Finding Text
2023-002 – Gramm-Leach-Bliley Act – Student Information Security – Significant Deficiency in
Internal Controls over Compliance
Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379, 84.038
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal
Supplemental Educational Opportunity Grants, Federal Work-Study Program, Teacher Education
Assistance for College and Higher Education Grants
Federal Award Number: P063P220416, P268K230416, P007A224401, P033A224401, P379T230416
Award Year: 2022-23
Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and
maintain a comprehensive information security program that is written in one or more readily accessible
parts and contains administrative, technical, and physical safeguards that are appropriate to the size and
complexity, the nature and scope of their activities, and the sensitivity of any customer information at
issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be
reasonably designed to achieve the objectives of 16 CFR 314.3(b). These requirements were effective as
of June 9, 2023.
Condition/context: Based on our review of the information provided by the University, the University is
currently in the process of reviewing and finalizing its information security program. The written draft
provided did not appear to have been updated in several years and did not clearly address all of the
required elements in 16 CFR 314.4.
Questioned costs: None.
Cause/Effect: The Integrated Technology Services, the department primarily charged with oversight of
Saint Martin’s information security program, has experienced turnover in recent years including the
unexpected death of a staff member in spring 2023. The staff shortages have contributed to the delay in
implementation of this standard. The absence of a well-designed and documented policy addressing the
standards set forth under the act could put the security, confidentiality, and integrity of student information
at risk.
Repeat finding: No
Recommendation: We recommend the University review the compliance requirements and update their
written policy to ensure that it addresses all the required elements.
Views of responsible officials and planned corrective actions: Saint Martin’s University will review
the requirements of 16 CFR 314.4, update our written policy to ensure that it addresses all the required
elements of 16 CFR 314.3(b), and perform an annual review of our updated policy to ensure that it
continues to comply with all relevant regulations. The University is currently in the process of formally
adopting a cybersecurity framework as well as securing a vendor to perform an IT security assessment.
This ongoing work in the interest of the security, confidentiality, and integrity of student information will
position us well to make the recommended updates to our policy.