Finding Text
Federal Program Information:
Student Financial Assistance Cluster (ALN: Various), U.S. Department of Education. 2022-2023 Federal Award Year.
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The audit finding was based on 16 CFR 314.4(f), which requires that the University have a policy that addresses how the institution will oversee its information system service providers.
Condition:
The University was not able to demonstrate its compliance with 16 CFR 314.4(f).
Cause:
The University does not currently have a vendor management review process in place.
Effect or potential effect:
Without consideration for oversight of its information system service providers, the University’s information system security program may not adequately address the risks that these service providers, and their systems, pose to the University’s environment.
Questioned Costs:
None noted.
Context:
We were unable to verify that the University has a vendor management review process in place.
Identification as a Repeat Finding:
This is not a repeat finding.
Recommendation:
We recommend that policies and procedures be put in place to ensure that regular vendor management reviews of information system service providers are conducted in an appropriate manner.
Views of Responsible Officials:
Management concurs with this finding. See management’s corrective action plan document.