Finding Text
Gramm-Leach-Bliley Act (GLBA) Compliance
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, and 84.033
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not sufficiently comply with the updated requirements of GLBA.
Criteria: 16 CFR 314.4
Questioned Costs: $0
Context: The University has not:
- implemented multi-factor authentication on one vendor system containing personally identifiable information (PII)
- implemented sufficient vendor management policies and reviews
- provided a written, annual report to the board
We noted the University has been evaluating vendors, and the criteria for evaluating vendors are being revised to incorporate the updated regulations of GLBA. Additionally, while information related to the information security program has been shared with the board, a more robust written report will be implemented. We commend the University for the work completed related to GLBA.
Cause: The University has not formalized all documentation of processes and upcoming revised vendor management processes to address and document compliance with the updated requirements of GLBA.
Effect: The University has not adequately addressed the updated requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable
Recommendation: We recommend the University formalize and document processes to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.