2024-003. FINDING (Noncompliance with Gramm-Leach-Bliley Act)
Federal Department: U.S. Department of Education, U.S. Department of Health and Human Services
Assistance Listing Number: 84.268, 84.063, 84.038, 84.033, 84.007, 84.379, 93.925, 93.264
Cluster Name: Student Financial Assistance Cluster
Program Name: Federal Direct Student Loans, Federal Pell Grant Program, Federal Perkins Loan Program, Federal Work-Study Program, Federal Supplemental Educational Opportunity Grants, Teacher Education Assistance for College and Higher Education Grants, Scholarships for Health Professions Students from Disadvantaged Backgrounds, and Nurse Faculty Loan Program
Award Numbers: P268K240567, P268K230567, P063P230567, P063P220567, P033A231156, P033A221156, P007A231156, P007A221156, P379T240567, 5 T08HP39308-04-00, and E01HP27019
Questioned Cost: None
Program Expenditures: $21,113,430; $7,760,752; $1,938,618; $512,881; $227,850; $31,236; $576,000; $621,137
Cluster Expenditures: $32,781,904
Governors State University (University) did not establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
CONDITION
During our audit, we noted the University had not completed the development of its written incident response plan as of the end of the audit period.
CRITERIA
On December 9, 2021, the Federal Trade Commission issued final regulations to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers.
The Code of Federal Regulations (16 CFR 314.4(h)) requires the University to develop, implement, and maintain an information security program that includes a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in its control.
At a minimum, such incident response plan shall address the following areas:
• the goals of the incident response plan;
• the internal processes for responding to a security event;
• the definition of clear roles, responsibilities, and levels of decision-making authority;
• external and internal communications and information sharing;
• identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
• documentation and reporting regarding security events and related incident response activities; and
• the evaluation and revision as necessary of the incident response plan following a security event.
Additionally, the Uniform Guidance (2 CFR 200.303(a)) requires nonfederal entities receiving federal awards to establish and maintain effective internal control designed to reasonably ensure compliance with federal laws, statutes, regulations, and the terms and conditions of the federal award.
CAUSE
University officials stated the University has been actively engaged in the development of a written incident response plan; however, the plan was not completed by the end of Fiscal Year 2024 due to the extensive range of tasks required for its completion.
EFFECT
The intent of the GLBA Safeguards Rule is to enhance security over confidential information. Without a documented response to all applicable requirements, the University is more susceptible to vulnerabilities in protecting the privacy and personal information of students than it will be after full implementation. (Finding Code No. 2024-003, 2023-003)
RECOMMENDATION
We recommend the University continue towards completion and full implementation of the written incident response plan.
UNIVERSITY RESPONSE
The University agrees with this finding and accepts the recommendation. The University has recently completed the development of the written incident response plan during Fiscal Year 2025.