Finding Text
Federal agency: Department of Education
Federal program title: Student Financial Aid Cluster
Assistance Listing Number: 84.033, 84.063, 84.007, 84.379, 84.268
Federal Award Identification Number and Year: P033A223771 (CWS 22‐23), P063P220377 (Pell 22‐23),
P007A223771 (SEOG 22‐23), P268K230377 (Direct Loan 2023)
Award Period: July 1, 2022, through June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance (Other Matters)
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions
to explain their information-sharing practices to their customers and to safeguard sensitive data (16
CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information
security program that is written in one or more readily accessible parts. The regulations require the
written information security program to include nine elements for institutions with 5,000 or more
customers (16 CFR 314.3(a)). The written information security program (WISP) for institutions with
fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The
elements that an institution must address in its written information security program are at 16
CFR 314.4. At a minimum, the institution’s written information security program must address the
implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including
assessing apps developed by the institution. In addition, the written security program provides for the
institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented
(16 CFR 314.4(d)). Under an institution’s Program Participation Agreement with the Department of
Education and under GLBA, schools must protect student financial aid
information, with particular attention to information provided to institutions by the Department or
otherwise obtained in support of the administration of the federal student financial aid programs.
Condition: The University was not in compliance with GLBA.
Questioned costs: None
Context: These new GLBA requirements were applicable beginning on June 9, 2023, and we identified
that the University does not meet the compliance requirements outlined in the GLBA Safeguards Rule.
Specifically, discrepancies were identified in requirement B.6, which addresses how the institution will
oversee its information system service providers (16 CFR 314.4(f)). The University does not have a
Vendor Management Program with standards in place to oversee critical system service providers.
This includes the due diligence, risk assessments, and annual reviews that the University is not
performing with respect to third-party service providers.
Cause: There was no formal process in place to review for compliance against all of the new GLBA
requirements.
Effect: The University and student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the University review the updated GLBA requirements and
ensure its WISP includes all required elements.
Views of responsible officials: There is no disagreement with the audit finding.