Finding Text
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, and 84.038-Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not sufficiently comply with the updated requirements of GLBA.
Criteria: 16 CFR 314.3, 16 CFR 314.4
Questioned Costs: $-0-
Context: The University has not fully updated its written information security program and security risk assessment and safeguards, including multi-factor authentication on all systems containing personally identifiable information (PII) in light of the revised regulations. Additionally, the University has not fully implemented continuous monitoring, such as penetration testing and vulnerability scanning, implemented sufficient employee and information security staff training, implemented sufficient vendor management policies and reviews, or provided a written, annual report to the board covering all required areas.
Cause: The University has not allocated sufficient resources to address and document compliance with the requirements of GLBA.
Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Yes, 2022-002
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.