Finding Text
Criteria: 16 CFR 314.4 requires an institution to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for the institution’s size and complexity, the nature and scope of activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in §314.4 and shall be reasonably designed to achieve the objectives of this part.
Condition/context: The College has not developed or implemented a written comprehensive information security program that addresses all elements as required by 16 CFR 314.4.
Cause: The College did not fully develop, implement, or maintain policies in accordance with Federal deadlines.
Effect: The College is not compliant with the Gramm-Leach-Bliley Act Safeguards Rule (16 CFR part 314), because it has no written information security program addressing the elements required by 16 CFR 314.4.
Questioned costs: None.
Identification as a repeat finding: No.
Recommendation: The College should develop, implement, and maintain a written information security program that addresses each element required by the Gramm-Leach-Bliley Act Safeguards Rule (16 CFR 314.4), and the College should establish controls to monitor changes in Federal requirements so that its policies are updated in a timely manner.
Views of responsible officials: Management concurs with the finding. See Exhibit I for the corrective action plan.