Finding 504096 (2024-002)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2024-10-29
Audit: 326504
Organization: University of Dallas (TX)

AI Summary

  • Core Issue: The University lacks a written information security program that meets the minimum requirements of the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Compliance with GLBA mandates protecting sensitive student financial aid information and implementing specific security measures.
  • Recommended Follow-Up: Complete the written information security program and ensure all required GLBA elements are fully addressed.

Finding Text

Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bliley Act (16 CFR 314) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (GLBA) because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

Condition – The University must have a written information security program that addresses the required minimum seven elements.

Questioned costs – $0

Context – The University does not have a written information security program that addresses the required elements. The University has designated their Chief Information Officer as the qualified individual responsible for implementing and monitoring their information security program. They have started addressing the additional required elements, including reviewing access controls, implementing multi-factor authentication for students, disposing of student information securely, performing annual penetration testing, reviewing the log for unauthorized access, implementing multi-factor authentication for staff and faculty with access to student information, implementing policies and procedures to ensure that personnel are able to enact the information security program, and encrypting all information on the institution’s system and when it’s in transit.

Effect – The University did not implement the revised GLBA regulations by the required date.

Cause – The University’s controls did not ensure the revised GLBA regulations were implemented by the required date.

Identification of a repeat finding, if applicable – N/A

Recommendation – The University should complete the written information security program and ensure the additional required GLBA elements are included.

Views of responsible officials and planned corrective accounts – On July 19, 2024, the University of Dallas received a notification from Forvis Mazars concerning several outstanding items from the latest Gramm-Leach-Bliley Act (GLBA) requirements in the compliance audit. The Chief Information Security Officer (CISO), IT security personnel and Chief Information Officer (CIO) compiled the necessary information to provide an accurate status update on the remediation efforts for each item. See corrective action plan for the current remediation status as of September 5, 2024.

Categories

  • Special Tests & Provisions
  • Student Financial Aid
  • Subrecipient Monitoring

Other Findings in this Audit

  • 504092 2024-001
    Material Weakness Repeat
  • 504093 2024-001
    Material Weakness Repeat
  • 504094 2024-002
    Significant Deficiency
  • 504095 2024-002
    Significant Deficiency
  • 504097 2024-002
    Significant Deficiency
  • 504098 2024-002
    Significant Deficiency
  • 504099 2024-003
    Significant Deficiency
  • 504100 2024-003
    Significant Deficiency
  • 504101 2024-003
    Significant Deficiency
  • 504102 2024-003
    Significant Deficiency
  • 504103 2024-003
    Significant Deficiency
  • 1080534 2024-001
    Material Weakness Repeat
  • 1080535 2024-001
    Material Weakness Repeat
  • 1080536 2024-002
    Significant Deficiency
  • 1080537 2024-002
    Significant Deficiency
  • 1080538 2024-002
    Significant Deficiency
  • 1080539 2024-002
    Significant Deficiency
  • 1080540 2024-002
    Significant Deficiency
  • 1080541 2024-003
    Significant Deficiency
  • 1080542 2024-003
    Significant Deficiency
  • 1080543 2024-003
    Significant Deficiency
  • 1080544 2024-003
    Significant Deficiency
  • 1080545 2024-003
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $10.77M
84.063 Federal Pell Grant Program $2.08M
84.038 Federal Perkins Loan Program $1.07M
84.033 Federal Work-Study Program $291,054
84.007 Federal Supplemental Educational Opportunity Grants $159,200
84.200 Graduate Assistance in Areas of National Need (GAANN) $116,588
81.049 Neutron Scattering Cross Sections $13,723
45.310 Grants to States $415