Finding 2023-002 Sept. 27, 2023
Criteria: The College is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including a written information security program policy that addresses the six required minimum safeguard elements identified within 16 Code of Federal Regulations (CFR) 314.4 (b).
Statement of Condition: A formal written policy was not completed and documented in fiscal 2023 which would have addressed the required written policy noted in 16 CFR 314.4 (b).
Corrective Action Plan:
• The College agrees and concurs with the audit finding.
• The College is working with a cybersecurity partner, OculusIT (OculusIT.com) to assist us with GLBA compliance and cybersecurity hardening of the college’s IT infrastructure. OculusIT will assist us in preparing the required documentation that addresses risk assessment of all three areas noted in the finding. Many elements of GLBA compliance have already been put in place as elaborated below.
• Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). Vince Vargiya is the College’s designated qualified individual.
• Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)). OculusIT will undertake a GLBA risk assessment covering the following areas of the College:
o Senior Management
o IT Security
o Admissions
o Registrar Office
o Financial Aid Office
o HR and Payroll
o Student Financial Services
o Library
Work on completing pre-audit questionnaires for each area is in progress.
• Regarding a written information security policy that addresses the minimum safeguard requirements, see below.
• Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows:
o Implement and periodically review access controls. We regularly review access controls to systems containing financial data. Our formal policy will document this.
o Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. We maintain a server inventory, noting which sites contain financial information. Our formal policy will document this.
o Encrypt customer information on the institution’s system and when it’s in transit. Our server data is encrypted using standard SQL Transparent Data Encryption (TDE). All data transmitted to off-campus partners uses the SFTP protocol. Our formal policy will document this.
o Assess apps developed by the institution. The College’s enterprise apps are commercially sourced, updated using vendor supplied processes per annual support contracts, and not developed in-house. Our formal policy will document this.
o Implement multi-factor authentication for anyone accessing customer information on the institution’s system. All users who access Jenzabar (SIS, Financials) and PowerFaids (Financial Aid) must use DUO MFA. RaisersEdge (Advancement/Donor Management) employs text or email MFA. All email accounts are secured with Google 2-step authentication. Our formal policy will document this.
o Dispose of customer information securely. When server hardware is decommissioned, the data drives are physically smashed. When leased endpoint systems are returned to the leasing company, their hard drives are wiped using standard software. Our formal policy will document this.
o Anticipate and evaluate changes to the information system or network. We meet regularly with OculusIT to discuss changes to the network. Our endpoints are monitored for malware via a managed detection and response system. Our servers and network switches are monitored 24/7 by the Oculus SOC, and unusual events are flagged and presented to us for analysis. Our formal policy will document this.
o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. Our formal policy will document this.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). We have implemented a SIEM server which monitors server and network access and activity and is monitored by the OculusIT SOC. We receive weekly reports on any server vulnerabilities. We actively work to remediate identified vulnerabilities. We have implemented annual penetration testing, and have completed testing for 2023. We have remediated identified penetration issues. Our formal policy will document this.
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). We require semi-annual security awareness training and monthly phishing testing through KnowBe4. Our formal policy will document this.
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). We require providers to submit SOC 1 or HECVAT documentation. Our formal policy will document this.
• Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)). We work with OculusIT to follow up on the results of testing and risk assessments. For example, we rescan our network to follow up on the results of pen testing. We meet with the Oculus SOC team monthly to discuss server vulnerabilities uncovered. Our formal policy will document this process.
Names of Contact Persons Responsible for Corrective Action Plan:
Gary Rodman (Senior Director of Information Technology), rodmang@ripon.edu, 920-748-8343
Vince Vargiya (Vice President Information Security | CISO, OculusIT), vince_varigiya@oculusit.com, 844-462-8587 ext. 193
Anticipated Completion Date: Implementation of this plan began in March 2023, focusing on infrastructure hardening. Formal written policies will be put in place no later than June 30, 2024.