Finding 366598 (2023-001)

Criteria: The University is required to comply with the Gramm-Leach-Bliley Act (GLBA) section 16 CFR 314.4(b). Condition: A GLBA compliance risk assessment was not performed within the last fiscal year. Various vulnerability assessments have been conducted since 2020, however updated GLBA compliance guidance has more specific requirements for what must be performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and external risks to the security, confidentiality, and integrity of student information that addresses the following areas: a. Information systems, including network and software design, as well as information processing, storage, transmission and disposal. b. Detecting, preventing and responding to attacks, intrusions, or other systems failures. c. Documented safeguards for each identified risk. d. Appropriate mitigated risk levels for each identified risk. Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security Program makes a written report to the Board of Trustees on the status of the Information Security Program at least annually. The University's Information Security Program and IT policies has four attributes that were not appropriately documented for GLBA compliance: a. Conduct a periodic inventory of data, noting where its collected, stored, or transmitted. b. Encrypt customer information on the University's system and when it's in transit. c. Assess apps developed by the University. d. Implement multi-factor authentication for anyone accessing customer information on the University's system. Cause: The University did not have controls in place to ensure all GLBA requirements were met. Effect: The University is not in compliance with GLBA requirements. Corrective Actions Taken or Planned: Items that have been resolved: a. Customer data, and backups of customer data, is now encrypted at rest and in transit. b. All users with access to customer data are required to use multi-factor authentication.c. The University password policy has been updated to strengthen passwords and increase minimum length to 12 characters with complexity. The University has also implemented a tool to block the reuse of compromised passwords from the HIBP database. Items to be resolved: a. An update on the University’s information security program draft has been shared with the Board of Trustees and a final report will be issued by February 1, 2024. b. The University has begun an inventory of customer data and systems storing customer data. The University does not have any University developed apps that handle or store customer data (this will be documented in the customer data inventory). This inventory will be completed by April 15, 2024. c. The University is evaluating proposals for an assessment to include a risk assessment and internal and external vulnerability scans. The IT risk assessment is planned to be completed by June 1, 2024. d. Updated GLBA policies, including a disaster recovery policy, will be completed by June 1, 2024 Person Responsible for Implementing Correction Action: Ezra Krumhansl, Chief Financial Officer Implementation Date: Through June 1, 2024