Finding 394867 (2023-003)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-04-26
Audit: 304756
Organization: North Park University (IL)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The University is not fully compliant with the updated requirements of the Gramm-Leach-Bliley Act (GLBA), risking student information security.
  • Impacted Requirements: Key areas include information security program updates, security risk assessments, multi-factor authentication, vendor management, incident response planning, and annual reporting.
  • Recommended Follow-Up: Allocate necessary resources to meet GLBA requirements and implement corrective actions as agreed upon by management.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance

Significant Deficiency

DEPARTMENT OF EDUCATION

ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 93.964 - Student Financial Assistance Cluster

Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The University did not sufficiently comply with the updated requirements of GLBA.

Criteria: 16 CFR 314.3, 16 CFR 314.4

Questioned Costs: $0

Context: The University has not sufficiently updated its information security program, sufficiently documented its security risk assessment and safeguards, implemented multi-factor authentication on all systems containing personally identifiable information (PII), or implemented sufficient vendor management policies and reviews. Additionally, the University has not implemented an incident response plan or provided a written annual report to the board that covers all required areas.

Cause: The University has not allocated sufficient resources to address and document compliance with the requirements of GLBA.

Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: N/A

Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action: The University will proceed with approval and implementation of draft policies and procedures and will expand the information security program to address identified issues. The University will allocate necessary resources and will contract with necessary third-party providers to meet existing resource and technology gaps.

Person Responsible for Corrective Action Plan: Jeff Lundblad, AVP and Chief Information Officer

Anticipated Date of Completion: October, 2024

Categories

Subrecipient Monitoring Significant Deficiency

Other Findings in this Audit

  • 394868 2023-003
    Significant Deficiency
  • 394869 2023-003
    Significant Deficiency
  • 394870 2023-003
    Significant Deficiency
  • 394871 2023-003
    Significant Deficiency
  • 394872 2023-003
    Significant Deficiency
  • 971309 2023-003
    Significant Deficiency
  • 971310 2023-003
    Significant Deficiency
  • 971311 2023-003
    Significant Deficiency
  • 971312 2023-003
    Significant Deficiency
  • 971313 2023-003
    Significant Deficiency
  • 971314 2023-003
    Significant Deficiency

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $11.43M
84.063 | Federal Pell Grant Program | $4.24M
84.038 | Federal Perkins Loan Program | $734,430
93.364 | Nursing Student Loans | $606,294
84.007 | Federal Supplemental Educational Opportunity Grants | $469,820
84.425 | COVID-19 Education Stabilization Fund HEERF - Student Aid Portion | $186,415
84.033 | Federal Work-Study Program | $179,921
47.076 | STEM Education | $92,829
84.425 | COVID-19 Education Stabilization Fund Governor's Emergency Education Relief Funds | $72,499
19.009 | Academic Exchange Programs - Undergraduate Programs | $17,361