Finding Text
Program: Federal Direct Student Loans
Assistance Listing Number: 84.268
Federal Agency: U.S. Department of Education
Federal Award Identification Number: P268K236290
Federal Award Year: June 30, 2023
Criteria: In accordance with Title IV regulations (16 CFR 314), an Institution must protect student financial aid information by designating a Qualified Individual responsible for implementing and monitoring the Institution's information security program. In addition, the Institution's information security program must be written and address these six required minimum elements: (1) provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, (2) provides for the design and implementation of safeguards to control the risks the Institution identifies through its risk assessment, (3) provides for the Institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented, (4) provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program, (5) addresses how the Institution will oversee its information system service providers, and (6) provides for the evaluation and adjustment of its information security program in light of the results of the requested testing and monitoring or any other circumstances that it knows or has reason to know may have a material impact on the Institution's information security program.
Condition: The University has not designated a Qualified Individual responsible for implementing and monitoring the University's information security program, nor does the University have a written information security program that addresses the six required minimum elements as required by the Gramm-Leach-Bliley Act (GLBA).
Questioned Costs: Not applicable.
Context: Not applicable.
Effect: Failure to comply with the requirements of the GLBA's standards puts the University at risk of compromising consumers' nonpublic personal information, which could result in penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.
Cause: There was turnover in the Qualified Individual position, which is responsible for implementing and monitoring the University's information security program.
Recommendation: The University should designate a Qualified Individual responsible for implementing and monitoring the University's information security program. Additionally, the University should create and implement an information security program that addresses the six required minimum elements as required by the GLBA.
Management's Response: At the time that we replied to the question, our former Qualified Individual responsible for implementing and monitoring the Institution's information security program had left the organization a month previously. Upon reflecting on the significance of this position, I have elevated this role to a higher priority in the organization and named Darrin Burns, Director of ERP and IT, as Fielding’s Qualified Individual. In collaboration with Darrin and CIO Solutions, our MSP, we will draft the written information security program using the cybersecurity assessment results and recommendations as a starting point. In addition, we will ensure that the final document will include all six required minimum elements per Title IV regulations (16 CFR 314). The expected date of completion is April 1, and implementation will follow immediately afterward.