FAC Explorer

Audit 10482

FY End
2023-06-30
Total Expended
$36.55M
Findings
12
Programs
19
Organization: College of St Scholastica INC (MN)
Year: 2023 Accepted: 2024-01-09
Auditor: Cliftonlarsonallen LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
8008 2023-001 Significant Deficiency - N
8009 2023-001 Significant Deficiency - N
8010 2023-001 Significant Deficiency - N
8011 2023-001 Significant Deficiency - N
8012 2023-001 Significant Deficiency - N
8013 2023-001 Significant Deficiency - N
584450 2023-001 Significant Deficiency - N
584451 2023-001 Significant Deficiency - N
584452 2023-001 Significant Deficiency - N
584453 2023-001 Significant Deficiency - N
584454 2023-001 Significant Deficiency - N
584455 2023-001 Significant Deficiency - N

Programs

ALN Program Spent Major Findings
84.268 Federal Direct Student Loans $27.17M Yes 1
84.063 Federal Pell Grant Program $2.23M Yes 1
93.364 Nursing Student Loans $1.08M Yes 1
84.038 Perkins Loan Program $986,575 Yes 1
93.247 Advanced Nursing Education Grant Program $574,333 - 0
84.033 Federal Work-Study Program $387,425 Yes 1
84.042 Trio_student Support Services $359,737 Yes 0
93.359 Nurse Education, Practice Quality and Retention Grants $354,602 - 0
93.732 Mental and Behavioral Health Education and Training Grants $350,874 - 0
93.884 Grants for Primary Care Training and Enhancement $328,011 - 0
84.044 Trio_talent Search $294,518 Yes 0
84.047 Trio_upward Bound $270,521 Yes 0
84.217 Trio_mcnair Post-Baccalaureate Achievement $197,126 Yes 0
84.007 Federal Supplemental Educational Opportunity Grants $179,342 Yes 1
47.076 Education and Human Resources $131,875 Yes 0
47.070 Computer and Information Science and Engineering $79,018 Yes 0
84.184 Safe and Drug-Free Schools and Communities_national Programs $53,062 - 0
43.001 Science $21,517 Yes 0
84.425 Education Stabilization Fund $301 Yes 0

Contacts

Name Title Type
ZXADPB9Q8S65 Terry Marholz Auditee
2187237008 Deirdre Hodgson, CPA Auditor
No contacts on file

Notes to SEFA

Title: BASIS OF PRESENTATION Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The purpose of the schedule of expenditures of federal awards (the Schedule) is to present a summary of those activities of College of St. Scholastica, Inc. that have been financed by the United States government (federal awards). Federal awards received directly from federal agencies are included in the Schedule, as are federal guaranteed loans disbursed by other sources. Additionally, all federal awards passed through from other entities have been included in the Schedule. The College is required to match certain grant agreements, as defined in the grants, and these matching amounts are not included in the Schedule. The information in the Schedule is presented in accordance with requirements of 2 CFR Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to, and does not, present the financial position, changes in net assets, or cash flows of College of St. Scholastica, Inc.
Title: FEDERAL LOAN PROGRAMS Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. Negative amounts shown on the Schedule represent adjustments or credits made in the normal course of business to amounts reported as expenditures in prior years. De Minimis Rate Used: N Rate Explanation: The College has elected not to use the 10% de minimis indirect cost rate allowed under the Uniform Guidance. The loan balances of federal loan programs as of June 30, 2023 are as follows Program Title: Federal Perkins Loan Program (ALN 84.038) Loan Balance: $643,156 Loans Advanced in current Year: - Program Title: Federal Nursing Loan Program (ALN 93.364) Loan Balance: $840,116 Loans Advanced in current Year: $272,455 Program Title: Noyce Loan Program (ALN 47.076) Loan Balance: $276,482 Loans Advanced in current Year: -

Finding Details

Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.
Finding 2023-001
2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.