Finding Text
Finding 2022-01 - Gramm-Leach-Bliley Act (GLBA)

ALN: 84.268 Federal Direct Loan Program; 84.063 Federal Pell Grant Program; 84.033 Federal Work Study Program; 84.007 Federal Supplemental Education Opportunity Grant; 84.038 Federal Perkins Loan Program
Award Year: July 1, 2021 - June 30, 2022
Federal Agency: U.S. Department of Education
Pass Through Entity: Not applicable

Criteria: In accordance with Title IV regulations (16 CFR 314.4(b)), an institution must protect student financial aid information by designating an individual to coordinate the information security program, performing a risk assessment that addresses (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures; and documenting safeguards for the identified risks.

Condition: The University has not performed a risk assessment addressing (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures, as required by the Gramm-Leach-Bliley Act (GLBA). In addition, the University has not documented safeguards for identified risks.

Cause: The University did not have an updated security assessment completed during the year to address the procedures and processes in place specific to GLBA and therefore did not document the required risk assessment or risk mitigation.

Effect: With no updated policies and procedures surrounding student information security, the University may be susceptible to threats to consumer nonpublic personal information. Failure to comply with GLBA standards may bring penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.

Questioned Costs: None.

Recommendation: The University should perform and document an annual risk assessment to determine the University's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the University should have at least one risk statement aligned or referenced to each of the three required areas noted in the GLBA rule at 16 CFR 314.4(b). Finally, the University should identify and document at least one safeguard (i.e., control) for each of the risks identified and documented in the risk assessment. Each control should be aligned or referenced to the risk(s) to which the safeguard applies.

Management Response: While a specific GLBA audit has not been performed, the University does have a well-developed document titled "Institutional Policies for Safety, Security and Technology" which was released in September 2020. There are policies and procedures within it that indirectly address the requirements of GLBA. The Chief Information Officer (CIO) position was transitioned in 2022, and the new CIO noted that the University had not engaged with any new vendor to produce a Security Assessment Report during fiscal year 2022. The University has since engaged with the Cybersecurity and Infrastructure Security Agency (CISA) to perform vulnerability scanning and penetration testing reporting, so it now has operational security assessment reports from CISA that serve as the framework for applying patches and identifying equipment that needs attention. The University implemented the security assessments in the Fall of 2022. The University has taken the following steps to address the risks identified during the audit:

1. Employee Training and Management
   a. The University deployed the KnowBe4 Security Awareness Program to all full-time staff. The program provides training for managing user data and email messages. To date the University has distributed two campaigns to combat email phishing attempts.

2. Information systems, including network and software design, as well as information processing, storage, transmission and disposal
   a. The University has formulated a digital transformation strategy to reduce on-premises systems and applications. All the critical business systems are hosted at a colocation facility or are SaaS solutions.
   b. The University performs backups of all on-premises systems using technology that creates immutable storage.
   c. The University leverages the cybersecurity experience of resellers and manufacturers to ensure all core network technology is installed and configured to minimize any attack surface.

3. Detecting, preventing, and responding to attacks, intrusions, or other systems failures, and documenting safeguards for identified risks as required by the Gramm-Leach-Bliley Act (GLBA)
   a. The University has deployed a redundant pair of Fortinet Advanced Firewalls to monitor and block traffic with suspicious payloads.
   b. The University has updated to the latest version of Microsoft Advanced Threat Defender to serve as optimal endpoint protection for managing email traffic.
   c. The University contracted with the Cybersecurity and Infrastructure Security Agency (CISA) to perform vulnerability scans and penetration testing. The IT department evaluates the weekly reports and remediates highlighted deficiencies.
   d. The University has removed all admin rights from school-managed computers, eliminating the ability to install local software.
   e. The University has deployed an updated VPN client to all school-managed computers, providing a secure tunnel for accessing network services.
   f. The University manages the web browsers of all school-managed computers.