Finding 387183 (2023-001)

Criteria (A)Per 16 CFR 314.3 the institutions with 5,000 or more customers must stablish written information securityprogram to include nine elements. The elements that an institution must address in its written informationsecurity program are at 16 CFR 314.4. At a minimum, an institution’s written information security programshould include: 1.Designates a qualified individual responsible for overseeing and implementing the institutions or servicer’sinformation security program and enforcing the information security program (16 C.F.R. 314.4(a)). 2.Provides for the information security program to be based on a risk assessment that identifies reasonablyforeseeable internal and external risks to the security, confidentiality, and integrity of customer information(as the term customer information applies to the institution or servicer) that could result in the unauthorizeddisclosure, misuse, alteration, destruction, or other compromise of such information, and assesses thesufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)). 3.Provides for the design and implementation of safeguards to control the risks the institution or serviceridentifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information securityprogram must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1)through (8). 4.Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it hasimplemented (16 CFR 314.4(d)). 5.Provides for the implementation of policies and procedures to ensure that personnel are able to enact theinformation security program (16 C.F.R. 314.4(e)). 6.Addresses how the institution will oversee its information system service providers (16 C.F.R. 314.4(f)). 7.Provides for the evaluation and adjustment of its information security program in light of the results of therequired testing and monitoring; any material changes to its operations or business arrangements; theresults of the required risk assessments; or any other circumstances that it knows or has reason to knowmay have a material impact the information security program (16 C.F.R. 314.4(g)). 8.For an institution or servicer maintaining student information on 5,000 or more consumers, addresses theestablishment of an incident response plan (16 C.F.R. 314.4(h)). 9.For an institution or servicer maintaining student information on 5,000 or more consumers, addresses therequirement for its Qualified Individual to report regularly and at least annually to those with control over theinstitution on the institution’s information security program (16 C.F.R. 314.4(i)). (B)Per 2 CFR 200.303, a non-federal entity mush establish and maintain internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations and the terms and conditions of the federal award.Condition and ContextDuring our audit of the internal controls over compliance and compliance requirements, we noted that the University did not have written procedures or formal policies to ensure compliance with all the elements included in the criteria. We were no able to identify formal written procedures for the elements: 4,5,7 and 9.