Finding 388269 (2023-003)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-03-28
Audit: 300046
Organization: Governors State University (IL)
Auditor: Adelfia LLC

AI Summary

  • Core Issue: Governors State University lacks a written incident response plan, violating the Gramm-Leach-Bliley Act's requirements for protecting customer information.
  • Impacted Requirements: The absence of this plan increases vulnerability to security events, failing to meet both the GLBA Safeguards Rule and Uniform Guidance for federal compliance.
  • Recommended Follow-Up: The University should prioritize completing and implementing the incident response plan to enhance security and compliance.

Finding Text

2023-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)

Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.038, 84.033, 84.007, 84.063, 84.268, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program, Federal Direct Student Loans, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P033A221156, P033A211156, P033A171156, P007A221156, P007A211156, P063P220567, P063P210567, P268K230567, P268K220567, P379T230567, P379T220567, 5T08HP39308‐03‐00, and E01HP27019
Questioned Cost: None
Program Expenditures: $2,474,974; $503,715; $265,650; 7,216,654, $21,864,079; $25,930; $576,000; $622,305
Cluster Expenditures: $33,549,307

Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in their control.

During our audit, we noted the University was unable to complete the development of the written incident response plan as of the end of the audit period.

On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.

The Code of Federal Regulations (16 CFR 314.4 (h)) requires the University to develop, implement and maintain an information security program which includes establishing a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control. At a minimum, such incident response plan shall address the following areas:

  • the goals of the incident response plan;
  • the internal processes for responding to a security event;
  • the definition of clear roles, responsibilities, and levels of decision-making authority;
  • external and internal communications and information sharing;
  • identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
  • documentation and reporting regarding security events and related incident response activities; and
  • the evaluation and revision as necessary of the incident response plan following a security event.

Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.

University officials stated the University has started the process of developing the written incident response plan but has not been completed to date due to resource constraints and competing priorities.

The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities as it relates to protecting the privacy and personal information of students than it will be following full implementation. (Finding Code No. 2023-003)

RECOMMENDATION

We recommend the University continue towards completion and full implementation of the written incident response plan.

UNIVERSITY RESPONSE

The University agrees with this finding and accepts the recommendation. The University is currently drafting the incident response plan and is working to secure a contract with an incident response firm. Additionally, the University recently hired an Information Security Analyst, a newly created position designed to address smaller-scale alerts and incidents.

Categories

  • Student Financial Aid
  • Matching / Level of Effort / Earmarking
  • Reporting

Other Findings in this Audit

  • 388265 2023-002
    Significant Deficiency Repeat
  • 388266 2023-003
    Significant Deficiency
  • 388267 2023-003
    Significant Deficiency
  • 388268 2023-003
    Significant Deficiency
  • 388270 2023-003
    Significant Deficiency
  • 388271 2023-003
    Significant Deficiency
  • 388272 2023-003
    Significant Deficiency
  • 388273 2023-003
    Significant Deficiency
  • 388274 2023-004
    Significant Deficiency
  • 388275 2023-005
    -
  • 964707 2023-002
    Significant Deficiency Repeat
  • 964708 2023-003
    Significant Deficiency
  • 964709 2023-003
    Significant Deficiency
  • 964710 2023-003
    Significant Deficiency
  • 964711 2023-003
    Significant Deficiency
  • 964712 2023-003
    Significant Deficiency
  • 964713 2023-003
    Significant Deficiency
  • 964714 2023-003
    Significant Deficiency
  • 964715 2023-003
    Significant Deficiency
  • 964716 2023-004
    Significant Deficiency
  • 964717 2023-005
    -

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $21.86M
84.063 Federal Pell Grant Program $7.22M
84.038 Federal Perkins Loan Program $2.47M
84.425 Education Stabilization Fund $883,945
93.264 Nurse Faculty Loan Program (nflp) $622,305
93.925 Scholarships for Health Professions Students From Disadvantaged Backgrounds $576,000
93.575 Child Care and Development Block Grant $515,426
84.033 Federal Work-Study Program $503,715
93.732 Mental and Behavioral Health Education and Training Grants $346,490
84.066 Trio_educational Opportunity Centers $289,060
84.007 Federal Supplemental Educational Opportunity Grants $265,650
93.959 Block Grants for Prevention and Treatment of Substance Abuse $242,645
21.027 Coronavirus State and Local Fiscal Recovery Funds $200,614
11.020 Cluster Grants $172,623
10.558 Child and Adult Care Food Program $100,614
84.335 Child Care Access Means Parents in School $88,499
84.153 Business and International Education Projects $63,705
93.859 Biomedical Research and Research Training $57,089
84.016 Undergraduate International Studies and Foreign Language Programs $54,711
45.024 Promotion of the Arts_grants to Organizations and Individuals $45,000
93.243 Substance Abuse and Mental Health Services_projects of Regional and National Significance $40,307
84.116 Fund for the Improvement of Postsecondary Education $37,652
93.600 Head Start $28,224
84.379 Teacher Education Assistance for College and Higher Education Grants (teach Grants) $25,930
59.075 Shuttered Venue Operators Grant Program $18,298
47.076 Education and Human Resources $15,822
84.220 Centers for International Business Education $11,285
93.077 Family Smoking Prevention and Tobacco Control Act Regulatory Research $8,682
16.835 Body Worn Camera Policy and Implementation $8,500
47.084 Nsf Technology, Innovation, and Partnerships $1,149