Finding 3760 (2023-001)

Significant Deficiency

Requirement

Questioned Costs

Year

2023

Accepted

2023-12-08

Audit: 5944

Organization: Southern Wesleyan University (SC)

Auditor: Capincrouse LLP

AI Summary

Core Issue: The University is not fully compliant with the updated requirements of the Gramm-Leach-Bliley Act (GLBA).
Impacted Requirements: Key areas include the written information security program, security risk assessments, vendor management, incident response plans, and annual reporting to the board.
Recommended Follow-Up: Allocate more resources to ensure compliance with GLBA requirements and implement necessary updates and documentation.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379 - Student Financial Assistance Cluster Federal Award Identification #: 2022-2023 Financial Aid Year Condition: The University did not sufficiently comply with the updated requirements of GLBA. Criteria: 16 CFR 314.3, 16 CFR 314.4 Questioned Costs: $0 Context: The University has not updated its written information security program in light of regulation changes, sufficiently documented its security risk assessment and safeguards, including general threats, implemented sufficient vendor management policies and reviews, implemented an incident response plan, or provided a written, annual report to the board. Cause: The University has not allocated sufficient resources to address and document compliance with the requirements of GLBA due to turnover in the IT department. Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: Not applicable. Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance Planned Corrective Action: In order to remediate cited deficiencies and to bring Southern Wesleyan University into compliance with updated regulation changes to the Gramm-Leach-Bliley Act, the Department of Information Technology will update its written information security program. In addition, the department will also sufficiently document its security risk assessment and safeguards. This documentation will include sufficient information on general threats, the implementation of vendor management policies and reviews, and the implementation of an incident response plan. After all the aforementioned documentation has been compiled, the department will provide a report to the Board at the university's fall 2024 Board of Trustee’s meeting, detailing the measures enacted. Person Responsible for Corrective Action Plan: Warren Dennis, Assistant Director of Information Technology Anticipated Date of Completion: 06/01/2024

Other Findings in this Audit

3761 2023-001

Significant Deficiency
3762 2023-001

Significant Deficiency
3763 2023-001

Significant Deficiency
3764 2023-001

Significant Deficiency
3765 2023-001

Significant Deficiency
580202 2023-001

Significant Deficiency
580203 2023-001

Significant Deficiency
580204 2023-001

Significant Deficiency
580205 2023-001

Significant Deficiency
580206 2023-001

Significant Deficiency
580207 2023-001

Significant Deficiency

Programs in Audit

ALN	Program Name	Expenditures
84.268	Federal Direct Student Loans	$6.99M
84.063	Federal Pell Grant Program	$1.82M
84.031	Higher Education_institutional Aid	$255,409
84.027	Special Education_grants to States	$241,255
84.038	Federal Perkins Loan Program	$176,160
84.116	Fund for the Improvement of Postsecondary Education	$129,292
84.007	Federal Supplemental Educational Opportunity Grants	$104,579
84.033	Federal Work-Study Program	$95,950
84.379	Teacher Education Assistance for College and Higher Education Grants (teach Grants)	$56,580