Finding Text
Student Financial Aid Cluster
U.S. Department of Education
Federal Direct Student Loans 84.268, Federal Work-Study Program 84.033, Federal
Pell Grant Program 84.063, Federal Supplemental Educational Opportunities Grant
84.007, Teacher Education Assistance for College and Higher Education Grants 84.379
Award Year - Academic year 2022-2023
Criteria or Specific Requirement - The Gramm-Leach-Bliley Act (Pub. L. 106-102) requires financial
institutions to explain their information-sharing to their customers and to safeguard sensitive data (16 CFR
314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV
Educational Assistance Program as "financial institutions" and subject to the Gramm-Leach-Bliley Act
because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)).
Under 16 CFR 314, institutions are required to develop, implement and maintain a comprehensive information
security program that addresses the implementation of eight minimum safeguards.
Condition - The University does not have a written information security program that addresses the
minimum safeguards identified in 16 CFR 314.4(c)(1) through (8).
Questioned Costs - None noted.
Context - Through inquiry of management and review of information policies published on the University's
website it was determined the eight requirements were not all included in a comprehensive policy.
Effect - The University was not in compliance with the Gramm-Leach-Bliley Act.
Cause - The University's policy was not finalized.
Identification as a repeat finding, if applicable - Not applicable.
Recommendation - We recommend management take the necessary steps to finalize a written information
security policy that at a minimum includes the eight safeguards within 16 CFR 314.
View of Responsible Official and Planned Corrective Actions - Management agrees with the stated
finding and has implemented a corrective action plan.