Finding Text
Federal Program – Student Financial Assistance Cluster – Assistance Listing Numbers 84.063, 84.007, 84.033, and 84.268 – U.S. Department of Education Program Year 2023-2024
Criteria or Specific Requirement – Gramm-Leach-Bliley Act (GLBA) – Student Information Security – 16 CFR §314
Condition – The University’s written information security program did not adequately include three of the six required minimum elements.
Questioned Costs – N/A
Context – Out of the six elements that are required to be included in the written information security program, all six were tested. Of these elements, three were not adequately included in the written program.
Effect – The University failed to include the minimum elements in its written information security program to meet GLBA requirements, as agreed to within its Program Participation Agreement with the Department of Education (ED). This could potentially result in the failure to secure student financial aid information.
Cause – The University did not have appropriate controls in place to ensure compliance with relevant requirements.
Identification as a Repeat Finding, if Applicable – N/A
Recommendation – The University should ensure the design and appropriate operating effectiveness of controls surrounding GLBA compliance to ensure that all required elements are included in the information security program.
Views of Responsible Officials and Planned Corrective Actions – Management agrees with the finding. Policies are being reviewed and approved to add the documentation and testing that was not covered in previous policies.