Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.063, 84.268, 84.007, 84.033
Federal Award Identification Number: P007A233144, P063P231946, P033A233144, P268K241946
Award Period: July 1, 2023 – June 30, 2024
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters
Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are set out at 16 CFR 314.4.
Condition: Certain elements of the University’s information security program were not maintained in
written form.
Questioned Costs: N/A
Context: As of June 2024, the University’s written information security program did not address the
following requirements:
• Encrypting customer information on the institution’s system and during transit.
• Anticipating and evaluating changes to the information system or network.
• Regularly testing or monitoring the effectiveness of implemented safeguards (16 CFR 314.4(d)).
• Evaluating and adjusting the information security program based on testing and monitoring
results, material changes to operations or business arrangements, risk assessment results, or
any other circumstances that may materially impact the program (16 CFR 314.4(g)).
Cause: The University’s written policy did not explicitly address the required elements, and there was
no process in place to ensure the written information security program aligned with the requirements.
Effect: Without the written plan, information security management may not be optimized, and responses to security events may be delayed.
Repeat Finding: No
Recommendation: We recommend the University ensure its written information security program
addresses the required minimum elements as outlined in 16 CFR 314.4.
Views of responsible officials: There is no disagreement with the audit finding and the University is in
the process of implementing corrective procedures.