Finding Text
U.S. Department of Education
Student Financial Assistance Programs Cluster
Gramm-Leach-Bliley Act – Student Information Security (84.007, 84.268, 84.038,
84.063, 84.378)
Federal Award Year: 2023-2024
Finding: The University created and implemented a comprehensive information security
policy, but did not do so in a timely manner.
Criteria: 2 CFR 200.303(a) requires that the non-Federal entity must establish and maintain
effective internal control over the Federal award that provides reasonable assurance that the
non-Federal entity is managing the Federal award in compliance with Federal statutes,
regulations, and the terms and conditions of the federal award. These internal controls
should be in compliance with guidance in Standards for Internal Control in the Federal
Government issued by the Comptroller General of the United States or the Internal Control
Integrated Framework, issued by the Committee of Sponsoring Organizations of the
Treadway Commission.
The Program Participation Agreement (PPA) with the U.S. Department of Education requires
the institution to comply with the Standards for Safeguarding Customer Information as
described in 16 CFR Part 314 which includes the development of a comprehensive written
security program that includes the following parts:
16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for
overseeing and implementing the institution’s information security program and
enforcing the information security program.
16 CFR 314.4(b) requires institutions to provide for the information security program to
be based on a risk assessment that identifies reasonably foreseeable internal and
external risks to the security, confidentiality and integrity of customer information (as
the term customer information applies to the institution) that could result in the
unauthorized disclosure, misuse, alteration, destruction or other compromise of such
information, and assesses the sufficiency of any safeguards in place to control these
risks.
16 CFR 314.4(c) requires institutions to provide for the design and implementation of
safeguards to control the risks the institution identifies through its risk assessment.
16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the
effectiveness of the safeguards they have implemented.
16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that
personnel are able to enact the information security program.
16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its
information system service providers.
Condition: The institution’s written information security program was not completed in a
timely manner and did not include the following elements required by regulation as agreed
to in the PPA:
The written information security program does not designate an individual responsible
for overseeing and implementing the institution’s information security program or
enforcing the information security program.
The institution has performed a risk assessment utilizing internal resources but has not
based the information security program on the results of this assessment, nor has the
institution included all required elements of internal and external risks to the security,
confidentiality or integrity of customer information. The institution’s risk assessment is
missing an inventory of IT systems that process and store customer information and an
assessment of compliance with information security elements related to multifactor
authentication, access control, change management, logging and alerting, and encryption.
The institution has not identified, designed or implemented safeguards for all of the
risks identified in the risk assessment. The safeguards do not include the identification
of security events or detection and response capabilities to support incident response.
The institution has not been able to test safeguards because safeguards have not been
designed or implemented in response to the risk assessment.
The institution has not developed written policies and procedures to ensure that
personnel are able to enact the information security program. There is a lack of
evidence of leadership being required to report to the board or an appropriate
supervisory council to ensure those charged with governance are informed on the
current state of the information security program.
The institution has not developed policies and procedures to oversee information
service providers.
Cause: The institution did not create and implement a comprehensive information security
policy in a timely manner.
Effect: The institution did not create and implement a comprehensive information security
policy in a timely manner. The absence of internal controls and policies and procedures
could result in the unauthorized disclosure, misuse, alteration, destruction or other
compromise of student account information.
Questioned costs: None.
Context: Under an institution’s PPA with the U.S. Department of Education, schools must
protect student financial aid information, with particular attention to information provided to
institutions by the U.S. Department of Education or otherwise obtained in support of the
administration of federal student financial aid programs.
Repeat finding: This is not a repeat finding.
Recommendation: We recommend that the University complete these requirements in a
timely manner in the future.
Views of responsible officials: Management agrees with this finding. See corrective action
plan.