Finding 369311 (2023-003)

Material Weakness

Requirement

Questioned Costs

Year

2023

Accepted

2024-02-15

Audit: 290552

Organization: Cleary University (MI)

Auditor: Capincrouse LLP

AI Summary

Core Issue: The University failed to meet key requirements of the Gramm-Leach-Bliley Act (GLBA), risking student information security.
Impacted Requirements: Lack of documentation for security programs, risk assessments, multi-factor authentication, continuous monitoring, vendor management, and annual reporting.
Recommended Follow-Up: Allocate adequate resources to ensure full compliance with GLBA requirements.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance Material Weakness DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, and 84.033-Student Financial Assistance Cluster Federal Award Identification #: 2022-2023 Financial Aid Year Condition: The University did not sufficiently comply with all the requirements of GLBA. Criteria: 16 CFR 314.3, 16 CFR 314.4 Questioned Costs: $0 Context: The University has not documented each component of GLBA as required. This includes documenting an information security program, documenting the security risk assessment and safeguards, including general threats, implementing multi-factor authentication on all systems containing personally identifiable information (PII), implementing continuous monitoring, such as penetration testing and vulnerability scanning, implementing sufficient vendor management policies and reviews, and providing a written, annual report to the board covering all required areas. Cause: The University has not allocated sufficient resources to address and document compliance with the requirements of GLBA. Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: Not applicable Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance Planned Corrective Action: Cleary understands that GLBA requires universities and other institutions to create controls concerning the handling of data in conformance with best practices in cybersecurity. We realize that it is vital for us to be fully compliant to safeguard our institution's and our students' sensitive information, and we have put in place a robust set of activities and services. The GLBA requires us to implement administrative, technical, and physical safeguards to protect the security and confidentiality of non-public personal information (NPI). Some of these requirements have been addressed in the past fiscal year, and the rest are currently being implemented in this fiscal year. Person Responsible for Corrective Action Plan: Eric Riddering, Director of Information Technology Anticipated Date of Completion: October 2024

Other Findings in this Audit

369312 2023-003

Material Weakness
369313 2023-003

Material Weakness
369314 2023-003

Material Weakness
369315 2023-004

Material Weakness Repeat
369316 2023-004

Material Weakness Repeat
369317 2023-004

Material Weakness Repeat
369318 2023-005

- Repeat
369319 2023-005

- Repeat
945753 2023-003

Material Weakness
945754 2023-003

Material Weakness
945755 2023-003

Material Weakness
945756 2023-003

Material Weakness
945757 2023-004

Material Weakness Repeat
945758 2023-004

Material Weakness Repeat
945759 2023-004

Material Weakness Repeat
945760 2023-005

- Repeat
945761 2023-005

- Repeat

Programs in Audit

ALN	Program Name	Expenditures
84.268	Federal Direct Student Loans	$4.85M
84.063	Federal Pell Grant Program	$1.26M
84.007	Federal Supplemental Educational Opportunity Grants	$68,262
84.033	Federal Work-Study Program	$6,056