Finding 514581 (2024-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2024-12-17

AI Summary

  • Core Issue: The Written Information Security Program (WISP) is missing five essential elements required by GLBA, which could leave student personal information vulnerable.
  • Impacted Requirements: The WISP lacks critical safeguards such as access controls, data inventory, encryption, and secure disposal of customer information.
  • Recommended Follow-Up: The University should review and update the WISP to include all necessary elements to comply with GLBA requirements.

Finding Text

Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: Various
Award Period: July 1, 2023 to June 30, 2024

Type of Finding:

  • Significant Deficiency in Internal Control over Compliance
  • Other Matters

Criteria or Specific Requirement: GLBA requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program (WISP) to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The WISP for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its WISP are outlined in 16 CFR 314.4. At a minimum, the institution’s WISP must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. Additionally, the written security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

Condition: During our testing, there was evidence obtained of five procedures being performed during the year; however, these five items were missing from the formally documented Written Information Security Program (WISP).

The following minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) were not included in the WISP:

  • Implement and periodically review access controls
  • Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted
  • Encrypt customer information on the institution’s system and when it’s in transit
  • Dispose of customer information securely

In addition, we were not able to verify that the WISP provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.

Questioned Costs: N/A

Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were five elements missing from the WISP.

Cause: The current processes in place did not ensure 100% compliance with the new GLBA requirements.

Effect: The student personal information could be vulnerable.

Repeat Finding: No

Auditor’s Recommendation: We recommend that the University review the updated GLBA requirements and ensure their WISP includes all required elements.

Views of Responsible Officials: There is no disagreement with the audit finding.

Categories

  • Significant Deficiency
  • Equipment & Real Property Management
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 514577 2024-001
    Significant Deficiency
  • 514578 2024-001
    Significant Deficiency
  • 514579 2024-001
    Significant Deficiency
  • 514580 2024-001
    Significant Deficiency
  • 514582 2024-001
    Significant Deficiency
  • 514583 2024-002
    Significant Deficiency
  • 514584 2024-002
    Significant Deficiency
  • 514585 2024-002
    Significant Deficiency
  • 514586 2024-002
    Significant Deficiency
  • 514587 2024-002
    Significant Deficiency
  • 514588 2024-002
    Significant Deficiency
  • 1091019 2024-001
    Significant Deficiency
  • 1091020 2024-001
    Significant Deficiency
  • 1091021 2024-001
    Significant Deficiency
  • 1091022 2024-001
    Significant Deficiency
  • 1091023 2024-001
    Significant Deficiency
  • 1091024 2024-001
    Significant Deficiency
  • 1091025 2024-002
    Significant Deficiency
  • 1091026 2024-002
    Significant Deficiency
  • 1091027 2024-002
    Significant Deficiency
  • 1091028 2024-002
    Significant Deficiency
  • 1091029 2024-002
    Significant Deficiency
  • 1091030 2024-002
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.063 Federal Pell Grant Program $2.55M
84.268 Federal Direct Student Loans $1.42M
84.038 Federal Perkins Loans-Beginning Balance $754,803
84.033 Federal Work-Study Program $172,048
84.007 Federal Supplemental Educational Opportunity Grants $113,927