Audit 305421

FY End
2023-08-31
Total Expended
$14.76M
Findings
10
Programs
12
Organization: Dutchess Community College (NY)
Year: 2023 Accepted: 2024-05-03
Auditor: Bonadio & CO LLP


Findings

ID      Ref       Severity                 Repeat  Requirement
395765  2023-001  Significant Deficiency   -       N
395766  2023-001  Significant Deficiency   -       N
395767  2023-001  Significant Deficiency   -       N
395768  2023-001  Significant Deficiency   -       N
395769  2023-001  Significant Deficiency   -       N
972207  2023-001  Significant Deficiency   -       N
972208  2023-001  Significant Deficiency   -       N
972209  2023-001  Significant Deficiency   -       N
972210  2023-001  Significant Deficiency   -       N
972211  2023-001  Significant Deficiency   -       N

All ten rows are program-level entries for the single finding 2023-001. Requirement code N is the Compliance Supplement type for Special Tests and Provisions (the requirement named in the finding text); "-" in the Repeat column means no prior-year finding is referenced.

Programs

Contacts

Identifier Name Type
VFW3KAT2NVJ3 Donna Rocap Auditee
8454318066 Alan Walther Auditor

Notes to SEFA

Accounting Policies: The Schedule is prepared using generally accepted accounting principles, as described in the College’s basic financial statements.
De Minimis Rate Used: N
Rate Explanation: The auditee did not elect to use the 10% de minimis cost rate.

BASIS OF PRESENTATION: The accompanying schedule of expenditures of federal awards (Schedule) includes the federal grant activity of Dutchess Community College (College) under programs of the federal government for the year ended August 31, 2023. The information in the Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a portion of the operations of the College, it is not intended to and does not present the financial position, changes in net position, or cash flows of the College as a whole.

BASIS OF ACCOUNTING: The Schedule is prepared using generally accepted accounting principles, as described in the College’s basic financial statements.

INDIRECT COSTS: Indirect costs are included in the reported expenditures to the extent they are included in the financial reports used as the source for the expenditures presented. The College did not elect to use the 10 percent de minimis indirect cost rate allowed under the Uniform Guidance.

MATCHING COSTS: Matching costs, i.e., the College’s share of certain program costs, are not included in the reported expenditures.

SUBRECIPIENTS: No amounts were provided to subrecipients.

STUDENT LOAN PROGRAMS:
Nursing Student Loan Program (Assistance Listing #93.364): For the year ended August 31, 2023, the College made no loans under the Nursing Student Loan Program and claimed no administrative cost allowance. Previous loans were funded with federal expenditures, the College’s institutional funds under its matching requirement, and principal and interest repaid to the College on earlier loans. The outstanding balance of loans receivable under this program was $9,615 at August 31, 2023. The expended funds reported on the Schedule represent the September 1, 2022 outstanding loan balance.
Federal Direct Student Loan Program (Assistance Listing #84.268): During the year ended August 31, 2023, the College processed $5,063,517 of new loans under the Federal Direct Student Loan Program (which includes subsidized and unsubsidized Direct Loans and Direct Parent Loans for Undergraduate Students). With respect to the Federal Direct Student Loan Program, the College is responsible only for the performance of certain administrative duties; therefore, the College’s financial statements do not include any amounts relating to these loans. The cumulative amount of total loans guaranteed and outstanding at August 31, 2023 is undeterminable.

Finding Details

Finding Reference: 2023-001
U.S. Department of Education
Student Financial Aid Cluster:
- Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007)
- Federal Work-Study Program (Assistance Listing #84.033)
- Federal Pell Grant Program (Assistance Listing #84.063)
- Federal Direct Student Loans (Assistance Listing #84.268)
- Nursing Student Loans (Assistance Listing #93.364)
Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
- Employee training and management.
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
- While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.
- An annual IT risk assessment was not performed.
- A vendor management program is not in place.
- Mobile device management is not in place.
- Backup media is not encrypted.
- A full set of policies and procedures is not in place.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and with the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor’s Recommendation: The College should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, suggested to be at least annually and at any significant change in infrastructure or business process.

View of Responsible Officials: The College agrees with the findings and is in the process of developing a corrective action plan to address them. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.
Finding Reference: 2023-001 U.S. Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Nursing Student Loans (Assistance Listing #93.364) Compliance Requirement: Special Tests and Provisions Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following: While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College’s information security program.  An annual IT risk assessment was not performed.  A vendor management program is not in place.  Mobile device management is not in place.  Backup media is not encrypted.  A full set of policies and procedures is not in place. Finding Reference: 2023-001 (Continued) U.S. 
Department of Education Student Financial Aid Cluster: Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007) Federal Work-Study Program (Assistance Listing #84.033) Federal Pell Grant Program (Assistance Listing #84.063) Federal Direct Student Loans (Assistance Listing #84.268) Compliance Requirement: Special Tests and Provisions Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees with the findings and is in process of developing a corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.