Finding Text
2022-004. FINDING: Noncompliance with Special Tests and Provisions - Student Financial Aid Information Security

Federal Agency: U.S. Department of Education

Program: Student Financial Assistance Cluster. Assistance listing numbers, program names, and expenditures (the three parallel lists in the finding, aligned in their original order):

    84.007  Federal Supplemental Educational Opportunity Grants                          $359,412
    84.033  Federal Work-Study Program                                                    $432,302
    84.038  Federal Perkins Loan Program                                                $1,264,604
    84.063  Federal Pell Grant Program                                                  $4,213,853
    84.268  Federal Direct Student Loans                                               $20,166,174
    84.379  Teacher Education Assistance for College and Higher Education Grants           $26,878
    93.925  Scholarships for Health Professions Students from Disadvantaged Backgrounds   $860,306

Award Numbers: P007A221121; P033A221121; P063P211351; P268K221351; P379T221351

Questioned Costs: None

Condition: The Chicago State University (University) did not perform risk assessment procedures and did not document safeguards for each identified risk relating to student financial aid information. Under its Program Participation Agreement with the Department of Education, the University is required to protect student financial aid information. During our testing, we noted the University had not conducted a risk assessment identifying the internal and external risks to the security, confidentiality, and integrity of student information.

Criteria: The Standards for Safeguarding Customer Information, required by the Gramm-Leach-Bliley Act (GLBA) (16 CFR § 314.4(b)), require the University to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of student information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risk in each relevant area of operations, including:

(1) Employee training and management;
(2) Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
(3) Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Additionally, the Uniform Guidance (2 CFR § 200.303) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award. In addition, the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST), which the Department of Education directs institutions to follow for this purpose, calls for entities to perform a risk assessment and establish a risk mitigation plan to minimize identified risks.

Cause: University management indicated the issues were due to the vacancy of the Information Technology Security Officer position.

Effect: Without a risk assessment, the University is at risk of noncompliance with the GLBA. In addition, the University's systems and information could be vulnerable to attacks or intrusions, and such attacks may not be detected in a timely manner. (Finding Code No. 2022-004)

RECOMMENDATION

We recommend the University strengthen controls to ensure adequate risk assessment procedures are performed and that documentation of the safeguards for each risk identified in relation to student information security is maintained.

UNIVERSITY RESPONSE

The University agrees with the finding and is developing a corrective action plan for implementation.