Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007, 84.033, 84.038, 84.063, 84.268
Federal Award Identification Number and Year: P007A224513-2023; P033A224513-2023; P268K232439-2023; P063P222439-2023; P379T232439-2023
Award Period: March 25, 2022 to August 31, 2028 (84.077, 84.033, 84.063)
January 1, 2022 to July 29, 2044 (84.268)
January 1, 2022 to September 30, 2043 (84.379)
Type of Finding:
Significant Deficiency in Internal Control over Compliance
Other Matters
Criteria or specific requirement: Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
Implement and periodically review access controls.
Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
Encrypt customer information on the institution’s system and when it’s in transit.
Assess apps developed by the institution.
Implement multi-factor authentication for anyone accessing customer information on the institution’s system.
Dispose of customer information securely.
Anticipate and evaluate changes to the information system or network.
Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
Condition: The University's 'Information Security Plan' does not include the required elements of the assessment of applications developed by the institution as included in the stated criteria.
Questioned costs: There are no questioned costs.
Context: The University does not have the required element included in the stated criteria.
Cause: The University is in the process of developing a policy for internally developed applications but has not completed the policy as of the end of the fiscal year under audit.
Effect: There is a risk that the University may not follow the policy for internally developed applications to ensure the security related to the maintenance and transmission of sensitive information.
Repeat Finding: No
Recommendation: We recommend that the University work to formally document the policy as a part of the University's 'Information Security Plan' as included in the stated criteria.
Views of responsible officials: There is no disagreement with the audit finding.