Finding Text
Federal Agency: Department of Education
Federal Program Title: Student Financial Assistance Cluster
Assistance Listing Number: 84.007, 84.033, 84.063, 84.268
Federal Award Identification Number: P007A223424-2023, P033A223424-2023, P063P220352-2023,
and P268K220352-2023
Award Period: 7/1/22-6/30/23
Type of Finding: Significant Deficiency in Internal Control over Compliance; Compliance, Other Matters
Condition: The University has a Written information Security Program; however, the University did not meet
the minimum requirements stated in the Gramm-Leach-Bliley Act. Additionally, the University did not
designate a qualified individual responsible for overseeing and implementing the information and security
program.
Criteria or specific requirement: The Gramm-Leach Bliley Act (GLBA) requires financial institutions to
explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
The regulation states that the college must designate a qualified individual responsible for overseeing and
implementing your information security program and enforcing your information security program. (16 CFR
314.4(a)). The entity shall have a Written Information Security Program (WISP) that outlines the design and
implementation of the risk assessment procedures. (16 CFR 314.4(b)). At a minimum, the institution’s
written information security program must address the implementation of the minimum safeguards identified
in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written
security program provides for the institution to regularly test or otherwise monitor the effectiveness of the
safeguards it has implemented (16 CFR 314.4(d)). Per 2 CFR 200.303, nonfederal entities receiving federal
awards are required to establish and maintain internal controls designed to reasonably ensure compliance
with federal laws, regulations, and program compliance requirements.
Context: These new GLBA requirements were applicable beginning on June 9, 2023, and there were seven
elements missing from their Written Information Security Program.
Questioned costs: N/A
Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure
compliance.
Effect: The University was not in compliance with Gramm-Leach-Bliley compliance standards.
Repeat finding: Yes, 2022-017
Recommendation: We recommend that the University review the updated GLBA requirements and ensure
their WISP includes all required elements.
Views of responsible officials: Management agrees with the finding and has developed a plan to correct
the finding.