FAC Explorer

Finding 524699 (2024-001)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2024
Accepted
2025-02-27
Audit: 344132
Organization: Utica University (NY)
Auditor: Bonadio & CO LLP

AI Summary

  • Core Issue: The University lacks essential written policies required by the Gramm Leach Bliley Act (GLBA), including change management, staff training, and vendor management policies.
  • Impacted Requirements: Non-compliance with GLBA puts the University at risk regarding the protection of sensitive student information.
  • Recommended Follow-Up: Develop and implement a comprehensive information security program and formal policies for staff training and vendor management to ensure GLBA compliance.

Finding Text

Finding 2024-001 U.S. Department of Education Student Financial Assistance Cluster Gramm Leach Bliley Act (GLBA) Criteria - Institutions participating in the Student Financial Assistance (SFA) program are required to comply with GLBA. GLBA requires institutions to implement certain written policies. Condition - The University does not have the following required written policies that are required under GLBA: • The written information security program does not include a change management policy. • A written information security staff training policy is not in place. • A written vendor management policy is not in place. Cause - The University has not established formal policies to ensure compliance with the GLBA requirements. Resource constraints and competing priorities were contributing factors. Effect - The University is not fully compliant with GLBA requirements. Recommendation - We recommend that the University develop and implement a comprehensive written information security program that addresses all minimum elements required by GLBA. Additionally, we recommend that the University establish a formal written policy for staff training on data security and privacy and develop and implement a vendor management policy to ensure third-party service providers safeguard customer information appropriately. Views of Responsible Officials – The University acknowledges the recommendation and is committed to implementing a comprehensive written information security program that fully addresses all GLBA requirements. The University has drafted a formal data security and privacy training policy for staff. The University currently requires faculty and staff to complete annual security and privacy trainings as directed through the employee handbook. The University has drafted a vendor management policy to ensure third-party service providers maintain appropriate safeguards for customer information. A dedicated security team will oversee the development and implementation of these measures, ensuring compliance with GLBA regulations and the protection of sensitive student data.

Corrective Action Plan

The University has drafted a comprehensive written information security program to address the minimum requirements for compliance with GLBA, including the following: -The University has drafted a formal data security and privacy training policy for faculty and staff to be incorporated within the comprehensive written information security program. This is in addition to the mandatory annual security and privacy training for all faculty and staff, as directed through the employee handbook. -The University has drafted a vendor management policy to ensure thirdparty providers maintain appropriate safeguards for customer information. - The University has also drafted a change and patch management policy. A dedicated team from the Integrated Information Technology Services department will oversee the development and implementation of the above policies to ensure compliance with GLBA and the protection of sensitive student data. The University has completed a draft of a comprehensive written information security program to address the minimum requirements noted above. TheUniversity plans to have the comprehensive written information plan reviewed and finalized by February 28, 2025.

Categories

No categories assigned yet.

Other Findings in this Audit

  • 524700 2024-001
    Significant Deficiency
  • 524701 2024-001
    Significant Deficiency
  • 524702 2024-001
    Significant Deficiency
  • 1101141 2024-001
    Significant Deficiency
  • 1101142 2024-001
    Significant Deficiency
  • 1101143 2024-001
    Significant Deficiency
  • 1101144 2024-001
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $33.75M
84.063 Federal Pell Grant Program $5.00M
84.033 Federal Work-Study Program $425,392
47.076 Stem Education (formerly Education and Human Resources) $316,635
84.042 Trio Student Support Services $271,316
84.007 Federal Supplemental Educational Opportunity Grants $197,542
11.620 Science, Technology, Business And/or Education Outreach $102,911
16.525 Grants to Reduce Domestic Violence, Dating Violence, Sexual Assault, and Stalking on Campus $48,784
47.050 Geosciences $42,881
10.559 Summer Food Service Program for Children $11,908