Finding Text
Federal agency: Department of Education
Federal program title: Student Financial Aid Cluster
CFDA Numbers: Various
Award Period: July 1, 2022 through June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters)
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are set out at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including: Assess apps developed by the institution. In addition, the written information security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: These GLBA requirements were applicable beginning on June 9, 2023. During our testing, we noted certain components of the GLBA requirements that, although they have been implemented by the University, were not included in the University’s written information security program (WISP). The specific components were identified in requirement B.3, pertaining to the periodic review and implementation of user access controls, encryption controls, the use of multi-factor authentication, and change management policy. Furthermore, we noted that the WISP did not describe the University’s policies for penetration testing or vulnerability scans.
Cause: There was no formal process in place to compare the WISP against all of the new GLBA requirements to ensure compliance.
Effect: The University’s WISP does not include all of the required elements.
Repeat finding: No
Recommendation: We recommend that the College review the updated GLBA requirements and ensure that its WISP includes all required elements. We note that, after June 30, 2023, the University updated the WISP to include all of the required elements.
Views of responsible officials: There is no disagreement with the audit finding.