Finding Text
The Gramm-Leach-Bliley Act (Public Law 106-102) (“GLBA”) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data; its implementing regulation is codified at 16 CFR 314. Under 16 CFR 314 f(d), the University should regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. Under 16 CFR 314.4(e)(1), the University should implement policies and procedures to ensure that personnel are able to enact the information security program. The University does not have a formalized information security program documenting the policies and procedures relevant to the requirements of 16 CFR 314.4(e)(1). The University does not regularly conduct vulnerability assessments, penetration testing, or other procedures to monitor its implemented safeguards, as required under 16 CFR 314 f(d). Without a formalized policy governing its information security program, the University cannot fully determine its compliance with the GLBA requirements, including the requirement to regularly test or otherwise monitor the effectiveness of its safeguards. Without regular testing or monitoring of the effectiveness of the established safeguards, the University may fail to identify in a timely manner that a safeguard is ineffective or missing, which could in turn delay the detection or prevention of breaches or similar incidents.