Finding Text
Gramm Leach Bliley Act (GLBA) Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038 and 84.379 (Student Financial Assistance Cluster)
Federal Award Identification #: 2022-23 Financial Aid Year
Condition: The University did not sufficiently comply with the updated requirements of GLBA.
Criteria: 16 CFR 314.4
Questioned Costs: $-0-
Context: The University has not sufficiently documented its security risk assessment and safeguards, implemented multi-factor authentication on all systems containing personally identifiable information (PII), or implemented a continuous monitoring solution, such as once a year penetration testing and twice a year vulnerability scanning. Additionally, the University has not implemented sufficient vendor management policies and reviews, or provided a written, annual report to the board.
Cause: The University has not allocated sufficient resources to address and document compliance with the requirements of GLBA.
Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.