Finding 386239 (2023-001)

Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-03-27
Audit: 298663
Organization: Upper Iowa University (IA)

AI Summary

  • Core Issue: The University lacks a written information security program that meets all GLBA requirements.
  • Impacted Requirements: Compliance with GLBA standards is essential for safeguarding consumer nonpublic personal information.
  • Recommended Follow-Up: Conduct and document an annual risk assessment to identify and address all required GLBA elements.

Finding Text

Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the previously required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program must address all elements that apply. The elements for information security programs set forth in 16 CFR 314.4 are high-level principles that describe the basic issues the programs must address; they do not prescribe how those issues will be addressed.

Condition: The University does not have a written information security program that addresses all elements that apply.

Cause: The University did not have procedures and processes in place specific to GLBA and therefore did not have written documentation of all required elements.

Effect: Failure to comply with the requirements of GLBA standards puts the University at risk of compromising consumer nonpublic personal information.

Questioned Costs: Not applicable.

Context: Not applicable.

Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).

Management's Response: The cause of the reported issue stems from the lack of written documentation of policies and procedures specific to GLBA requirements. The issue is being addressed by the Director of Information Technology and a campus-wide committee overseeing information security. The documented information security program has been drafted and will address the GLBA cybersecurity requirements.

Corrective Action Plan

UIU has acknowledged the issues presented and will be working with Columbia Advisory Group to address them. This contract began in January 2024; UIU commits to having the Executive Director of Information Technology Systems monitor requirements.

Categories

Subrecipient Monitoring

Other Findings in this Audit

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $19.80M
84.063 Federal Pell Grant Program $4.93M
84.007 Federal Supplemental Educational Opportunity Grants $241,491
47.076 STEM Education $199,134
84.033 Federal Work-Study Program $177,418
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $84,637
66.951 Environmental Education Grants $57,563
16.525 Grants to Reduce Domestic Violence, Dating Violence, Sexual Assault, and Stalking on Campus $26,150
84.038 Federal Perkins Loan Program $23,506