Finding FA 2023‑03: Special Tests and Provisions: Gramm Leach Bliley Act ‑ Student Information Security – Formally Establish and Document Risk Acceptance Process, Perform Regular Backup Restoration Tests, Perform Timely Access Revocation and Regular Access Reviews, Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards, Maintain and Review Logs of Users' Activity for both SAP and PS SIS, Implement Data-at-Rest Encryption for Devices Storing Customer Data, Enforce Strict Compliance on Controls over SAP Direct to Production Changes (Repeat Finding)
Federal Program Information
Assistance Listing Number: ALN 84.007, 84.033, 84.038, 84.048, 84.063 and 84.268
Federal Program Name: Student Financial Assistance Cluster
Federal Agency: U.S. Department of Education
Passed Through Entity: N/A
Federal Award Number: Various
Federal Award Year: July 1, 2022, to June 30, 2023
Compliance Requirement: Special Tests and Provisions – Gramm Leach Bliley Act – Student Information Security
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their
information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal
Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance
Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be
significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with
GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid
information, with particular attention to information provided to institutions by ED or otherwise obtained in
support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E)
and HEA 485B(d)(2)).
On December 9, 2021, the FTC issued final regulations for 16 CFR Part 314 to implement the GLBA
information safeguarding standards that institutions must implement. These regulations significantly modified
the requirements that institutions must meet under GLBA. The regulations established minimum standards that
institutions must meet. The FTC stated that it “believes many of the requirements outlined in the Final Rule are
so fundamental to any information security program that the information security programs of many financial
institutions will already include them if those programs are in compliance with the current Safeguards Rule.”
Institutions are required to be in compliance with the revised requirements no later than June 9, 2023.
Institutions are required to develop, implement, and maintain a comprehensive information security program
that is written in one or more readily accessible parts. The regulations require the written information security
program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written
information security program for institutions with fewer than 5,000 customers must address seven elements
(16 CFR 314.3(a) and 16 CFR 314.6). In the preamble to the Final Rule, the FTC stated, “Proposed § 314.4
[Elements] altered the current Rule’s required elements of an information security program and added several
new elements.” The FTC also stated, “[t]he elements for the information security programs set forth in this
section [16 CFR 314.4] are high-level principles that set forth basic issues the programs must address, and do
not prescribe how they will be addressed.” The elements that an institution must address in its written
information security program are at 16 CFR 314.4. At a minimum, an institution’s written information security
program:
• Designates a qualified individual responsible for overseeing and implementing the institution’s information
security program and enforcing the information security program in compliance (16 CFR 314.4(a)).
• Provides for the information security program to be based on a risk assessment that identifies reasonably
foreseeable internal and external risks to the security, confidentiality, and integrity of customer information
(as the term customer information applies to the institution) that could result in the unauthorized disclosure,
misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of
any safeguards in place to control these risks (16 CFR 314.4(b)).
• Provides for the design and implementation of safeguards to control the risks the institution identifies
through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security
program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1)
through (8). The eight minimum safeguards that the written information security program must address are
summarized as follows:
– Implement and periodically review access controls.
– Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
– Encrypt customer information on the institution’s system and when it’s in transit.
– Assess apps developed by the institution.
– Implement multi-factor authentication for anyone accessing customer information on the institution’s
system.
– Dispose of customer information securely.
– Anticipate and evaluate changes to the information system or network.
– Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
• Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has
implemented (16 CFR 314.4(d)).
• Provides for the implementation of policies and procedures to ensure that personnel are able to enact the
information security program (16 CFR 314.4(e)(1)).
• Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)).
• Provides for the evaluation and adjustment of its information security program in light of the results of the
required testing and monitoring; any material changes to its operations or business arrangements; the
results of the required risk assessments; or any other circumstances that it knows or has reason to know
may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
The first element that an institution’s written information security program must address is the designation of an
individual with responsibility for implementing and enforcing an institution’s written information security
program. The regulations refer to this individual as the Qualified Individual. If an institution has not designated a
Qualified Individual, it is not in compliance with the GLBA requirements. The Qualified Individual has ultimate
responsibility and accountability for implementing and enforcing the institution’s information security program
(16 CFR 314.4(a)). The regulations do provide for an institution to use a service provider as a Qualified
Individual. In cases where an institution uses a service provider as the Qualified Individual, the institution must:
• Retain responsibility for compliance with GLBA.
• Designate a senior member of its personnel responsible for direction and oversight of the Qualified
Individual; and
• Require the service provider or affiliate to maintain an information security program that protects the
institution in accordance with the requirements of the regulations at 16 CFR Part 314(a)(1) through (3).
Because the written information security program may be in one or more readily accessible parts and the
Qualified Individual is responsible for implementing and monitoring the information security program, ED
expects that the Qualified Individual would be able to provide the written information security program that
addresses the elements required for the written information security program to the auditors.
Identified Conditions:
A. Formally Establish and Document Risk Acceptance Process (repeat finding)
The District’s Written Information Security Program does not explicitly define the criteria for accepting
potential risks. A related process document, which was committed to be completed in the prior year, is
still in development as of September 2023.
B. Perform Regular Backup Restoration Tests (repeat finding)
The District performed a comprehensive Tabletop Disaster Recovery (DR) exercise for both SAP and
SIS during the audit period. As part of the exercise, the DR Team simulated a scenario, fully supported
with recovery considerations, steps, results, recovery challenges, and key recommendations to
improve moving forward – the exercise was also reviewed and approved by the Vice Chancellor and
Chief Information Officer. However, a key activity, the actual backup restoration test, was not
performed as part of the tabletop exercise or at any other point during the audit period.
C. Perform Timely Access Revocation and Regular Access Reviews (repeat finding)
Based on a test of controls to verify that the access of terminated employees is removed in a timely manner
from Active Directory (AD), SAP, and the PeopleSoft Student Information System (PS SIS), we noted the
following among the terminated employees subject to testing:
1. 13 users were active in AD, three (3) of whom have logged in after their termination.
2. 76 users were still active in SAP, 19 of whom have logged in after their termination.
3. 81 users were still active in PS SIS, 42 of whom have logged in after their termination.
Moreover, while a privileged user access review is performed for AD, there is no review performed to
check the validity of regular users in AD and the validity and appropriateness of users in SAP and SIS.
Employee functions and/or responsibilities may change over time; thus, previously provisioned access
may no longer be valid. Furthermore, a new compliance requirement, which requires institutions to
perform periodic access reviews for physical access in the data centers where the critical student
information systems are hosted [16 CFR 314.4(c)(1)], was also not performed during the audit period.
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
16 CFR 314.4(f), a new compliance requirement, requires institutions to periodically assess service
providers based on the risk they present and the continued adequacy of their safeguards. However, we
noted that contracts for the following service providers were renewed by the District without sufficient
information security review from 2020 to 2022 and the period thereafter.
a. XAP – used for requesting, sending, and receiving electronic transcripts.
b. Bank Mobile – used for student refund processing.
c. Campus Logic – used for student online verification processing.
These contracts were instituted before the adoption of the District’s Information Security Program and
thus, were adopted and renewed thereafter without an Information Security Review.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
A new compliance requirement, which requires institutions to monitor and log the activity of authorized
users and detect unauthorized access or use of, or tampering with, customer information by such users
[16 CFR 314.4(c)(8)], is not currently implemented by the District.
F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
A new compliance requirement, which requires institutions to protect by encryption all students’ data
held at rest [16 CFR 314.4(c)(3)], is not currently implemented by the District (e.g., SAP and SIS
servers).
G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
The SAP production client was opened on 10/03/2022 and 11/09/2022 without sufficient documentation that
the opening was authorized and approved. Opening the production client, if not controlled, carries a significant
risk since changes can be made directly to the production environment without transport requests,
thereby circumventing any established change management controls.
Cause and Effect:
A. Formally Establish and Document Risk Acceptance Process
The absence of a formal risk acceptance process can lead to inappropriate risk treatment and a lack of
oversight in managing risks, resulting in inconsistent approaches that may not align with the District’s
overall risk tolerance.
B. Perform Regular Backup Restoration Tests
Lack of proper restoration testing may hinder the District from recovering its data completely and
accurately.
C. Perform Timely Access Revocation and Regular Access Reviews
Failure to deactivate or remove accounts of terminated employees timely may result in unauthorized
access to the District’s resources and sensitive information. Furthermore, the absence of user access
reviews increases the risk of inappropriate users or access remaining undetected over time which may
be used to process unauthorized transactions or view confidential information.
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Failure to perform these reviews may result in the District relying on IT service providers with ineffective
information security controls, making them susceptible to data breaches. A breach in a third-party
system may expose the District to financial, operational, legal, and reputational damages.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Without adequate logging and monitoring of users’ activity, security incidents, including suspicious and
unauthorized activities may not be detected and responded to in a timely manner.
F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
Data held on devices without encryption is vulnerable to unauthorized access, especially if
physical and logical controls are compromised. In the event of a breach, sensitive data, such as
students’ information, may be exposed.
G. Enforce Strict Compliance on Controls over SAP Direct to Production Changes
Insufficient controls over client opening may result in the implementation of unauthorized changes
directly into the production environment. This increases the risk that changes to the system may not
follow the District’s change management process (documentation, authorization, testing, and approval)
prior to the implementation of the change to the production environment.
Recommendation:
A. Formally Establish and Document Risk Acceptance Process
We recommend that the District establish and implement the District’s Risk Acceptance process that
details the criteria and conditions for accepting potential risks. We also recommend that the District
ensure this is aligned with the District’s objectives, overall risk tolerance, and current practices in
identifying, assessing, and mitigating risks.
B. Perform Regular Backup Restoration Tests
Together with the DR tabletop exercises, we recommend that backup restoration tests be
performed at least once per year. Detailed testing schedules should be drafted based on DRP
specifications and required restoration of the critical systems. Documentation of such tests should be
maintained for full management awareness and approval.
C. Perform Timely Access Revocation and Regular Access Reviews
1. We recommend that the District revoke the access of terminated employees and review the
activities performed by those accounts after their termination date to ensure the validity and
appropriateness of activities/transactions performed by these accounts, if any.
2. Concurrently, the District should improve the account termination procedures to ensure that the access
of terminated employees is revoked in a timely manner.
3. We also recommend that regular access reviews for AD, SAP, PS SIS, and the physical access
to the data centers where these systems are hosted are performed and documented (for both regular
and privileged users) to ensure that only valid and appropriate users remain in the systems and
have access to relevant information. The review may include, but is not limited to, the following:
a. Document management control over the completeness and accuracy of the reports used in the
review.
b. Define designated functions/roles to perform the review.
c. Monitor the timeliness of the review and of the execution of corrective actions resulting
from the review.
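The test of controls described in Condition C and the post-termination activity review in Recommendation C.1 amount to reconciling HR termination dates against each system's account export and its user-activity log. The following script is an added example, not part of the audit report or of the District's own tooling; the employee ids, dates, export layout and log-line format are constructed.

```python
from datetime import date, datetime

# Constructed sample data (not from the audit report): HR termination dates keyed by
# employee id; the same ids serve as account names in every system export.
TERMINATIONS = {
    "E1001": date(2022, 9, 15),
    "E1002": date(2022, 11, 30),
    "E1003": date(2023, 2, 1),
    "E1004": date(2023, 5, 20),
}

# Per-system account exports: (account id, enabled flag, last logon date or None).
ACCOUNT_EXPORTS = {
    "AD": [
        ("E1001", False, date(2022, 9, 14)),
        ("E1002", True, date(2023, 1, 10)),  # enabled and used after termination
        ("E1003", True, date(2023, 1, 25)),  # enabled, last logon predates termination
        ("E1004", False, None),
        ("E2000", True, date(2023, 6, 1)),   # current employee: out of scope
    ],
    "SAP": [
        ("E1001", True, date(2022, 12, 2)),
        ("E1002", True, date(2023, 3, 3)),
        ("E1003", True, None),
        ("E1004", True, date(2023, 6, 15)),
    ],
    "PS SIS": [
        ("E1001", False, None),
        ("E1002", False, None),
        ("E1003", True, date(2023, 2, 1)),   # logon on the termination date: not "after"
        ("E1004", True, date(2023, 5, 21)),
    ],
}

# Constructed user-activity log lines: "<timestamp> <system> <account> <action>".
ACTIVITY_LOG = """\
2023-01-10T09:12:00 AD E1002 interactive_logon
2023-03-03T14:05:00 SAP E1002 post_journal_entry
2023-05-21T08:30:00 PS SIS E1004 view_financial_aid_record
2023-06-01T10:00:00 AD E2000 interactive_logon
""".splitlines()

def reconcile(terminations, exports):
    """Per system: terminated employees still enabled, and those with a logon after termination."""
    findings = {}
    for system, rows in exports.items():
        still_active, used_after = [], []
        for account, enabled, last_logon in rows:
            term_date = terminations.get(account)
            if term_date is None or not enabled:
                continue  # not a terminated employee, or already disabled: no exception
            still_active.append(account)
            if last_logon is not None and last_logon > term_date:
                used_after.append(account)
        findings[system] = {"active": still_active, "used_after": used_after}
    return findings

def post_termination_activity(terminations, log_lines):
    """Logged actions taken by terminated employees after their termination date (C.1 review)."""
    hits = []
    for line in log_lines:
        ts, rest = line.split(" ", 1)
        system, account, action = rest.rsplit(" ", 2)  # system name may contain spaces
        term_date = terminations.get(account)
        if term_date is not None and datetime.fromisoformat(ts).date() > term_date:
            hits.append((system, account, ts, action))
    return hits
```

Running `reconcile` against real exports reproduces the per-system counts in the form the finding reports them, and `post_termination_activity` lists the transactions that Recommendation C.1 asks the District to review.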
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
Revisit the District’s current practices for evaluating third-party providers’ information security to ensure
that all third parties are reviewed and evaluated regularly. At a minimum, the process should involve
continuous monitoring, contractual provisions summarizing security requirements, and a strategy for
addressing security vulnerabilities identified during reviews.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
Formally establish a process for logging and monitoring users’ activity which includes collection,
retention, regular review, and documentation of user activity logs. The review should be aligned with
the District’s access management practices to ensure that only authorized users are allowed to access
information that is aligned with their functions and responsibilities.
F. Implement Data-at-Rest Encryption for Devices Storing Customer Data
The District should establish and implement data-at-rest encryption for endpoint devices to ensure that
data is inaccessible to unauthorized users in cases when logical and physical measures are
compromised.
G. Strictly Implement Processes and Control for Direct Changes in the SAP Production
Environment
Ensure that production client openings, particularly those related to direct production changes, strictly
adhere to the District’s Change Management Procedure. These client openings and the related
changes should be properly documented, authorized, and validated prior to implementation.
Views of Responsible Officials and Planned Corrective Actions:
A. Formally Establish and Document Risk Acceptance Process
Requirements for risk assessments and risk acceptance processes to comply with GLBA were
expanded in June of 2023. The District engaged a third-party consultant to conduct a GLBA-compliant
risk assessment and advise on recommended changes to the District’s Written Information Security
Plan (WISP) to comply with the new requirements. The findings and recommendations were presented
to the District in October of 2023 and are currently under review. The District will initiate a project to
formalize risk acceptance by December 31st, 2023, and implement the risk acceptance process by
June 30, 2024.
B. Perform Regular Backup Restoration Tests
The District has engaged with a third party to build a testing environment to physically test restoration
of the SIS environment. Initiation of the project is pending processing of the Purchase Order. The
District anticipates completion of the restoration by December 31st, 2023.
With respect to SAP, the District is currently engaged in an effort to migrate the SAP database to
HANA. When this project is complete, the same test environment will be capable of performing physical
recovery tests for SAP. The HANA migration is estimated to be completed on February 28th, 2024.
C. Perform Timely Access Revocation and Regular Access Reviews
With respect to the District’s Single Sign-On (ADFS or SSO) environments, the District engaged
professional services consultants to address this item by automating the disablement of employee
accounts based upon the termination of assignment. The work is currently underway. The target
completion of the process is December 15, 2023. With respect to the SAP environment, the District has
engaged with a vendor to implement Multifactor Authentication (MFA) in the SAP environment. Work
will begin upon processing the Purchase Order. Once both efforts are complete, disabling employee
accounts in SSO, SIS and SAP will be performed automatically based upon the termination of
assignments according to criteria established by Human Resources.
With respect to access reviews of SIS and SAP, the District is currently researching the export of user
audit logs to the District’s analysis environment to enable regular reviews. The new target to perform
regular access reviews for SAP and SIS is the end of Q1 2024.
With respect to physical access reviews, the District Information Security Team will perform an annual
review of relevant operational protocols for data center access with the appropriate internal teams and
perform an audit of data access at a minimum of once per year. The first annual protocol review will be
completed by December 1st, 2023. The first annual audit will commence no later than March 1st, 2024.
D. Perform Necessary Due Diligence to Regularly Evaluate All Third-party Safeguards
To prevent recurrence, the LACCD Information Security Team will coordinate an annual review of
Administrative Protocol 3723A: Information Security Evaluation of Third-Party Providers with District
Financial Aid, Procurement and Educational Programming and Institutional Effectiveness (EPIE)
leadership teams to help assure future relevant contracts are provided to the Information Security
Team prior to renewal to allow for timely security review.
E. Maintain and Review Logs of Users’ Activity for both SAP and PS SIS
The District is currently researching the export of user audit logs to the District’s analysis environment
to enable regular reviews. The new target to perform regular access reviews for SAP and SIS is the
end of Q1 2024.
F. Implement Data Encryption for Devices Storing Customer Data
The District engaged a third-party consultant to perform a comprehensive review of PeopleSoft security
controls, including the implementation of encryption of financial aid data within PeopleSoft. The results
are pending. Based upon those recommendations, the District will work with encryption providers to
develop and implement field-level encryption of financial aid data in SIS as appropriate.
With respect to end-user devices storing sensitive data, the District recently adopted workstation
hardening requirements that include whole-disk encryption for desktop and laptop computers used by
personnel who routinely access sensitive information, including financial aid data. The District will
implement the standards on workstations used by employees in financial aid and institutional research
by June 30, 2024. Once this is complete, additional workstations will be encrypted in order of potential
risk.
G. Strictly Implement Processes and Control for Direct Changes in the SAP Production
Environment
The requests for direct changes in SAP production will be tracked and included in our help desk
requests so that an auditable trail can be created leading to the purpose and completion of the
production changes. Additionally, direct production change requests will be reviewed and approved
following the LACCD Change Control process. Minor updates that do not fall within the change control
guidelines will require managerial approval within the help desk system.
Personnel Responsible for Implementation: Carmen V. Lidz
Position of Responsible Personnel: Vice Chancellor & Chief Information Officer