Finding Text
Finding 2023-001
Federal Program: U.S. Department of Education - Student Financial Aid Cluster:
Federal Pell Grant, 84.063
Federal Supplemental Education Opportunity Grant, 84.007
Federal Work Study Program, 84.033
Federal Perkins Loan Program, 84.038
Federal Direct Loan Program, 84.268
Nursing Student Loan Program, 93.364
Scholarships for Disadvantaged Students, 93.925
Criteria:
The University is required to comply with the Gramm-Leach-Bliley Act (GLBA), 16 CFR 314.4(b).
Condition:
During our audit procedures, we noted that a GLBA compliance risk assessment was not performed
within the last fiscal year. Various vulnerability assessments have been conducted since 2020;
however, updated GLBA compliance guidance has more specific requirements for what must be
performed as part of an IT risk assessment in order to identify reasonable, foreseeable internal and
external risks to the security, confidentiality, and integrity of student information. The assessment
must address the following areas:
a. Information systems, including network and software design, as well as information
processing, storage, transmission and disposal.
b. Detecting, preventing and responding to attacks, intrusions, or other systems failures.
c. Documented safeguards for each identified risk.
d. Appropriate mitigated risk levels for each identified risk.
Updated GLBA guidance requires that a Qualified Individual who oversees the Information Security
Program make a written report to the Board of Trustees on the status of the Information Security
Program at least annually. Lastly, in reviewing the University's Information Security Program and IT
policies, we noted that four attributes were not appropriately documented for GLBA compliance:
a. Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
b. Encrypt customer information on the University's system and when it is in transit.
c. Assess apps developed by the University.
d. Implement multi-factor authentication for anyone accessing customer information on the
University's system.
Cause:
The University did not have controls in place to ensure all GLBA requirements were met.
Effect:
The University is not in compliance with GLBA requirements.
Recommendation:
We recommend the following to ensure compliance with GLBA requirements:
a. The University conduct an annual IT risk assessment that includes all components required
by GLBA and periodically update the Information Security Program in response to identified
risks.
b. Ensure the status of the University's Information Security Program is reported, in writing, to
the Board of Trustees at least annually and that the Qualified Individual signs off on this
report.
c. Update the policy library to ensure that the policies are appropriately documented to reduce
the risk of GLBA noncompliance.
Views of responsible officials and planned corrective actions:
The University agrees that GLBA requirements are to be implemented and has taken steps to change
the process. See corrective action plan.