Finding Text
Gramm-Leach-Bliley Act (GLBA) Compliance Significant Deficiency
DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379 - Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year
Condition: The University did not sufficiently comply with all the requirements of GLBA.
Criteria: 16 CFR 314.3, 16 CFR 314.4
Questioned Costs: $0
Context: The University has not sufficiently documented its written information security program or its security risk assessment and safeguards (including general threats); has not implemented multi-factor authentication on all systems containing personally identifiable information (PII); has not implemented continuous monitoring, such as penetration testing and vulnerability scanning; has not implemented a sufficient employee training program; has not implemented sufficient vendor management policies and reviews; has not implemented an incident response plan; and has not provided a written, annual report to the board. We understand the University has expanded its contract with its third party to address the monitoring requirements, update vendor management requirements, and add employee training requirements. We also understand the University has subsequently documented an incident response plan and an annual report to the board.
Cause: The University uses a third party to assist in addressing and documenting compliance with the requirements of GLBA, and not all updates reflecting changes in the regulations were documented.
Effect: The University has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks.
Identification as repeat finding, if applicable: Not applicable
Recommendation: We recommend the University allocate sufficient resources to address all requirements of GLBA.
Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.