Chatham University’s Response to Schneider Downs’ Finding 2023 - 002 - Student Financial Assistance - Cluster, Department of Education Programs, in connection with their audit of the University’s financial statements for the year ended June 30, 2023.
The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The audit finding was based on 16 CFR 314.4(f), which requires the University to have a policy addressing how the institution will oversee its information system service providers.
Issue and Cause:
The University does not have a vendor management review process for information system service providers.
Action Plan:
The University acknowledges the specific requirements outlined in the finding and presents the following action plan to address the requirements of 16 CFR 314.
• The University has a draft Vendor Access to Internal Systems Policy developed in 2021 that needs to be finalized and formally adopted.
• The Chief Information Officer will review, update, and finalize this policy to ensure compliance with 16 CFR 314.4(f).
• The policy will be added to the University’s Cyber & Regulatory Compliance Policy document on the Intranet and any public-facing web pages as necessary.
• The policy will be distributed to applicable information system service providers.
• A process for the mandatory annual review and acknowledgment of the policy with applicable vendors will be implemented.
• The University will consider the costs and benefits of using external resources or firms to advise and help implement this action plan.
Chatham University’s Chief Information Officer, Paul Steinhaus, is responsible for implementing this corrective action by May 1, 2024.