Gramm-Leach-Bliley Act (GLBA) Compliance
Planned Corrective Action:
Multi-Factor Authentication: The University’s Compliance Committee, led by the Chief Financial Officer, now requires that Multi-Factor Authentication (MFA) be turned on for all MFA-capable software systems that house Sensitive Personally Identifiable Information of students. The Committee will implement policies to ensure that all users who access those systems are required to use Multi-Factor Authentication. Any legacy systems without MFA will be retired.
Information System Monitoring/Testing: In June of 2023, the University entered into a contract with an outside Managed IT Services provider. This third-party vendor provides the following services:
• Firewall to protect network perimeter.
• Security updates and critical patches.
• Alerts to inform about issues on all endpoints.
• Defense agents that scan and monitor external devices.
• Agents to actively monitor web traffic and block malicious links.
• Tools used for internal and external vulnerability scans.
• Alerts to monitor for any malicious activity or events of potential compromise.
• Other advanced threat protection.
The University's Compliance Committee will assess the effectiveness of the existing continuous monitoring procedures and ascertain whether further vulnerability assessments and penetration testing are necessary to meet the stipulated criteria within Title 16, Chapter I, Subchapter C, Part 314 of the Federal Trade Commission regulations. The Compliance Committee will collaborate with additional IT Security Professionals as deemed necessary and ensure that the University is in compliance with the regulations.
Person Responsible for Corrective Action Plan: David Entler, Chief Financial Officer
Anticipated Date of Completion: January 31, 2024