Finding 517766 (2024-001)

Significant Deficiency Repeat Finding
Requirement
N
Questioned Costs
-
Year
2024
Accepted
2025-01-06
Audit: 335890
Organization: Johnson University (TN)

AI Summary

  • Core Issue: The University’s GLBA Policy is incomplete and not effectively administered, failing to meet all requirements outlined in 16 CFR 314.4.
  • Impacted Requirements: Key elements such as risk assessment, access controls, data inventory, and secure disposal of customer information are inadequately addressed or missing.
  • Recommended Follow-Up: Ensure all policy gaps are filled by December 31, 2024, and conduct regular evaluations of the information security program to maintain compliance.

Finding Text

2024-001 Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001)

Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue, and must contain all of the elements that are further described in 16 CFR 314.4.

Statement of Condition: During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The seven required elements for the GLBA policy are as follows, along with the status within each of the University’s policies in place during the year:

1. The policy designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance. Both the existing policy and the newly implemented policy sufficiently address this attribute. Luke Edwards, IT director, and Tim Fisher, IT Systems Analyst, work together to oversee the information security program and implementation of additional facets.

2. The policy provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by December 31, 2025.

3. The policy provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), which are detailed as follows:

3.1. Implement and periodically review access controls. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024.

3.2. Conduct a periodic inventory of data, noting where it is collected, stored or transmitted. Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.

3.3. Encrypt customer information on the institution’s system and when it is in transit. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. The University has had encryption in transit for several years but has not had encryption at rest. In October 2023, the University purchased licenses to enable encryption at rest and most virtual machines containing sensitive data were fully encrypted by April 30, 2024. The remaining virtual machines are planned to be encrypted by December 31, 2024.

3.4. Assess applications developed by the institution. Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.

3.5. Implement multi-factor authentication for anyone accessing customer information on the institution’s system. Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where the student information system is accessed, as well as administrative and financial applications.

3.6. Dispose of customer information securely. Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments.

3.7. Anticipate and evaluate changes to the information system or network. This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024.

3.8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; logging of sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.

4. The policy provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.

5. The policy provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program. Both the existing policy and the newly implemented policy sufficiently address this attribute. Software has been purchased and implemented for continuous monitoring of vulnerabilities within organizational software.

6. The policy addresses how the institution will oversee its information system service providers. This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement. Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by December 31, 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years.

7. The policy provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program. Both the existing policy and the newly implemented policy sufficiently address this attribute. Status reports regarding facets of the information security policy are provided to senior leadership team members and to the board at least annually at their regularly scheduled meetings.

Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature.

Perspective Information: The 2024 audit included testing of the University’s Gramm-Leach-Bliley Act Policy as outlined in Part 5 of the Compliance Supplement, including the application of this program for the year.

Cause and Effect: During the current year, the responsible parties began putting procedures into place and drafted an updated policy to ensure deficiencies in the information security policy are addressed. As this process requires the coordination of multiple individuals, software systems, and approvals, the updates were unable to be completed by June 30, 2024.

Recommendation: The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way that ensures it is administered effectively and timely.

View of Responsible Officials: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security.

Corrective Action Plan

Finding Reference Number: 2024-001
Initial Fiscal Year: 2023

Summary of Finding: Significant Deficiency: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William D. Ford Direct Loan Program, ALN #84.268) (Repeat Finding: 2023-001)

In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue, and must contain all of the elements that are further described in 16 CFR 314.4. During the audit, it was noted that the University’s Gramm-Leach-Bliley Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the application of the comprehensive information security program was not effectively administered by the University during the 2024 year. An updated policy was put into place in July 2024, which addressed several of the deficiencies noted in the existing policy, but not all. The University should continue to update their Gramm-Leach-Bliley Act Policy to be in accordance with the requirements and put in place effective controls and practices to ensure the policy is monitored in a way that ensures it is administered effectively and timely.

Entity’s Corrective Action Plan: The Johnson University IT Department has consistently worked to improve compliance with GLBA regulations since July 2023. The leadership of Johnson University has taken a proactive and measured approach to GLBA compliance that ensures a balance between reaching compliance quickly and reaching compliance with long-term strategic planning. This has led to a GLBA implementation that will take 2 or more years but will set up the university for long-term excellence in compliance and security. The University understands the importance of GLBA requirements and is committed to ensuring student data is protected from all foreseeable threats. It will continue to iterate on its GLBA corrective action plan to ensure proper compliance for long-term security.

The Johnson University IT Department has developed a plan to address deficiencies in GLBA compliance in each of the following areas:

Requirement 1 – Qualified Individual: 16 CFR 314.4(a)

Johnson University has designated Tim Fisher as our Qualified Individual. Tim Fisher is an employee of Johnson University, serving in the IT Systems Analyst role, and will work alongside Johnson University’s IT Director to oversee the information security program and its implementation. While Tim has over 15 years of on-the-job cybersecurity experience, additional training resources have already been provided to Tim Fisher to pursue the CompTIA Security+ certification. Tim Fisher expects to complete the training and gain the certification by the end of 2025. This was deemed sufficient for GLBA compliance in the audit report provided by Blackburn, Childers & Steagall, PLC dated November 6, 2024.

Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.”

Requirement 2 – Risk Assessment: 16 CFR 314.4(b)

Johnson University partnered with HORNE, a cybersecurity company, to conduct a risk assessment in November 2023. The assessment covered several topics and recorded inherent risk levels, existing mitigating controls, and the residual risk levels of each topic covered. Residual risk levels, the level of risk existing despite the existing controls, were found to be considered high in termination procedures and review of security logs. GLBA policy development and implementation decisions were based heavily on this initial risk assessment. A more comprehensive cybersecurity company with experience serving customers in Higher Education, DeapSeas, has been selected for ongoing cybersecurity assistance and will be conducting future risk assessments. Additional risk assessments are planned to be performed every 2 years to reexamine reasonably foreseeable risks and to account for changes in cybersecurity controls. The next risk assessment shall be completed by the end of 2025.

Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.”

Requirement 3.1 – Access Controls: 16 CFR 314.4(c)(1)

Johnson University policy ensures that employee supervisors dictate appropriate access for each employee to the IT Department when they are hired or change positions. Supervisors are responsible for ensuring employees have appropriate access to locations where sensitive information is stored, such as file servers and Jenzabar (Student Information System) software access. The IT Department processes permission changes and does not provide permissions without explicit request from the employee supervisor. Auditing existing permissions is a weak spot that has, in the past, taken hours of manual work. We have purchased software, AD Manager, to assist with access reviews. We expect this software to be ready to audit necessary permission groups by the end of 2024. This should significantly reduce the time it takes to audit permissions through additional reporting and easy remediation features.

Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement, instituting a continuous monitoring process undertaken at periodic intervals. The University has contracted with a new software to assist with this, which is expected to be live by December 31, 2024.”

Note from JU IT: Requirement 3.1, access control reviews, is complicated as each department supervisor is responsible for setting access permissions. The IT Department will need to engage department supervisors for review and approval. Due to the transition in the I.T. Director position, the expectation to be live should be adjusted to March 31, 2025.

Requirement 3.2 – Data Identification: 16 CFR 314.4(c)(2)

Informal identification has been completed by the IT Department through generalized asset inventory procedures. DeapSeas, our selected cybersecurity vendor, has been contracted to conduct a more formal data identification procedure in early 2025. This will identify critical items and analyze risks and responsibilities associated with each party. This procedure will take place through scanning the corporate network and interviewing departments on their data storage procedures.

Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Resolution to this matter is expected to be addressed and incorporated into the policy by December 31, 2024.”

Note from JU IT: For requirement 3.2, data inventory, we’re already under contract with DeapSeas to do this. It will be completed by March 31, 2025.

Requirement 3.3 – Encryption: 16 CFR 314.4(c)(3)

Johnson University has had encryption in transit for several years but has not had encryption at rest. Johnson University purchased licenses to enable encryption at rest in October 2023 and finished a project to encrypt most virtual machines containing sensitive data using AES-256 and XTS-AES-256 encryption on April 29, 2024. The remaining virtual machines are planned to be encrypted before the end of 2024.

Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement.”

Requirement 3.4 – Secure Development: 16 CFR 314.4(c)(4)

Johnson University does not develop in-house applications for transmitting, accessing, or storing customer information. A combination of the risk assessment, vendor analysis, and penetration testing will assess the security of externally developed applications. The risk assessment has already been completed, but further vendor analysis and penetration testing are planned to be completed by the end of June 2025.

Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University does not develop in-house applications for transmitting, accessing, or storing customer information.”

Requirement 3.5 – Multi-factor Authentication: 16 CFR 314.4(c)(5)

Johnson University has enabled multi-factor authentication on all connections to the server where our student information system (Jenzabar One) is accessed. Multi-factor authentication is also enabled for all logins to Office 365 and integrated applications, such as Zoom videoconferencing, our student/employee portal, Jenzabar Financial Aid (financial aid management system), and Jenzabar Recruitment (admissions software). Multi-factor authentication is also enabled on connections to our administrative systems, such as our network firewall, hypervisor, door access control, and security camera management systems. With multi-factor authentication requirements for all these systems, we believe that multi-factor authentication is enabled on all critical systems to protect student information. Evaluation of low-risk systems, such as our classroom audiovisual systems, for feasibility of multi-factor authentication is ongoing and is expected to be completed by the end of 2024.

Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. However, the University utilizes multi-factor authentication on all connections to the server where student information system is accessed, as well as administrative and financial applications.”

Requirement 3.6 – Data Retention: 16 CFR 314.4(c)(6)

Organizational data retention policies, developed by the Finance Department, are currently in effect. These policies were originally written for other means but have some overlap with GLBA regulations. Evaluation of these policies for effectiveness is ongoing and expected to be completed by the end of 2024. Future evaluations for the effectiveness of data retention policies will take place every other year in a joint venture with the Finance and IT Departments.

Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Evaluation of organizational data retention policies for effectiveness is ongoing and expected to be completed by December 31, 2024.”

Note from JU IT: Requirement 3.6, data retention policies, will require collaboration between Finance and IT. Finance’s existing policies on data retention need to be enhanced. This just takes time and decisions from the CFO (how long to retain and when to delete – IT will be enforcing the policy technically). Evaluation will be completed by June 30, 2025.

Requirement 3.7 – Change Management: 16 CFR 314.4(c)(7)

Change management procedures have been discussed and official policies are being developed. Evaluation of security risk and risk of downtime or other degradation of service are being considered in change management procedures. Official policies should be in place in 2025.

Note from 2024 audit report: “This attribute was not addressed in the existing policy; the newly implemented policy does address this requirement. Official policies should be in place by December 31, 2024.”

Note from JU IT: A change management plan will be completed by March 31, 2025.

Requirement 3.8 – User Logging: 16 CFR 314.4(c)(8)

User logging is in place for all log-ins to Office 365, its services, and integrated applications. Microsoft Entra sign-in risk and user-risk policies are in place to enforce stronger security measures during sign-in, force password resets, or deny sign-ins altogether based on risk analysis. Sign-ins to on-premises resources are logged through new software, Log360, implemented in March 2024. Log360 analyzes log-ins and sends notifications to IT Department technicians via email for suspicious activity. IT will then process these reports to take appropriate action to resolve the threat unless there is sufficient evidence of a false positive.

Note from 2024 audit report: “Both the existing policy and the newly implemented policy are silent on this requirement. Office 365 user logging has been in place; sign-ins to on-premises resources was implemented in March 2024. IT has processes in place for addressing suspicious activity.”

Requirement 4 – Security Assessment: 16 CFR 314.4(d)(1)

DeapSeas, a cybersecurity vendor, has been chosen to conduct security assessments. A security assessment is planned for early 2025. Ongoing, internal security assessments are planned on an annual basis to be conducted by the IT Department. These assessments will assist in evaluating the effectiveness of existing controls and the ongoing development of the security program. Software has also been purchased and implemented for continuous monitoring of vulnerabilities within organizational software. The software, Vulnerability Manager, provides notice of known vulnerabilities and available patches for software installed on devices within our organization. These notifications are distributed through the software and through email. Automated and semi-automated patches are available through the software to be deployed to organizational devices over the internet. Patching known vulnerabilities within our software portfolio is a priority for us. This system should reduce overall risk, and patch effectiveness will be verified with penetration testing. Our first annual penetration test is planned for early 2025.

Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.”

Requirement 5 – Security Training: 16 CFR 314.4(e)

Security training has been made mandatory for all employees beginning in Fall 2024. Security training is done through our online video training platform, KnowBe4. This system allows for video, quizzes, and other learning material to be presented to the employees. KnowBe4 develops this content and ensures accuracy and appropriateness. Johnson University IT Department selects available materials and assigns them to employees. Security training was last updated after the initial risk assessment and will be reviewed every 6 months.

Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.”

Requirement 6 – Service Providers: 16 CFR 314.4(f)

Collection of SOC2 security reports from vendors that have access to systems with student information is in progress. The collection and analysis of these reports is expected to be completed by the end of 2024. Review of these reports is planned to be conducted annually, with requests for updated security reports every 3 years.

Note from 2024 audit report: “This attribute was addressed in the existing policy but was not considered to be sufficient; the newly implemented policy does sufficiently address this requirement.”

Requirement 7 – Security Control Monitoring: 16 CFR 314.4(g)

Security controls are being monitored using Log360 wherever possible. Continuous evaluation of these controls is underway and adjustments will be made to security controls as needed. New change management policies and penetration testing will influence the way we evaluate these controls and will likely include changes to monitoring systems and evaluation methods.

Note from 2024 audit report: “Both the existing policy and the newly implemented sufficiently address this attribute.”

Anticipated Completion Date: Fall 2026
Name and Title of Responsible Person: Luke Edwards, Director of IT.

Categories

  • Subrecipient Monitoring
  • Procurement, Suspension & Debarment
  • Student Financial Aid
  • Significant Deficiency

Other Findings in this Audit

  • 517765 2024-002
    Significant Deficiency
  • 517767 2024-002
    Significant Deficiency
  • 517768 2024-003
    Significant Deficiency
  • 517769 2024-004
    Significant Deficiency Repeat
  • 517770 2024-004
    Significant Deficiency Repeat
  • 1094207 2024-002
    Significant Deficiency
  • 1094208 2024-001
    Significant Deficiency Repeat
  • 1094209 2024-002
    Significant Deficiency
  • 1094210 2024-003
    Significant Deficiency
  • 1094211 2024-004
    Significant Deficiency Repeat
  • 1094212 2024-004
    Significant Deficiency Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $4.87M
84.063 Federal Pell Grant Program $1.76M
84.033 Federal Work-Study Program $168,019
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $154,181
84.007 Federal Supplemental Educational Opportunity Grants $73,540