Finding Text
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, and 84.033 - Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not sufficiently comply with all the requirements of GLBA.
Criteria: 16 CFR 314.3, 16 CFR 314.4
Questioned Costs: $0
Context: The University has not:
• fully updated its written information security program in compliance with the revised regulations and with organizational practices
• sufficiently documented its security risk assessment and safeguards
• implemented multi-factor authentication on all systems containing personally identifiable information (PII)
• implemented continuous monitoring, such as penetration testing and vulnerability scanning
• implemented sufficient vendor management policies and reviews
• provided a written, annual report to the board.
Cause: The University shares information technology resources with another organization and is in the process of determining which pieces are fully addressed with that organization and which pieces the University will need to address and document compliance with the requirements of GLBA.
Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable.
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.