Finding 1325 (2023-001)

Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2023-11-07

AI Summary

  • Core Issue: The Seminary is not fully compliant with updated GLBA requirements, particularly in documenting safeguards and vendor policies.
  • Impacted Requirements: Compliance with 16 CFR 314.4 is not fully met, which could expose student information to security risks.
  • Recommended Follow-Up: Complete documentation of all policies and procedures related to safeguards and vendors in the information security program.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance

DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.033, and 84.038 - Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The Seminary did not sufficiently comply with a couple of components of the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $-0-

Context: The Seminary has certain policies in the safeguards and vendor sections of GLBA that have not been fully documented.

Cause: The Seminary made significant progress to address and document compliance with the updated requirements of GLBA and has a few areas left to complete.

Effect: The Seminary may have unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Not applicable.

Recommendation: We commend the Seminary for significant work completed on GLBA. We recommend the Seminary complete documentation of the known policies and procedures related to safeguards and vendors to be included in the information security program.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action: We are thankful for the recognition of the significant work that has been done to comply with GLBA and protect the PII of Fuller's students. In response to these findings, Fuller will, by December of 2023, complete the following documentation of known policies and procedures:

1. Create a monthly calendar of information security that documents the information security activities undertaken each month.
2. Document Fuller's review of vendor SOC reports and contract language.

Person Responsible for Corrective Action Plan: Jeff Harwell, Chief Technology Officer

Anticipated Date of Completion: 12/31/2023

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $9.70M
84.425 | COVID-19 Education Stabilization Fund HEERF - Supplemental Support Under American Rescue Plan | $506,031
84.425 | COVID-19 Education Stabilization Fund HEERF - Institutional Portion | $345,453
84.033 | Federal Work-Study Program | $167,305
84.038 | Federal Perkins Loan Program | $104,502
93.242 | Mental Health Research Grants | $63,564
84.425 | COVID-19 Education Stabilization Fund HEERF - Student Aid Portion | $19,095