Finding Text
Federal Program Information: Gramm-Leach-Bliley Act – Student Information Security
Criteria or Specific Requirement: Special Tests and Provisions – Gramm-Leach-Bliley Act – Student Information Security - The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). On December 9, 2021, the Federal Trade Commission (FTC) issued final regulations for 16 CFR Part 314 to implement the GLBA information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet.
Condition: The University did not fully comply with 1 out of the 9 elements included in the FTC’s regulations.
Cause: Lack of administrative oversight with respect to the new GLBA requirements.
Effect or Potential Effect: The penetration and vulnerability assessments were not completed as of June 30, 2023.
Questioned Costs: None.
Context: The penetration and vulnerability assessments were not completed as of June 30, 2023.
Identification as a Repeat Finding: There was no similar finding in the prior year.
Recommendation: We recommend that the University annually review the GLBA requirements for updates on a timely basis and implement the requirements before the due date.
Views of Responsible Officials: The University has executed an agreement with a vendor to perform penetration and vulnerability assessments, which are expected to be completed by June 30, 2024.