Finding Text
2023–001 GLBA Risk Assessment Requirements
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.007, 84.033, 84.063, 84.268
Federal Award Identification Number and Year: P007A234487-2023, P268K242432-2023, P063P222432-2023, P033A224487-2023
Award Period: August 1, 2022 to July 31, 2023
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA), as implemented by the FTC Safeguards Rule (16 CFR part 314), requires the institution to design and implement safeguards to control the risks it identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution's written information security program must address the implementation of the safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards are summarized as follows:
• Implement and periodically review access controls.
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
• Encrypt customer information at rest on the institution's systems and in transit.
• Assess the security of applications developed by the institution.
• Implement multi-factor authentication for any individual accessing customer information on the institution's systems.
• Dispose of customer information securely.
• Anticipate and evaluate changes to the information system or network.
• Maintain a log of authorized users' activity and monitor for unauthorized access.
In addition to the safeguards above, the Safeguards Rule requires that the institution's written information security program:
• Provide for regular testing or other monitoring of the effectiveness of the safeguards the institution has implemented (16 CFR 314.4(d)).
• Provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)).
• Address how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provide for the evaluation and adjustment of the information security program in light of the results of the required testing and monitoring; any material changes to the institution's operations or business arrangements; the results of the required risk assessments; or any other circumstances that the institution knows or has reason to know may have a material impact on its information security program (16 CFR 314.4(g)).
Condition: Upon review of the University's GLBA policies and procedures, it was noted that the University did not include the following components required by the stated criteria:
• Multi-factor authentication for individuals accessing customer information (16 CFR 314.4(c)(5)),
• Oversight of information system service providers, including vendor due diligence, as part of the security program (16 CFR 314.4(f)).
Questioned costs: None noted.
Context: The noncompliance with the stated criteria was identified in conjunction with our review of the GLBA policies and procedures manual and related supporting documentation.
Cause: The University did not address multi-factor authentication or service provider oversight, including vendor due diligence, in its GLBA policy and procedures manual and related supporting documentation.
Effect: The University does not comply with certain requirements of the GLBA, as noted in the condition, which governs the treatment of nonpublic personal information about consumers.
Repeat Finding: No
Recommendation: We recommend that the University update its GLBA policy and procedures manual and related supporting documentation to address multi-factor authentication and service provider oversight, including vendor due diligence, so that the program complies with the stated criteria.
Views of responsible officials: There is no disagreement with the audit finding.