Finding Text
Federal Agency: Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.007, 84.033, 84.063, 84.268
Federal Award Identification Number and Year: N/A
Award Period: June 1, 2023 to May 31, 2024
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Condition: There were five items missing entirely from the Written Information Security Program:
B.2 CLA was not able to verify that the WISP provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
B.3 The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were in draft form in the WISP:
o Implement multi-factor authentication for anyone accessing customer information on the institution’s system
o Dispose of customer information securely
o Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
B.4 In addition, CLA was not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
Questioned costs: None
Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were four elements missing from the WISP at the end of the fiscal year.
Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance as well as there was a general lack of capacity in IT staffing to formally implement the WISP during the year.
Effect: The student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements and is formally implemented.
Views of responsible officials: There is no disagreement with the audit finding.