Audit 328105

FY End: 2024-05-31
Total Expended: $12.65M
Findings: 10
Programs: 7
Organization: Lake Forest College (IL)
Year: 2024 Accepted: 2024-11-12
Auditor: RSM US LLP

Findings

ID | Ref | Severity | Repeat | Requirement
505400 | 2024-001 | Significant Deficiency | - | N
505401 | 2024-001 | Significant Deficiency | - | N
505402 | 2024-001 | Significant Deficiency | - | N
505403 | 2024-001 | Significant Deficiency | - | N
505404 | 2024-001 | Significant Deficiency | - | N
1081842 | 2024-001 | Significant Deficiency | - | N
1081843 | 2024-001 | Significant Deficiency | - | N
1081844 | 2024-001 | Significant Deficiency | - | N
1081845 | 2024-001 | Significant Deficiency | - | N
1081846 | 2024-001 | Significant Deficiency | - | N

Programs

ALN | Program | Spent | Major | Findings
84.268 | Federal Direct Student Loans | $7.79M | Yes | 1
84.063 | Federal Pell Grant Program | $3.15M | Yes | 1
84.038 | Federal Perkins Loan Program | $778,326 | Yes | 1
84.007 | Federal Supplemental Educational Opportunity Grants | $477,510 | Yes | 1
84.033 | Federal Work-Study Program | $298,829 | Yes | 1
47.074 | Biological Sciences | $134,966 | - | 0
47.075 | Social, Behavioral, and Economic Sciences | $8,290 | - | 0

Contacts

Name Title Type
NCHSEV4M47D9 Aj Rodino Auditee
8477355039 Craig Wories Auditor

Notes to SEFA

Accounting Policies: Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.
De Minimis Rate Used: Y
Rate Explanation: The College has elected to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: Note 1. Basis of Presentation
The accompanying schedule of expenditures of federal awards (the Schedule) includes the federal award activity of Lake Forest College (the College) under programs of the federal government for the year ended May 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the College.

Title: Note 2. Summary of Significant Accounting Policies
Expenditures reported on the Schedule are reported on the accrual basis of accounting. Such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement.

Title: Note 3. Indirect Cost Rate
The College has elected to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.

Title: Note 4. Federal Student Loan Programs
The Federal Perkins Loan Program is administered directly by the College, and balances and transactions relating to this program are included in the College’s financial statements. No new loans are allowed to be issued; therefore, the collections received on past loans including interest will be held until the liquidation process occurs and the final federal share of the remaining Federal Perkins Loan Program cash is remitted to the Department of Education. The beginning balance on these loans is disclosed in the Schedule. The balance of the loans outstanding under the Federal Perkins Loan Program (Assistance Listing Number 84.038) was $570,386 as of May 31, 2024. There were no administrative costs recovered for the year ended May 31, 2024. The College is responsible only for the performance of certain administrative duties with respect to the Federal Direct Loan Program (Assistance Listing Number 84.268). Accordingly, these loans are not included in the College’s financial statements and it is not practical to determine the balance of loans outstanding to students and former students of the College under this program as of May 31, 2024.

Finding Details

Finding 2024-001 – Gramm-Leach-Bliley Act-Student Information Security
Federal Agency – U.S. Department of Education (ED)
Federal Program – Student Financial Assistance Cluster
Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038
Federal Award Years: Year Ended May 31, 2024

Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts:
• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment.
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers.
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program.
The institution was required to be in compliance with the revised requirements no later than June 9, 2023.

Section III – Federal Award Findings and Questioned Costs (Continued)

Condition: The institution revised its information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement:
• Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program.
• Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment.
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, stored or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity.
• Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation.
• Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program.
• Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present.
• Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes.
• Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program.

Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024.

Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information.

Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Questioned Costs: There were no questioned costs identified.

Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner.

Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security

Federal Agency – U.S. Department of Education (ED)
Federal Program – Student Financial Assistance Cluster
Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038
Federal Award Years: Year Ended May 31, 2024

Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written security program that includes the following parts:

• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment.
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers.
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program.

The institution was required to be in compliance with the revised requirements no later than June 9, 2023.

Condition: The institution revised its information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement:

• Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program.
• Element 2: The institution had performed a risk assessment in November 2022; however, it did not have policies that specifically addressed methodologies for conducting risk assessment.
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, stored or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity.
• Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation.
• Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program.
• Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present.
• Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes.
• Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program.

Cause: The institution was in the process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024.
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program. The institution was required to be in compliance with the revised requirements no later than June 9, 2023. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Condition: The institution revised its’ information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement: • Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program. • Element 2: The institution had performed a risk assessment in November 2022, however, did not have policies that specifically addressed methodologies for conducting risk assessment. 
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of inventory of data including when it’s collected, store or transmitted, encryption of customer information, implementation of multi-factor authentication, disposal of customer information security, and maintaining a log of authorized users’ activity. • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation. • Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program. • Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third party vendor performance or compliance compared to the risk(s) they present. • Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes. • Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program. Cause: The institution was in process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024. 
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information. Section III – Federal Award Findings and Questioned Costs (Continued) Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security (Continued) Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs. Questioned Costs: There were no questioned costs identified. Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner. Views of responsible officials: Management agrees with this finding. See corrective action plan.
Finding 2024-001 – Gramm-Leach Bliley Act-Student Information Security Federal Agency – U.S. Department of Education (ED) Federal Program – Student Financial Assistance Cluster Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038 Federal Award Years: Year Ended May 31, 2024 Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts: • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program. • 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. • 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment. • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented. • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program. • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers. 
• 16 CFR 314.4(g) requires institutions to evaluate and adjust their information security program in light of the results of the required testing and monitoring; any material changes to their operations or business arrangements; the results of the required risk assessments; or any other circumstances that they know or have reason to know may have a material impact on the institution’s information security program.
The institution was required to be in compliance with the revised requirements no later than June 9, 2023.
Condition: The institution revised its information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement:
• Element 1: The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing the information security program.
• Element 2: The institution had performed a risk assessment in November 2022; however, it did not have policies that specifically addressed methodologies for conducting risk assessment.
• Element 3: While the institution has some safeguards in place, the institution’s policies did not include written policies and procedures for the following: periodic review of access controls, periodic review of the inventory of data including when it is collected, stored or transmitted, encryption of customer information, implementation of multi-factor authentication, secure disposal of customer information, and maintaining a log of authorized users’ activity.
• Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation.
• Element 5: The institution’s policy lacked written procedures over comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program.
• Element 6: The institution’s policy lacked written detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third-party vendor performance or compliance compared to the risk(s) they present.
• Element 7: The institution’s policy did not have a formalized process codified in policy to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes.
• Element 8: The institution’s policy lacked written procedures over requirements for the Qualified Individual to report regularly and at least annually to those with control over the institution on the institution’s information security program.
Cause: The institution was in the process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024.
Effect: The absence of internal controls and policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information.
Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.
Questioned Costs: There were no questioned costs identified.
Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner.
Views of responsible officials: Management agrees with this finding. See corrective action plan.