Finding Text
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379 - Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not sufficiently comply with the updated requirements of GLBA.
Criteria: 16 CFR 314.4
Questioned Costs: $-0-
Context: The University has not implemented multi-factor authentication on all systems containing personally identifiable information (PII); implemented continuous monitoring, or once-a-year penetration testing and twice-a-year vulnerability scanning; implemented sufficient vendor management policies and reviews; or provided a written, annual report to the board.
Cause: The University has been in the process of addressing and documenting compliance with the requirements of GLBA. As this work has progressed over the last couple of years, the standards were updated, and the University has incorporated those updates into its roadmap for security.
Effect: The University has not adequately addressed the updated requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA. We commend the University for the work completed on GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.