Finding Text
2023-001 Material Weakness: Gramm-Leach-Bliley Act (GLBA) (U.S. Department of Education, William
D. Ford Direct Loan Program, ALN #84.268)
Criteria: In accordance with 16 CFR 314.4, a University shall develop, implement, and maintain a
comprehensive information security program that is written in one or more readily accessible parts
and contains administrative, technical, and physical safeguards that are appropriate to your size and
complexity, the nature and scope of your activities, and the sensitivity of any customer information
at issue and must contain all of the elements that are further described in 16 CFR 314.4.
Statement of Condition: During the 2023 audit, it was noted that the University’s Gramm-Leach-Bliley
Act Policy did not fully address all of the requirements as described by 16 CFR 314.4. In addition, the
application of the comprehensive information security program was not effectively administered by
the University for the 2023 year.
Questioned Costs: Such information is not applicable for this finding since it is nonmonetary in nature.
Perspective Information: The 2023 audit included testing of the University’s Gramm-Leach-Bliley Act
Policy as outlined in Part 5 of the Compliance Supplement including the application of this program
for the year.
Cause and Effect: Due to oversight by the director of the program, the GLBA policy was not reviewed
and updated for changes to the program as required by the Compliance Supplement.
Recommendation: The University should update its Gramm-Leach-Bliley Act Policy to be in
accordance with the requirements and put in place effective controls and practices to monitor the
policy so that it is administered effectively.
View of Responsible Officials: Due to turnover within the IT Department, GLBA requirements were
not communicated well to incoming staff or to the organization. Once GLBA requirements were
discovered, a plan was developed to begin implementing GLBA controls and revise our security plan.
The plan to bring the organization into GLBA compliance was developed for the 2023-2024 school
year and was not in effect before this audit. The IT Department, and key stakeholders within the
organization, are working to ensure GLBA compliance within the next year.