FAC Explorer

Finding 544141 (2024-006)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2024
Accepted
2025-03-31
Audit: 350924
Organization: Washington Adventist University (MD)
Auditor: Cliftonlarsonallen LLP

AI Summary

  • Core Issue: The College's information security program does not meet key requirements of the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Missing approval from an appropriate individual, inadequate safeguards for customer information, and lack of regular testing or monitoring of security measures.
  • Recommended Follow-Up: Update the information security program to include all required elements as specified in 16 CFR 314.4.

Finding Text

Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include eight elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Additionally, institutions must conduct penetration testing and vulnerability assessments to ensure the effectiveness of their safeguards. Condition: Certain elements of the College’s information security program were not meeting GLBA requirements. Questioned costs: None Context: The College’s written information security program did not cover the following requirements: 1. The requirement to have the written information security program be approved by an appropriate individual. 2. The requirement to provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). a. The element missing is the requirement to encrypt customer information on the institution’s system and when it’s in transit. 3. The requirement to provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d) Cause: The College has not fully implemented its written information security program to meet all GLBA requirements. Effect: The College's written information security program is non-compliant with GLBA requirements, potentially exposing customer information to risks due to inadequate approval, missing safeguards, and lack of regular testing or monitoring. Repeat Finding: No Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4. Views of responsible officials: There is no disagreement with the audit finding.

Corrective Action Plan

Action taken in response to finding: To address the identified deficiencies in WAU’s written information security program and ensure compliance with 16 CFR § 314.4, the following actions have been taken: 1. Approval of the Information Security Program: o Action: We have updated the written information security program as formally approved by the appropriate individual within the institution, Rosalee Pedapudi, ITS Director. This step designates a qualified individual responsible for overseeing and implementing the information security program as a requirement under 16 CFR § 314.4(a). 2. Design and Implementation of Safeguards: o Action: According to 16 CFR § 314.4(c), institutions must implement safeguards to control identified risks, including encryption of customer information in transit and at rest. We have documented specific safeguards to control the risks identified through the institution's risk assessment, including a policy mandating the encryption of customer information both on the institution's systems and during transmission. As such, the university encrypts Non-Public Financial information both at rest and in transit using industry-standard encryption protocols (e.g. VPN). Where encryption is not feasible, compensating controls are implemented to protect sensitive data. The university also requires Multifactor Authentication (MFA) for systems that process, store, or transmit protected financial information. Access is governed by the principle of least privilege, with privileged access granted by authorized university officers, ensuring that only approved personnel can access sensitive data. 3. Regular Testing and Monitoring of Safeguards: o Action: According to 16 CFR § 314.4(d), WAU is required to regularly test and monitor the effectiveness of their safeguards to ensure the security of customer information. We have established procedures for annual penetration testing through Applied Technology Services and monitoring of the effectiveness of the implemented safeguards. Name(s) of the contact person(s) responsible for corrective action: Rosalee Pedapudi Planned completion date for corrective action plan: July 15, 2025.

Categories

Subrecipient Monitoring Student Financial Aid

Other Findings in this Audit

  • 544138 2024-002
    Material Weakness
  • 544139 2024-003
    Significant Deficiency
  • 544140 2024-005
    Significant Deficiency Repeat
  • 544142 2024-002
    Material Weakness
  • 544143 2024-003
    Significant Deficiency
  • 544144 2024-005
    Significant Deficiency Repeat
  • 544145 2024-006
    Significant Deficiency
  • 544146 2024-002
    Material Weakness
  • 544147 2024-003
    Significant Deficiency
  • 544148 2024-005
    Significant Deficiency Repeat
  • 544149 2024-006
    Significant Deficiency
  • 544150 2024-002
    Material Weakness
  • 544151 2024-003
    Significant Deficiency
  • 544152 2024-005
    Significant Deficiency Repeat
  • 544153 2024-006
    Significant Deficiency
  • 544154 2024-002
    Material Weakness
  • 544155 2024-004
    Significant Deficiency
  • 544156 2024-006
    Significant Deficiency
  • 544157 2024-002
    Material Weakness
  • 544158 2024-006
    Significant Deficiency
  • 544159 2024-007
    Significant Deficiency
  • 544160 2024-007
    Significant Deficiency
  • 1120580 2024-002
    Material Weakness
  • 1120581 2024-003
    Significant Deficiency
  • 1120582 2024-005
    Significant Deficiency Repeat
  • 1120583 2024-006
    Significant Deficiency
  • 1120584 2024-002
    Material Weakness
  • 1120585 2024-003
    Significant Deficiency
  • 1120586 2024-005
    Significant Deficiency Repeat
  • 1120587 2024-006
    Significant Deficiency
  • 1120588 2024-002
    Material Weakness
  • 1120589 2024-003
    Significant Deficiency
  • 1120590 2024-005
    Significant Deficiency Repeat
  • 1120591 2024-006
    Significant Deficiency
  • 1120592 2024-002
    Material Weakness
  • 1120593 2024-003
    Significant Deficiency
  • 1120594 2024-005
    Significant Deficiency Repeat
  • 1120595 2024-006
    Significant Deficiency
  • 1120596 2024-002
    Material Weakness
  • 1120597 2024-004
    Significant Deficiency
  • 1120598 2024-006
    Significant Deficiency
  • 1120599 2024-002
    Material Weakness
  • 1120600 2024-006
    Significant Deficiency
  • 1120601 2024-007
    Significant Deficiency
  • 1120602 2024-007
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $3.42M
84.063 Federal Pell Grant Program $1.25M
84.038 Federal Perkins Loan Program_federal Capital Contributions $632,870
84.007 Federal Supplemental Educational Opportunity Grants $89,142
93.364 Nursing Student Loans $50,104
84.033 Federal Work-Study Program $49,443
64.028 Post-9/11 Veterans Educational Assistance $36,927