations also permit an institution to use a service provider as the Qualified Individual. In that case, the institution must:
• Retain responsibility for compliance with GLBA;
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).

The Code of Federal Regulations, 16 CFR 314.4(g), states that an institution must evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution's information security program.

Condition: During our testing, we noted that the University does not have a designated WISP compliance officer or Qualified Individual. We also noted that Bethel has not reviewed or updated any GLBA policies since 2023.

Questioned Costs: N/A

Context: During our testing, it was noted that the University did not address the designated WISP compliance officer requirement. The University did not have adequate processes in place to ensure that GLBA safeguards were being followed and operating effectively.

Cause: The University's processes and controls did not ensure that GLBA safeguards were effective and operating properly.

Effect: The University did not comply with GLBA safeguard rules by failing to have a WISP officer or Qualified Individual in place. The University also did not comply with GLBA safeguard rules by not reviewing or updating GLBA policies since 2023.

Repeat Finding: No

Recommendation: CLA recommends reviewing and updating key IT and financially relevant organization-wide policies and procedures on an annual basis. CLA also recommends that the Organization review the institution's written information security program and ensure that a Qualified Individual (e.g., CIO, CISO, ISO) has been identified to enforce and monitor GLBA compliance.

Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.