Finding 19878 (2022-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2022-10-31

AI Summary

  • Core Issue: The University failed to adequately protect customer information, leading to a cyber security incident.
  • Impacted Requirements: Compliance with 16 CFR 314.3, which mandates a robust information security program to safeguard customer data.
  • Recommended Follow-Up: Enhance network security controls to prevent future incidents and ensure customer information remains secure.

Finding Text

Identification of the Federal Program - Student Financial Aid Cluster - Assistance Listing Nos. 84.007, 84.033, 84.038, 84.063, and 84.268.

Criteria - 16 CFR 314.3, Standards for Safeguarding Customer Information, requires that the University develop, implement, and maintain a comprehensive information security program that insures the security and confidentiality of customer information; protects against any anticipated threats or hazards to the security or integrity of such information; and protects against unauthorized access to or use of such information that could result in substantial hardship or inconvenience to any customer.

Condition - Controls were not sufficient to ensure protection of customer information.

Effect - The University experienced a cyber security incident where customer information was potentially compromised.

Cause - Information technology controls were not adequate to prevent a cyber security incident.

Recommendation - The University should continue its efforts to improve controls related to network security to ensure protection of customer information.

Views of Responsible Officials - Management agrees with the finding. As required, the University notified the Department of Education's Office of Federal Student Aid (FSA) of the incident via the online portal notification on April 23, 2022. The FSA provided notice to the University on June 9, 2022 that it had reviewed the information, provided responses, and closed the incident.

Corrective Action Plan

The University takes a firm stance on ensuring that student data, and any other data in its possession, is secure and that the overall network infrastructure in place to protect that data is following identified best practices for security. To the best of our knowledge, we believed that the controls in place were effective to prevent potential data loss. Following the cyber security incident, we responded aggressively to add further controls and security measures, including an endpoint detection and response (EDR) software application at both the server and individual workstation level. The EDR application will immediately lock the workstation or server down if suspicious activity is detected. We have also engaged the services of an independent information technology security company to review our current network configurations and processes, and we will work to develop a plan to respond to any recommendations this review may provide to further enhance our network security. The University requires its employees to participate in cybersecurity training and ongoing phishing tests, and we will continue this best practice. Finally, the individuals responsible for oversight of the information security program will continue to participate in training programs specifically geared toward cybersecurity and industry best practices for data security. As required, the University notified the Department of Education's Office of Federal Student Aid (FSA) of the incident via the online portal notification on April 23, 2022. The FSA provided notice to the University on June 9, 2022 that it had reviewed the information and responses provided and closed the incident.

Other Findings in this Audit

  • 19879 2022-001
    Significant Deficiency
  • 19880 2022-001
    Significant Deficiency
  • 19881 2022-001
    Significant Deficiency
  • 19882 2022-001
    Significant Deficiency
  • 596320 2022-001
    Significant Deficiency
  • 596321 2022-001
    Significant Deficiency
  • 596322 2022-001
    Significant Deficiency
  • 596323 2022-001
    Significant Deficiency
  • 596324 2022-001
    Significant Deficiency

Programs in Audit

ALN     Program Name                                          Expenditures
84.268  Federal Direct Student Loans                          $30.28M
84.063  Federal Pell Grant Program                            $4.62M
84.425  Education Stabilization Fund                          $3.97M
21.019  Coronavirus Relief Fund                               $1.92M
84.007  Federal Supplemental Educational Opportunity Grants   $337,619
84.033  Federal Work-Study Program                            $270,155
84.382  Strengthening Minority-Serving Institutions           $165,236
84.038  Federal Perkins Loan Program                          $158,948
84.031  Higher Education_institutional Aid                    $78,893
10.558  Child and Adult Care Food Program                     $21,891