Finding 33520 (2022-002)

Significant Deficiency, Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2023-01-30
Audit: 35847
Organization: Simpson University (CO)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The University is not fully compliant with the Gramm-Leach-Bliley Act (GLBA), risking student information security.
  • Impacted Requirements: Key GLBA requirements under 16 CFR 314.3 and 16 CFR 314.4 have not been met due to lack of documentation.
  • Recommended Follow-Up: Allocate necessary resources to ensure compliance with GLBA and implement the corrective action plan.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance
Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, and 84.038 - Student Financial Assistance Cluster
Federal Award Identification #: 2021-2022 Financial Aid Year
Condition: The University did not sufficiently comply with all the requirements of GLBA.
Criteria: 16 CFR 314.3, 16 CFR 314.4
Questioned Costs: $-0-
Context: The University has not documented its security assessment.
Cause: COVID-19, turnover in staffing.
Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: 2021-002
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act Compliance
Planned Corrective Action: The Director of Information Technology is in the process of creating the necessary security policies to further Simpson University's compliance with the consumer financial information rule of the Gramm-Leach-Bliley Act. Completion of this project has a planned finalization date of 6/1/2023. The following security measures have been implemented since the audit findings of 2021.
  • Established a Zero Trust access control strategy
  • Created an Incident Response Policy and Cyber Security Plan
  • IT and HR departments have developed training materials and schedules for all employees pertaining to cyber security policies
  • Deployed encryption at-rest and immutable backups
  • Enforced Multi-factor authentication
  • Installed next-generation endpoint protection software: CrowdStrike Falcon Complete
  • Drafted a Written Information Security Program (WISP)
Person Responsible for Corrective Action Plan: Ryan Opfer, IT Director
Anticipated Date of Completion: 4/30/2024

Categories

Significant Deficiency

Other Findings in this Audit

  • 33521 2022-002
    Significant Deficiency Repeat
  • 33522 2022-002
    Significant Deficiency Repeat
  • 33523 2022-002
    Significant Deficiency Repeat
  • 33524 2022-002
    Significant Deficiency Repeat
  • 33525 2022-003
    Significant Deficiency Repeat
  • 33526 2022-003
    Significant Deficiency Repeat
  • 38581 2022-004
    -
  • 609962 2022-002
    Significant Deficiency Repeat
  • 609963 2022-002
    Significant Deficiency Repeat
  • 609964 2022-002
    Significant Deficiency Repeat
  • 609965 2022-002
    Significant Deficiency Repeat
  • 609966 2022-002
    Significant Deficiency Repeat
  • 609967 2022-003
    Significant Deficiency Repeat
  • 609968 2022-003
    Significant Deficiency Repeat
  • 615023 2022-004
    -

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $6.12M
84.063 | Federal Pell Grant Program | $1.79M
84.425 | COVID-19 Education Stabilization Fund HEERF - Student Aid Portion | $1.55M
84.425 | COVID-19 Education Stabilization Fund HEERF - Institutional Portion | $1.18M
84.334 | Gaining Early Awareness and Readiness for Undergraduate Programs | $544,688
84.047 | TRIO_Upward Bound - Dunsmuir | $350,224
84.047 | TRIO_Upward Bound - West Valley | $338,451
84.047 | TRIO_Upward Bound - Anderson | $299,684
84.042 | TRIO_Student Support Services | $283,383
84.047 | TRIO_Upward Bound - Mount Shasta | $279,061
84.038 | Federal Perkins Loan Program | $246,482
84.007 | Federal Supplemental Educational Opportunity Grants | $85,098
84.033 | Federal Work-Study Program | $78,587