Finding Text
Criteria: 16 CFR Part 314 requires the University to implement information safeguard standards prescribed
by the Gramm-Leach-Bliley Act (GLBA). GLBA requires institutions and servicers to develop, implement,
and maintain a written, comprehensive information security program which contains administrative,
technical, and physical safeguards that are appropriate to the size and complexity of the institution or
servicer, the nature and scope of their activities, and the sensitivity of any student information.
An institution’s written information security program must include the following elements:
• Element 1: Designates a Qualified Individual responsible for overseeing and implementing the
institution’s or servicer’s information security program and enforcing the information security program
(16 C.F.R. 314.4(a)).
• Element 2: Provides for the information security program to be based on a risk assessment
that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and
integrity of customer information (as the term customer information applies to the institution or
servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or
other compromise of such information, and assesses the sufficiency of any safeguards in place to
control these risks (16 C.F.R. 314.4(b)).
• Element 3: Provides for the design and implementation of safeguards to control the risks the institution
or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written
information security program must address the implementation of the minimum safeguards identified
in 16 C.F.R. 314.4(c)(1) through (8).
• Element 4: Provides for the institution or servicer to regularly test or otherwise monitor the
effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)).
• Element 5: Provides for the implementation of policies and procedures to ensure that personnel are
able to enact the information security program (16 C.F.R. 314.4(e)).
• Element 6: Addresses how the institution or servicer will oversee its information system service
providers (16 C.F.R. 314.4(f)).
• Element 7: Provides for the evaluation and adjustment of its information security program in light of
the results of the required testing and monitoring; any material changes to its operations or business
arrangements; the results of the required risk assessments; or any other circumstances that it knows or
has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)).
• Element 8: For an institution or servicer maintaining student information on 5,000 or more consumers,
addresses the establishment of an incident response plan (16 C.F.R. 314.4(h)).
• Element 9: For an institution or servicer maintaining student information on 5,000 or more consumers,
addresses the requirement for its Qualified Individual to report regularly and at least annually to those
with control over the institution on the institution’s information security program (16 C.F.R. 314.4(i)).
Context: We conducted inquiries with the University’s Information Security Officer to determine whether
the University had a written information security program that addressed the elements required by GLBA.
Although the University has a designated security officer (i.e., the Qualified Individual), management
confirmed that the University did not have a written comprehensive program in place as prescribed by the
GLBA.
Cause: Management indicated there was a lack of awareness regarding the requirement to establish an
information security program that addressed the required elements.
Effect: The University was not in compliance with the GLBA requirement, which could result in
administrative action by the Department of Education and may impact the University’s participation in Title
IV programs.
Questioned Costs: None
Identification of repeat finding: N/A.
Recommendations: We recommend the University develop and implement an Information Security
Program that includes the required elements prescribed by GLBA. The University should develop and retain
documentation supporting the completion and implementation of each of the required elements. Once
completed, the University should conduct periodic internal assessments of the Information Security
Program’s compliance or consider engaging a third-party consultant to conduct such a review.
Views of responsible officials: The Information Security Officer has developed a comprehensive project
plan to implement the core 9 elements as listed under FTC Safeguards. The plan is backed by HPU’s 3rd
party risk assessment conducted in November of 2024. The addition of a new hire and a part-time resource
has facilitated significant progress. Budget for necessary tools, software, and services such as penetration
testing is being actively quoted for review by the Budget Office and CFO for both current and future fiscal
years. Checkpoints have been established every two weeks to review and confirm substantial progress
towards meeting all requirements and to address any barriers or setbacks that may occur. The Vice President
of Operations and CIO will review the progress and support efforts to meet the requirements and targeted
delivery date. The HPU Cybersecurity Committee will be provided with the 2024 Risk Assessment and the
Information Security Program documentation and policies for both initial and ongoing review of the
programs with the objective to further strengthen the program beyond the minimum requirements.