Finding 9460 (2023-001)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2023
Accepted
2024-01-23
Audit: 12966
Organization: Warner University, Inc. (CO)
Auditor: CapinCrouse LLP

AI Summary

  • Core Issue: The University did not sufficiently comply with the updated Gramm-Leach-Bliley Act (GLBA) Safeguards Rule requirements (16 CFR 314.4) for the 2022-23 financial aid year.
  • Impacted Requirements: Insufficient documentation of the security risk assessment and safeguards; no multi-factor authentication on all systems containing personally identifiable information (PII); no continuous monitoring program (annual penetration testing and semiannual vulnerability scanning); insufficient vendor management policies and reviews; no written annual report to the board.
  • Recommended Follow-Up: Allocate sufficient resources to address and document all GLBA requirements. Management agrees with the finding and has a corrective action plan with an anticipated completion date of Spring 2024.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Significant Deficiency

DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038 and 84.379 (Student Financial Assistance Cluster)
Federal Award Identification #: 2022-23 Financial Aid Year

Condition: The University did not sufficiently comply with the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $-0-

Context: The University has not sufficiently documented its security risk assessment and safeguards, implemented multi-factor authentication on all systems containing personally identifiable information (PII), or implemented a continuous monitoring solution, such as once-a-year penetration testing and twice-a-year vulnerability scanning. Additionally, the University has not implemented sufficient vendor management policies and reviews, or provided a written, annual report to the board.

Cause: The University has not allocated sufficient resources to address and document compliance with the requirements of GLBA.

Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Not applicable.

Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act

Planned Corrective Action: The current Information Security Program was created using Capin's template last year and was acceptable. Moving forward, we will document the safeguards we're putting in place by including them in the Information Security Program and documenting the decreased mitigated risk level.

We have a legacy on-premises SIS application software that doesn't have the capacity for MFA. We will attempt to either move our on-premises application software and database to our vendor's location, where MFA is required to get into their network, or we will source a third-party vendor that will work with a legacy application without MFA capacity and require MFA on the front end before calling the application. We will also consider application software on University-owned computer workstations and laptops that requires MFA upon logging into our campus network.

We will source an outside company for penetration testing and vulnerability scanning. We will then review the results, put a plan in place to address the critical items, and track progress.

We will document each vendor that hosts PII data. We will collect SOC reports, privacy statements, GLBA compliance documents, and other related documents.

We will provide the Board of Trustees - Business/Finance Committee a written report on the current status of the Information Security Program document.

Person Responsible for Corrective Action Plan: Kelvin D Tohme, Senior Director of Information Technology

Anticipated Date of Completion: Spring 2024

Categories

Subrecipient Monitoring Significant Deficiency

Other Findings in this Audit

  • 9461 2023-001
    Significant Deficiency
  • 9462 2023-001
    Significant Deficiency
  • 9463 2023-001
    Significant Deficiency
  • 9464 2023-001
    Significant Deficiency
  • 9465 2023-001
    Significant Deficiency
  • 9466 2023-002
    - Repeat
  • 9467 2023-002
    - Repeat
  • 9468 2023-002
    - Repeat
  • 9469 2023-002
    - Repeat
  • 585902 2023-001
    Significant Deficiency
  • 585903 2023-001
    Significant Deficiency
  • 585904 2023-001
    Significant Deficiency
  • 585905 2023-001
    Significant Deficiency
  • 585906 2023-001
    Significant Deficiency
  • 585907 2023-001
    Significant Deficiency
  • 585908 2023-002
    - Repeat
  • 585909 2023-002
    - Repeat
  • 585910 2023-002
    - Repeat
  • 585911 2023-002
    - Repeat

Programs in Audit

ALN     Program Name                                                                          Expenditures
84.268  Federal Direct Student Loans                                                          $5.56M
84.063  Federal Pell Grant Program                                                            $2.18M
84.038  Federal Perkins Loan Program                                                          $142,347
84.007  Federal Supplemental Educational Opportunity Grants                                   $107,206
84.033  Federal Work-Study Program                                                            $80,763
84.379  Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)   $16,974
84.425  COVID-19 Education Stabilization Fund: HEERF - Institutional Portion                  $14,136