Finding 385023 (2023-006)

Material Weakness
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-03-26
Audit: 298113
Organization: Morris Brown College (GA)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The College is not fully compliant with the Gramm-Leach-Bliley Act (GLBA), risking student information security.
  • Impacted Requirements: Key areas lacking include a written information security program, risk assessments, continuous monitoring, vendor management, incident response, employee training, and board reporting.
  • Recommended Follow-Up: Allocate resources to meet GLBA requirements and consider hiring an external company for compliance assistance.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance
Material Weakness
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, and 84.033
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The College did not sufficiently comply with all the requirements of GLBA.
Criteria: 16 CFR 314.3, 16 CFR 314.4
Questioned Costs: $0
Context: The College has not:
  • completed a written information security program
  • sufficiently documented its security risk assessment and safeguards, including general threats
  • implemented continuous monitoring, such as penetration testing and vulnerability scanning
  • implemented sufficient vendor management policies and reviews
  • sufficiently implemented an incident response plan
  • sufficiently implemented employee training
  • provided a written, annual report to the board
Cause: The College has been searching for an external company to assist with addressing and documenting compliance with the requirements of GLBA.
Effect: The College has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend the College allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance
Planned Corrective Action: The school’s IT firm has taken the following steps to address GLBA Compliance in the following manner.
Element 1: ADB Network Consultants LLC and its Delegated Partners will serve as the Morris Brown College Managed Cybersecurity Service Provider. ADB is responsible for overseeing, implementing and enforcing the institution’s information security program.
Element 2: The risk assessment for MBC’s Cyber Security program is covered within the MBC Cyber-Security-Incident-Response document on pages 8 through 12, which includes Appendix B (Incident Categorization), Appendix C (Incident Impact Definitions and IRT Incident Severity & Response Classification Matrix), and Appendix D (IRT Incident Record Form). The system is designed to provide ongoing and updated Reporting.
Element 3: Access to MBC’s network, data, and email system is permitted only to authorized users. Access is granted by MBC Authorized Personnel and/or IT service providers through the administrative console of the respective environment (Active Directory Domain Controller for network and data access, Microsoft 365 Admin Center for Outlook email access, and MBC Authorized Personnel and/or Security Guards for physical facilities access).
Element 4: MBC Authorized Personnel and IT service providers will test the Cyber Security Incident Response Plan periodically, but at least annually, to monitor the effectiveness of the safeguards it has implemented.
Element 5: MBC’s IT service provider created a Cyber Security Incident Response Plan, which documents who will respond to Cyber Security incidents and how MBC Authorized Personnel and IT service providers will respond.
Element 6: MBC has a 2-year contract with its IT service provider, ADB Network Consultants LLC. The service contract lists and governs the services that the IT service provider and its partners will perform monthly.
Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)). ADB Network Consultants LLC implemented a system that will log the activity of authorized users and prevent unauthorized network access. Email Threat Protection has also been set up.
Person Responsible for Corrective Action Plan: Shermanetta Carter, CFO
Anticipated Date of Completion: June 30, 2024

Categories

  • Subrecipient Monitoring
  • Material Weakness

Other Findings in this Audit

  • 385024 2023-006
    Material Weakness
  • 385025 2023-006
    Material Weakness
  • 385026 2023-006
    Material Weakness
  • 961465 2023-006
    Material Weakness
  • 961466 2023-006
    Material Weakness
  • 961467 2023-006
    Material Weakness
  • 961468 2023-006
    Material Weakness

Programs in Audit

ALN      Program Name                                                                                         Expenditures
84.268   Federal Direct Student Loans                                                                         $1.24M
84.063   Federal Pell Grant Program                                                                           $1.03M
84.007   Federal Supplemental Educational Opportunity Grants                                                  $244,739
93.243   Substance Abuse and Mental Health Services Projects of Regional and National Significance            $168,902
84.033   Federal Work-Study Program                                                                           $119,983
15.932   Preservation of Historic Structures on the Campuses of Historically Black Colleges and Universities (HBCUs)   $95,097
84.425   COVID-19 HEERF-Supplemental Support                                                                  $24,718
21.027   COVID-19 Coronavirus State and Local Fiscal Recovery Funds                                           $20,000