Audit 366191

FY End: 2024-08-31
Total Expended: $13.17M
Findings: 8
Programs: 11
Organization: Rockland Community College (NY)
Year: 2024
Accepted: 2025-09-12
Auditor: Bonadio & CO LLP


Findings

ID      | Ref      | Severity          | Repeat | Requirement
--------|----------|-------------------|--------|------------
576316  | 2024-001 | Material Weakness | -      | N
576317  | 2024-001 | Material Weakness | -      | N
576318  | 2024-001 | Material Weakness | -      | N
576319  | 2024-001 | Material Weakness | -      | N
1152758 | 2024-001 | Material Weakness | -      | N
1152759 | 2024-001 | Material Weakness | -      | N
1152760 | 2024-001 | Material Weakness | -      | N
1152761 | 2024-001 | Material Weakness | -      | N

Programs

ALN    | Program                                                  | Spent    | Major | Findings
-------|----------------------------------------------------------|----------|-------|---------
84.063 | Federal Pell Grant Program                               | $7.54M   | Yes   | 1
84.268 | Federal Direct Student Loans                             | $2.36M   | Yes   | 1
84.031 | Higher Education Institutional Aid                       | $368,660 | Yes   | 0
84.042 | Trio Student Support Services                            | $283,831 | -     | 0
59.037 | Small Business Development Centers                       | $217,472 | -     | 0
84.007 | Federal Supplemental Educational Opportunity Grants      | $193,917 | Yes   | 1
64.027 | Post-9/11 Veterans Educational Assistance                | $154,452 | -     | 0
84.033 | Federal Work-Study Program                               | $77,008  | Yes   | 1
84.335 | Child Care Access Means Parents in School                | $73,225  | -     | 0
17.245 | Trade Adjustment Assistance                              | $7,311   | -     | 0
84.048 | Career and Technical Education -- Basic Grants to States | $7,077   | -     | 0

Contacts

Name         | Title            | Type
-------------|------------------|--------
JZSTJWXX8QN1 | Jonathan Batista | Auditee
8455744730   | Joseph Heroux    | Auditor

Notes to SEFA

Accounting Policies: The Schedule is presented using generally accepted accounting principles, as described in the College’s basic financial statements.
De Minimis Rate Used: N
Rate Explanation: Indirect costs are included in the reported expenditures to the extent they are included in the financial reports used as the source for the expenditures presented. The College did not elect to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.

1. BASIS OF PRESENTATION: The accompanying schedule of expenditures of federal awards (Schedule) includes the federal grant activity of the Rockland Community College (College), under programs of the federal government for the year ended August 31, 2024. The information in this Schedule is presented in accordance with the requirements of Title U.S. Code of Federal Regulations part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the Schedule presents only a selected portion of the operations of the College, it is not intended to and does not present the financial position, changes in net position, or cash flows for the College as a whole.
2. BASIS OF ACCOUNTING: The Schedule is presented using generally accepted accounting principles, as described in the College’s basic financial statements.
3. INDIRECT COSTS: Indirect costs are included in the reported expenditures to the extent they are included in the financial reports used as the source for the expenditures presented. The College did not elect to use the 10 percent de minimis indirect cost rate as allowed under the Uniform Guidance.
4. MATCHING COSTS: Matching costs, i.e., the College’s share of certain program costs, are not included in the reported expenditures.
5. SUBRECIPIENTS: No amounts were provided to subrecipients.
6. STUDENT LOAN PROGRAMS: Federal Direct Student Loan Program (Assistance Listing #84.268). During the year ended August 31, 2024, the College processed $2,356,853 of new loans under the Federal Direct Student Loan Program (which includes subsidized and unsubsidized Direct Loans and Direct Parents’ Loans for Undergraduate Students). With respect to the Federal Direct Student Loan Program, the College is only responsible for the performance of certain administrative duties; therefore, the College’s financial statements do not include any amounts relative to these loans. The cumulative amount of total loans guaranteed and outstanding at August 31, 2024 is undeterminable.

Finding Details

Finding 2024-001

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
- Employee training and management.
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
- The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.
- The College is required to conduct a risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.
- The College is required to maintain a written information security program (WISP) containing the minimum required elements of a written information security program. This was not provided.
- The College is required to conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.
- The College is required to monitor and test the effectiveness of its safeguards regularly. This was not provided.
- The College is required to provide support related to the security awareness training for all employees. This was not provided.
- The College is required to provide the vendor management policy and inventory. This was not provided.
- The College is required to provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor’s Recommendation: The College should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.

View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group. Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided. 
 The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and managemen reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group. 
Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided. 
 The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and managemen reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group. 
Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided. 
 The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and managemen reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group. 
Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided. 
 The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and managemen reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group. 
Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.  The College is required to conduct a risk assessment and Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.  The College is required to Maintain a written information security program (WISP). Minimum elements of the written information security program. This was not provided  The College is required to Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided. 
 The College is required to Monitor and test the effectiveness of your safeguards regularly. This was not provided.  The College is required to provide support related to the security awareness training for all employees. This was not provided.  The College is required to provide the vendor management policy and inventory. This was not provided.  The College is required to Provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and managemen reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group. 
Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
- Employee training and management.
- Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
- Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
- The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.
- The College is required to conduct a risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. This was not provided.
- The College is required to maintain a written information security program (WISP) containing the minimum elements of a written information security program. This was not provided.
- The College is required to conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.
- The College is required to monitor and test the effectiveness of its safeguards regularly. This was not provided.
- The College is required to provide support related to the security awareness training for all employees. This was not provided.
- The College is required to provide the vendor management policy and inventory. This was not provided.
- The College is required to provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor’s Recommendation: The College should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.

View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in the planning stages. The College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled quarterly with representatives from The Bonadio Group.
Progress will also be reported monthly to the Audit and Finance Committee of the College's Board of Trustees.