Finding 1191651 (2025-002)

Material Weakness Repeat Finding
Requirement
N
Questioned Costs
-
Year
2025
Accepted
2026-03-27
Audit: 395499
Organization: Hawaii Pacific University (HI)
Auditor: KMH LLP

AI Summary

  • Core Issue: The University has not fully implemented all required elements of its information security program as mandated by the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Key elements missing include regular testing of safeguards, oversight of service providers, and an incident response plan for maintaining student information on over 5,000 consumers.
  • Recommended Follow-Up: Complete the remaining elements of the information security program, document the implementation process, and conduct periodic internal assessments or consider hiring a third-party consultant for compliance reviews.

Finding Text

Criteria: 16 CFR Part 314 requires the University to implement information safeguard standards prescribed by the Gramm-Leach-Bliley Act (GLBA). GLBA requires institutions and servicers to develop, implement, and maintain a written, comprehensive information security program which contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information. An institution’s written information security program must include the following elements:

  • Element 1: Designates a Qualified Individual responsible for overseeing and implementing the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).
  • Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
  • Element 3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
  • Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
  • Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).
  • Element 6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
  • Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)).
  • Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
  • Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers, addresses the requirement for its Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).

Context: We conducted inquiries with the University’s Information Security Officer to determine whether the University had a written information security program that addressed the elements required by GLBA. Although the University has a designated security officer (i.e. Qualified Individual) and has made progress in developing and implementing the elements of a written information security program, management confirmed that the University did not implement all required elements of the program as prescribed by the GLBA.

Cause: Management indicated that there was a lack of awareness regarding the requirement to establish an information security program that addressed the required elements.
Effect: The University was not in compliance with the GLBA requirement, which could result in administrative action by the Department of Education and may impact the University’s participation in Title IV programs.

Questioned Costs: None

Identification of repeat finding: This is a repeat finding. See prior year finding 2024-002.

Recommendations: We recommend that the University put in place all remaining unimplemented elements in order to complete the University’s written, comprehensive information security plan prescribed by GLBA. The University should develop and retain documentation supporting the completion and implementation of each of the required elements. Once completed, the University should conduct periodic internal assessments of the Information Security Program’s compliance or consider engaging a third-party consultant to conduct such a review.

Views of responsible officials: The University has made substantial progress toward completing the remaining elements required under the Gramm-Leach-Bliley Act (GLBA) and aligning its program with the FTC Safeguards Rule. Full implementation timelines are primarily constrained by current staffing capacity within ITS/Cybersecurity and Legal, as well as certain technical tool limitations (e.g., data discovery and validation). Despite these constraints, notable progress has been achieved across the required FTC Safeguards Program elements as summarized below:

  • Element 1 – Designate a Qualified Individual: Completed. Qualified individual appointed to implement and supervise the company’s information security program; reporting mechanisms to the Board established. Completion is confirmed based on oversight and execution of subsequent program elements.
  • Element 2 – Conduct a Risk Assessment: Completed. Initial risk assessment conducted to identify reasonably foreseeable threats; controls and priorities for Elements 3–9 are being guided by this assessment.
  • Element 3 – Access Controls & Data Classification: 70% complete. Policies finalized; multi-factor authentication (MFA) implemented; initial asset inventory completed. Data owner assignments and detailed access reviews are in progress.
  • Element 4 – Vulnerability Management: Complete. Latest penetration testing identified no critical findings.
  • Element 5 – Information Security Policies: Drafted and pending Legal review; Board acceptance scheduled for March 2026.
  • Element 6 – Third-Party Oversight: 70% complete. Policy and workflow developed. Board acceptance scheduled for March 2026.
  • Element 7 – Periodic Risk Assessments: 80% complete. Updated risk assessment currently in progress.
  • Element 8 – Incident Response Plan: 90% complete. Final reporting and approval scheduled for March 2026.
  • Element 9 – Qualified Individual & Board Reporting: 90% complete. Annual report scheduled for March 2026.
  • Red Flags Rule (Identity Theft Prevention): 50% complete. Policy drafted; a complete comprehensive program, formal procedures and additional training are still required.

Remaining actions will be completed as Legal and Board approvals are obtained and staffing capacity allows. HPU will continue to develop and retain documentation supporting the completion and implementation of each safeguard element, as prescribed by GLBA. Periodic internal assessments of the Information Security Program will be scheduled following full implementation, with consideration given to engaging an independent third party for future reviews.

Corrective Action Plan

The University has made substantial progress toward completing the remaining elements required under the Gramm-Leach-Bliley Act (GLBA) and aligning its program with the FTC Safeguards Rule. Full implementation timelines are primarily constrained by current staffing capacity within ITS/Cybersecurity and Legal, as well as certain technical tool limitations (e.g., data discovery and validation). Despite these constraints, notable progress has been achieved across the required FTC Safeguards Program elements as summarized below:

  • Element 1 – Designate a Qualified Individual: Completed. Qualified individual appointed to implement and supervise the company’s information security program; reporting mechanisms to the Board established. Completion is confirmed based on oversight and execution of subsequent program elements.
  • Element 2 – Conduct a Risk Assessment: Completed. Initial risk assessment conducted to identify reasonably foreseeable threats; controls and priorities for Elements 3–9 are being guided by this assessment.
  • Element 3 – Access Controls & Data Classification: 70% complete. Policies finalized; multi-factor authentication (MFA) implemented; initial asset inventory completed. Data owner assignments and detailed access reviews are in progress.
  • Element 4 – Vulnerability Management: Complete. Latest penetration testing identified no critical findings.
  • Element 5 – Information Security Policies: Drafted and pending Legal review; Board acceptance scheduled for March 2026.
  • Element 6 – Third-Party Oversight: 70% complete. Policy and workflow developed; Board acceptance scheduled for March 2026.
  • Element 7 – Periodic Risk Assessments: 80% complete. Updated risk assessment currently in progress.
  • Element 8 – Incident Response Plan: 90% complete. Final reporting and approval scheduled for March 2026.
  • Element 9 – Qualified Individual & Board Reporting: 90% complete. Annual report scheduled for March 2026.
  • Red Flags Rule (Identity Theft Prevention): 50% complete. Policy drafted; a complete comprehensive program, formal procedures and additional training are still required.

Next Steps: Remaining actions will be completed as Legal and Board approvals are obtained and staffing capacity allows. HPU will continue to develop and retain documentation supporting the completion and implementation of each safeguard element, as prescribed by GLBA. Periodic internal assessments of the Information Security Program will be scheduled following full implementation, with consideration given to engaging an independent third party for future reviews.

Person(s) Responsible: Information Security Officer; Vice President of Operations and Chief Information Officer.

Targeted Correction Date: March 31, 2026.

Categories

Subrecipient Monitoring Student Financial Aid Reporting

Other Findings in this Audit

  • 1191633 2025-002
    Material Weakness Repeat
  • 1191634 2025-003
    Material Weakness Repeat
  • 1191635 2025-004
    Material Weakness Repeat
  • 1191636 2025-002
    Material Weakness Repeat
  • 1191637 2025-003
    Material Weakness Repeat
  • 1191638 2025-004
    Material Weakness Repeat
  • 1191639 2025-002
    Material Weakness Repeat
  • 1191640 2025-003
    Material Weakness Repeat
  • 1191641 2025-004
    Material Weakness Repeat
  • 1191642 2025-002
    Material Weakness Repeat
  • 1191643 2025-003
    Material Weakness Repeat
  • 1191644 2025-004
    Material Weakness Repeat
  • 1191645 2025-002
    Material Weakness Repeat
  • 1191646 2025-003
    Material Weakness Repeat
  • 1191647 2025-004
    Material Weakness Repeat
  • 1191648 2025-002
    Material Weakness Repeat
  • 1191649 2025-003
    Material Weakness Repeat
  • 1191650 2025-004
    Material Weakness Repeat
  • 1191652 2025-003
    Material Weakness Repeat
  • 1191653 2025-004
    Material Weakness Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 FEDERAL DIRECT STUDENT LOANS $50.47M
84.063 FEDERAL PELL GRANT PROGRAM $5.18M
11.417 SEA GRANT SUPPORT $1.12M
84.031 HIGHER EDUCATION INSTITUTIONAL AID $951,650
20.200 HIGHWAY RESEARCH AND DEVELOPMENT PROGRAM $616,339
10.237 FROM LEARNING TO LEADING: CULTIVATING THE NEXT GENERATION OF DIVERSE FOOD AND AGRICULTURE PROFESSIONALS $429,973
93.364 NURSING STUDENT LOANS $421,135
84.033 FEDERAL WORK-STUDY PROGRAM $381,152
84.038 FEDERAL PERKINS LOAN PROGRAM_FEDERAL CAPITAL CONTRIBUTIONS $305,820
84.007 FEDERAL SUPPLEMENTAL EDUCATIONAL OPPORTUNITY GRANTS $297,712
93.264 NURSE FACULTY LOAN PROGRAM (NFLP) $229,197
93.847 DIABETES, DIGESTIVE, AND KIDNEY DISEASES EXTRAMURAL RESEARCH $150,259
11.609 MEASUREMENT AND ENGINEERING RESEARCH AND STANDARDS $136,476
11.999 MARINE DEBRIS PROGRAM $103,583
11.620 SCIENCE, TECHNOLOGY, BUSINESS AND/OR EDUCATION OUTREACH $99,264
84.325 SPECIAL EDUCATION - PERSONNEL DEVELOPMENT TO IMPROVE SERVICES AND RESULTS FOR CHILDREN WITH DISABILITIES $79,002
93.853 EXTRAMURAL RESEARCH PROGRAMS IN THE NEUROSCIENCES AND NEUROLOGICAL DISORDERS $73,265
47.084 NSF TECHNOLOGY, INNOVATION, AND PARTNERSHIPS $68,919
93.310 TRANS-NIH RESEARCH SUPPORT $61,791
19.501 PUBLIC DIPLOMACY PROGRAMS FOR AFGHANISTAN AND PAKISTAN $61,722
11.454 UNALLIED MANAGEMENT PROJECTS $40,339
93.213 RESEARCH AND TRAINING IN COMPLEMENTARY AND INTEGRATIVE HEALTH $38,610
47.050 GEOSCIENCES $36,640
11.427 FISHERIES DEVELOPMENT AND UTILIZATION RESEARCH AND DEVELOPMENT GRANTS AND COOPERATIVE AGREEMENTS PROGRAM $32,208
47.076 STEM EDUCATION (FORMERLY EDUCATION AND HUMAN RESOURCES) $22,179
10.200 GRANTS FOR AGRICULTURAL RESEARCH, SPECIAL RESEARCH GRANTS $20,459
93.859 BIOMEDICAL RESEARCH AND RESEARCH TRAINING $12,033
93.279 DRUG USE AND ADDICTION RESEARCH PROGRAMS $1,505