Finding Text
Finding 2024-002 Gramm-Leach-Bliley Act-Student Information Security
Federal Agency: U.S. Department of Education
Program Name: Student Financial Assistance Cluster
Federal Direct Student Loans
Assistance Listing #: 84.268
Questioned Costs: None
Condition
The Seminary’s information security program did not address the implementation of all minimum safeguards as required by the Gramm-Leach-Bliley Act. While the Seminary had designated a Qualified Individual to coordinate its information security program and had a written information security program in place, that program did not meet all criteria for disposing of customer information securely.
Criteria
The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires institutions to protect sensitive data. This includes information obtained through processes administering federal student financial assistance programs. Postsecondary educational institutions must protect student financial aid information, as stated in the institution’s Program Participation Agreement (PPA) and the GLBA. Institutions should take due care with information and data provided by the Department of Education or obtained through the processes of administering Title IV Federal student assistance programs (Dear Colleague Letter, July 1, 2016 (GEN-16-12)). Title 16, Code of Federal Regulations (CFR), Section 314.4 requires institutions to develop, implement, and maintain an information security plan that includes the CFR’s stated minimum elements. The minimum requirements include the secure disposal of customer information.
Cause
The Seminary has been properly disposing of customer information securely and anticipating and evaluating changes to the information system or network but failed to state the timeline in its information security plan.
Effect
Not implementing all required safeguards in its information security program increases the Seminary’s risk of data breach or loss.
Recommendation
The Seminary should update and strengthen its Information Security Plan to adequately address the minimum safeguards.
Views of Responsible Officials
The Seminary will update its information security plan to include the timeline for disposing of customer information securely and anticipating and evaluating changes to the information security or network.