Finding Text
Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in
Internal Controls over Compliance
Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal
Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education
Assistance for College and Higher Education Grants
Federal Award Number: P063P230416, P268K240416, P007A234401, P033A234401, P379T240416
Award Year: 2023-24, 2022-23
Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and
maintain a comprehensive information security program that is written in one or more readily accessible
parts and contains administrative, technical, and physical safeguards that are appropriate to the size and
complexity, the nature and scope of their activities, and the sensitivity of any customer information at
issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be
reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as
of June 9, 2023.
Condition/context: Based on our review of the information provided by the University, the University is currently
in the process of reviewing and finalizing its information security program. The written draft provided did
not appear to have been updated in several years and did not clearly address all of the required elements
in 16 CFR 314.4.
Questioned costs: None.
Cause/effect: The Integrated Technology Services department has experienced staff shortages, which
have contributed to the delay in implementing this standard. The absence of a well-designed and
documented policy addressing the standards set forth under the act could put the security, confidentiality,
and integrity of student information at risk.
Repeat finding: Yes, 2023-002
Recommendation: We recommend the University review the compliance requirements and update its
written policy to ensure that it addresses all the required elements.
Views of responsible officials and planned corrective actions: Saint Martin’s University management
agrees with the finding. The University will review the requirements of 16 CFR 314.4, update our written
policy to ensure that it addresses all the required elements of 16 CFR 314.3(b), and perform an annual
review of our updated policy to ensure that it continues to comply with all relevant regulations. The
University is currently in the process of formally adopting a cybersecurity framework as well as securing a
vendor to perform an IT security assessment. This ongoing work in the interest of the security,
confidentiality, and integrity of student information will position us well to make the recommended updates
to our policy.