Finding Text
2025 – 003: Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Title: Student Financial Aid Cluster ALN Numbers: 84.063, 84.033, 84.007, 84.268, 84.038, 93.364 Award Period: July 1, 2024 – June 30, 2025 Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include eight elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Additionally, institutions must conduct penetration testing and vulnerability assessments to ensure the effectiveness of their safeguards. Condition: The University has not implemented key components of the GLBA Safeguards Rule, including maintaining a formal data inventory and performing a periodic risk assessment of information. Questioned costs: None Context: 1. The University has not identified their process in how they identify and manage data, personnel, devices, systems, and facilities within a defined data inventory. 2. The University has not performed a risk assessment within the audit period to assist in the adjustment of their managerial, technical, and operational controls. Cause: The underlying cause of these conditions is the absence of formal data governance practices and a structured, recurring risk assessment process. Effect: As a result of the lack of a defined data inventory and a current risk assessment, the Organization may not effectively identify, assess, or mitigate risks to information, increasing the risk of inadequate safeguards, data compromise, and noncompliance with GLBA requirements. Repeat Finding: Yes Recommendation: We recommend that management establish and document a formal process to identify and maintain an inventory of data, personnel, devices, systems, and facilities that support or process customer information. Additionally, we recommend that management implement a formal, documented risk assessment process that is performed at least annually and updated as needed. Views of responsible officials: There is no disagreement with the audit finding.