Finding 516757 (2023-003)

- Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-12-24
Audit: 334723
Organization: Holy Names University (CA)

AI Summary

  • Core Issue: The University has not conducted a formal risk assessment since January 2021, failing to meet GLBA requirements for data security.
  • Impacted Requirements: Inadequate identification of risks to student financial aid information, leading to potential unauthorized access or misuse.
  • Recommended Follow-Up: Engage an outside resource to perform a comprehensive risk assessment and address any identified deficiencies.

Finding Text

Criteria: Under the University’s Program Participation Agreement and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid. According to 16 CFR 314.4(b), a school must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including: Employee training and management; Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Condition: Although the University has documented various IT policies around access, they are not comprehensive enough to cover the Gramm-Leach-Bliley Act requirements with respect to the process of identifying the internal and external risks to data security.

Cause: The University has not conducted a formal risk assessment since January 2021.

Effect: Student information may be at risk of unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.

Questioned Costs: There were no questioned costs related to this finding.

Context: During our review of the University’s Information Technology system, we noted through inquiry that a formal risk assessment of the University’s documented safeguards had not been performed since January 2021.

Identification as a Repeat Finding: This finding is a repeat of finding 2022-002 in the immediately prior audit.

Recommendation: We recommend that the University re-engage the outside resource to independently perform and develop a formal risk assessment, along with recommendations for remediation of any open items and/or deficiencies.

Views of Responsible Officials: We agree with the recommendation.

Categories

Subrecipient Monitoring

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $1.79M
84.063 Federal Pell Grant Program $1.23M
84.047 Trio Upward Bound $916,489
84.031 Higher Education Institutional Aid $521,120
84.007 Federal Supplemental Educational Opportunity Grants $120,500
84.033 Federal Work-Study Program $111,185
84.038 Federal Perkins Loan Program - Outstanding As of July 1, 2022 $101,506
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $9,958
84.425 Education Stabilization Fund $2,242