Finding 909 (2023-002)

Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2023-10-30
Audit: 1692
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The University is not fully compliant with the updated GLBA requirements, specifically lacking multi-factor authentication for a system containing non-financial PII.
  • Impacted Requirements: Compliance with 16 CFR 314.4, including the need for enhanced security measures and comprehensive reporting to the board.
  • Recommended Follow-up: Implement the remaining components of the revised GLBA regulations to mitigate security risks and ensure full compliance.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance
Other Matter
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038 and 84.379; Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The University has gaps in two areas with the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $0

Context: The University has not implemented multi-factor authentication on one system containing non-financial personally identifiable information (PII). Additionally, the written annual report to the board does not include all the required areas based on the updated regulations.

Cause: The University has made significant progress on GLBA and has a couple of components to be in full compliance with the updated requirements of GLBA. University personnel were unaware of the system’s ability to support MFA.

Effect: The University may have unintended exposure of non-financial student information to security risks.

Identification as repeat finding, if applicable: n/a

Recommendation: We recommend the University implement the remaining components of the revised regulations.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action: The Registrar’s Office employee account used for access to the National Student Clearinghouse (NSC) website has been configured for multi-factor authentication (MFA). The board report documentation has been modified to include the required sections and will be presented as a written supplement at the fall meeting, October 6, 2023.

Person Responsible for Corrective Action Plan: Paul Nast, CIO

Anticipated Date of Completion: Implemented September 26, 2023

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $9.17M
84.063 | Federal Pell Grant Program | $2.06M
84.038 | Federal Perkins Loan Program | $496,194
84.042 | TRIO Student Support Services | $272,066
84.425 | COVID-19 Education Stabilization Fund: American Rescue Plan, Elementary and Secondary School Emergency Relief | $271,191
84.033 | Federal Work-Study Program | $149,454
84.425 | COVID-19 Education Stabilization Fund: Governor's Emergency Education Relief Fund | $143,136
84.007 | Federal Supplemental Educational Opportunity Grants | $107,622
97.008 | Non-Profit Security Program | $18,149
84.379 | Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) | $18,104
93.859 | Biomedical Research and Research Training | $17,309
43.008 | National Aeronautics and Space Administration Education | $806