Finding Text
Special Tests and Provisions: Gramm-Leach-Bliley Act Student Information Security (Significant Deficiency) and Compliance
Federal Agency: U.S. Department of Education (“ED”)
Program Title: Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program
Assistance Listing Numbers: 84.007, 84.063
Federal Award Source: Direct funding
Pass-Through Entity: N/A
Pass-Through Identifying Number: N/A
Criteria – Title IV-eligible institutions are subject to the Gramm-Leach-Bliley Act (the “Act”). The Act requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Act because they appear to be significantly engaged in wiring funds to consumers. Institutions agree to comply with the Act in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs. Institutions are required to be in compliance with the Act’s requirements by June 9, 2023. Institutions are required to develop, implement and maintain a written comprehensive information security program that addresses seven required elements, including the design and implementation of several key safeguards. One of these safeguards is the implementation of multi-factor authentication for anyone accessing customer information on the institution’s system.
Condition and Context – During our testing of special tests and provisions related to the Act, the auditor obtained the Organization’s written information security program, made inquiries of the Organization’s management and of the qualified individual responsible for overseeing, implementing and enforcing the Organization’s information security program, and noted that multi-factor authentication was not implemented for the Organization’s general ledger system, Jenzabar, nor for its student financial aid software, PowerFAIDS, both of which contain sensitive customer information. In addition, a reasonable equivalent to multi-factor authentication was not implemented. Lastly, the written information security program was not implemented by the June 9, 2023 deadline.
Cause and Effect – Per our discussions with the Organization’s qualified individual responsible for overseeing, implementing and enforcing the Organization’s information security program, multi-factor authentication is not currently available for the versions of Jenzabar and PowerFAIDS the Organization uses, and the Organization has held discussions with one of the software providers about this. However, due to the lack of multi-factor authentication, there is an increased risk of unauthorized access to sensitive student information.
Questioned Costs – None identified.
Recommendation – We recommend that the Organization implement multi-factor authentication, or a reasonable equivalent as allowed by the Act, for its computer software programs containing sensitive customer information, Jenzabar and PowerFAIDS.
View of Responsible Officials – We agree with the finding and are in the process of developing multi-factor authentication, or a reasonable equivalent, for our computer software programs containing sensitive customer information, Jenzabar and PowerFAIDS. See our Corrective Action Plan for the fiscal year ended June 30, 2023 for additional detail.