Finding 386728 (2023-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-03-28
Audit: 299031
Organization: Alverno College (WI)

AI Summary

  • Core Issue: The University lacks documented controls to ensure compliance with the updated GLBA Safeguards requirements by the June 9, 2023 deadline.
  • Impacted Requirements: Compliance with the Uniform Guidance and FTC regulations for information security programs is essential to protect student data.
  • Recommended Follow-Up: The University should review and enhance policies to document the information security program review and ensure compliance moving forward.

Finding Text

Agencies: US Department of Education

Assistance Listing Numbers: Student Financial Assistance Cluster: 84.033, 84.007, 84.063, 84.268, 84.038, 84.379

Programs: Federal Work Study Program, Federal Supplemental Educational Opportunity Grant Program, Federal Pell Grant Program, Federal Direct Student Loans, Federal Perkins Loan Program,

Criteria: The University is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it "believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule." Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts.

Statement of Condition: The University did not have documented controls in place reviewing that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023.

Questioned Costs: The amount of any questioned costs could not be determined.

Context: The University is required to have documented controls in place to ensure the University has a completed information security program available on or before June 9, 2023.

Cause: The University did not have the proper controls in place to ensure that the University was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314.

Effect: The ability to adequately safeguard student electronic data may be compromised if the University does not have controls in place to ensure that a timely-prepared information security program to define the various ways in which data is protected is completed.

Recommendation: We recommend the University review their policies and procedures in place to ensure that the information security program review is documented to support the University's compliance under the Uniform Guidance.

Management's Response: Management agrees with the finding and recommendation. New controls will be implemented in fiscal year 2024 to ensure that the information security review is appropriately documented and there is evidence of review.

Categories

  • Student Financial Aid
  • Matching / Level of Effort / Earmarking
  • Internal Control / Segregation of Duties
  • Special Tests & Provisions

Other Findings in this Audit

  • 386725 2023-001
    Significant Deficiency
  • 386726 2023-001
    Significant Deficiency
  • 386727 2023-001
    Significant Deficiency
  • 386729 2023-001
    Significant Deficiency
  • 386730 2023-001
    Significant Deficiency
  • 963167 2023-001
    Significant Deficiency
  • 963168 2023-001
    Significant Deficiency
  • 963169 2023-001
    Significant Deficiency
  • 963170 2023-001
    Significant Deficiency
  • 963171 2023-001
    Significant Deficiency
  • 963172 2023-001
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $22.08M
84.063 Federal Pell Grant Program $2.04M
84.425 Education Stabilization Fund - HEERF Student Aid Portion $840,124
84.038 Federal Perkins Loan Program $593,940
84.425 Education Stabilization Fund - HEERF Institutional Aid Portion $506,694
84.033 Federal Work-Study Program $450,585
84.031 Higher Education_Institutional Aid $313,693
47.076 Education and Human Resources $241,568
84.184 Safe and Drug-Free Schools and Communities_National Programs $203,741
84.007 Federal Supplemental Educational Opportunity Grants $128,175
47.074 Biological Sciences $105,014
10.223 Hispanic Serving Institutions Education Grants $46,850
84.335 Child Care Access Means Parents in School $44,994
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $5,603