Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans)
Federal Award Identification Number and Year: N/A; 2023-2024
Award Period: August 1, 2023 – July 31, 2024
Pass-Through Agency: N/A
Pass-Through Numbers: N/A
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our testing of the University’s information technology, we noted the following items in the University’s written security program did not meet the following compliance requirements:
• Identify the approval of the appropriate individual leading the information security program
• The use of encryption controls in transit on the University's systems
• The standards for evaluating, assessing or testing the security of externally developed applications that transmit sensitive information
• The use of multi-factor authentication for individuals accessing sensitive information across systems
• The processes to perform an annual penetration test and semi-annual vulnerability assessments
Cause: The University has continued to make progress in updating the University’s written security program to become compliance with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process.
Effect: The student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the University designate an individual to oversee the information security function and work to update the University’s written security program to ensure compliance with all the standards.
Views of responsible officials: There is no disagreement with the audit finding.