Finding 41798 (2022-001)

Type: Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2023-03-21
Audit: 38645
Organization: Holy Family University (PA)

AI Summary

  • Core Issue: The University has not conducted required risk assessments for protecting student financial aid information, violating GLBA standards.
  • Impacted Requirements: The lack of risk assessments affects employee training, information systems security, and safeguards against data breaches.
  • Recommended Follow-Up: The University should perform and document an annual risk assessment, ensuring safeguards are in place for each identified risk.

Finding Text

Award Year: July 1, 2021 - June 30, 2022
Federal Agency: U.S. Department of Education
Pass Through Entity: Not applicable

Criteria: In accordance with Title IV regulations (CFR 314.1 (b)), an institution must protect student financial aid information by designating an individual to coordinate the information security program; performing a risk assessment that addresses (1) employee training and management, (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures; and documenting safeguards for identified risks.

Condition: The University has not performed a risk assessment addressing (1) employee training and management, (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal, and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures, as required by the Gramm-Leach-Bliley Act (GLBA). In addition, the University has not documented safeguards for identified risks.

Cause: The University did not have procedures and processes in place specific to GLBA and therefore did not document the required risk assessment or risk mitigation.

Effect: With no formal policies and procedures surrounding student information security, the University may be susceptible to threats to consumer nonpublic personal information. Failure to comply with GLBA standards may bring penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.

Questioned Costs: None.

Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should have at least one risk statement aligned or referenced to each of the three required areas noted in the GLBA law at 16 CFR 314.4 (b). Finally, the University should identify and document at least one safeguard (i.e., control) for each of the risks identified and documented in the risk assessment. Each control should be aligned or referenced to the risk(s) to which the safeguard applies.

Management Response: While a specific GLBA audit has not been performed, the general guidance from the National Institute of Standards and Technology (NIST) is well aligned with the controls needed to protect data as required by the Family Educational Rights and Privacy Act (FERPA) guidance. In addition to these policies and procedures in place at the University, in November 2021, an Interim CIO consultant was engaged to assess the technology environment and make recommendations. Risk-based priorities were established that included strengthening the network, firewalls, email access (including Multi-Factor Authentication (MFA)), applications and policies/procedures. The Interim CIO consultant was hired as a full-time employee as of January 1, 2022. A significant investment was made to upgrade and enhance the security features of the network. Moving forward, management plans to address (1) designing a student portal to mitigate risks associated with data in transit from students and (2) reviewing and updating policies to align with stronger security measures required by employees, account deactivation, guidance/consolidation of data storage and new processes being streamlined across the University initiated by new leadership and organizational re-alignment.

Corrective Action Plan

Holy Family University respectfully submits the following corrective action plan for the year ended June 30, 2022.

Name and address of independent public accounting firm: Baker Tilly US, LLP, 1650 Market Street, Suite 4500, Philadelphia, Pennsylvania 19103

Audit period: June 30, 2022

The findings from the June 30, 2022 schedule of findings and questioned costs are discussed below.

Finding 2022-001: Special Tests and Provisions - Gramm-Leach-Bliley Act ("GLBA")
84.268 Federal Direct Loan Program; 84.063 Federal Pell Grant Program; 84.033 Federal Work Study Program; 84.007 Federal Supplemental Educational Opportunity Grant; 84.038 Federal Perkins Loan Program

Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should have at least one risk statement aligned or referenced to each of the three required areas noted in the GLBA law at 16 CFR 314.4 (b). Finally, the University should identify and document at least one safeguard (i.e., control) for each of the risks identified and documented in the risk assessment. Each control should be aligned or referenced to the risk(s) to which the safeguard applies.

Action Taken: The institution acknowledges and understands the requirements set forth by the Gramm-Leach-Bliley Act (GLBA) and is in the process of selecting a qualified individual for the partner role. Our team is actively developing a timeline to ensure full compliance with GLBA by June 9, 2023. In order to prioritize our efforts, we have identified areas of risk and implemented risk-based priorities to strengthen our network security, including firewalls, email access with Multi-Factor Authentication (MFA), applications, and policies/procedures. As part of our compliance efforts, our team will conduct a risk assessment to address three areas of concern, including:
  1. employee training and management;
  2. information systems (including network and software design, as well as information processing, storage, transmission, and disposal); and
  3. detecting, preventing and responding to attacks, intrusions, or other systems failures.
We will document safeguards for identified risks by June 30, 2023.

Name(s) of Contact Person(s) Responsible for Corrective Action: Mark Green, Associate Vice President Institutional Effectiveness, IT, and Innovation

Anticipated Completion Date: June 9, 2023

If there are any questions regarding this corrective action plan, please contact Eric Nelson, Vice President for Finance & Administration, at enelson@holyfamily.edu.

Categories

Student Financial Aid Subrecipient Monitoring Eligibility

Other Findings in this Audit

  • 618240 (2022-001): Significant Deficiency

Programs in Audit

ALN     Program Name                                         Expenditures
84.268  Federal Direct Student Loans                         $21.95M
84.063  Federal Pell Grant Program                           $4.04M
84.425  Education Stabilization Fund                         $971,750
93.364  Nursing Student Loans                                $727,257
84.038  Federal Perkins Loan Program                         $408,603
84.031  Higher Education Institutional Aid                   $355,140
84.033  Federal Work-Study Program                           $296,257
84.007  Federal Supplemental Educational Opportunity Grants  $181,435
93.264  Nurse Faculty Loan Program (NFLP)                    $50,703