Finding 1081845 (2024-001)

Type: Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2024-11-12
Audit: 328105
Organization: Lake Forest College (IL)
Auditor: Rsm US LLP

AI Summary

  • Core Issue: The institution failed to implement required information security policies by the June 9, 2023 deadline, leading to potential risks for student information.
  • Impacted Requirements: Key elements missing included designating a responsible individual, conducting risk assessments, and establishing safeguards and training procedures.
  • Recommended Follow-Up: Ensure prompt approval of revised policies, implement missing elements, and regularly review and update the information security program to comply with federal regulations.

Finding Text

Section III – Federal Award Findings and Questioned Costs

Finding 2024-001 – Gramm-Leach-Bliley Act – Student Information Security

Federal Agency – U.S. Department of Education (ED)
Federal Program – Student Financial Assistance Cluster
Federal Assistance Listing Numbers – 84.007, 84.033, 84.063, 84.268, 84.038
Federal Award Years: Year Ended May 31, 2024

Criteria: The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written security program with the following parts:

  • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing, implementing and enforcing the institution’s information security program.
  • 16 CFR 314.4(b) requires institutions to base the information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and that assesses the sufficiency of any safeguards in place to control these risks.
  • 16 CFR 314.4(c) requires institutions to design and implement safeguards to control the risks the institution identifies through its risk assessment.
  • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards they have implemented.
  • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
  • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee their information system service providers.
  • 16 CFR 314.4(g) requires institutions to evaluate and adjust the information security program in light of the results of the required testing and monitoring; any material changes to operations or business arrangements; the results of the required risk assessments; or any other circumstances that the institution knows or has reason to know may have a material impact on its information security program.

The institution was required to be in compliance with the revised requirements no later than June 9, 2023.

Condition: The institution revised its information security policies in response to the revised requirements; however, these policies were not formally approved and adopted until January 2024. The policies implemented as of January 2024 contained all required elements; however, the College’s existing information security policies as of June 9, 2023, did not include the following elements required by regulation as agreed to in the Program Participation Agreement:

  • Element 1: The written information security program did not designate an individual responsible for overseeing, implementing and enforcing the institution’s information security program.
  • Element 2: The institution had performed a risk assessment in November 2022; however, it did not have policies that specifically addressed methodologies for conducting risk assessments.
  • Element 3: While the institution had some safeguards in place, its policies did not include written policies and procedures for the following: periodic review of access controls; periodic review of the inventory of data, including where it is collected, stored or transmitted; encryption of customer information; implementation of multi-factor authentication; secure disposal of customer information; and maintaining a log of authorized users’ activity.
  • Element 4: The institution’s Information Security Policy referenced monitoring network activity and configuring hardware and software to control access, but did not explicitly mention systematic testing or vulnerability assessments as required by the regulation.
  • Element 5: The institution’s policy lacked written procedures for comprehensive training, awareness programs, and role-specific procedures to ensure that all personnel, including employees and contractors, were equipped to handle their responsibilities in implementing the security program.
  • Element 6: The institution’s policy lacked written, detailed requirements for vendor selection, evaluation, contract assessment, or periodic reviews of third-party vendor performance or compliance relative to the risk(s) they present.
  • Element 7: The institution’s policy did not codify a formal process to consistently evaluate and update the information security program based on the results of testing, risk assessments, or significant operational changes.
  • Element 8: The institution’s policy lacked written procedures requiring the Qualified Individual to report regularly, and at least annually, to those with control over the institution on the institution’s information security program.

Cause: The institution was in the process of modifying existing policies to comply with federal requirements. These policies were not approved and adopted until January 2024.

Effect: The absence of internal controls and of policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information.

Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Questioned Costs: There were no questioned costs identified.

Recommendation: We recommend that the institution continue to monitor information security requirements and modify or implement new policies as necessary. We recommend that the institution monitor changes in requirements to ensure compliance in a timely manner.

Views of responsible officials: Management agrees with this finding. See corrective action plan.

Categories

  • Subrecipient Monitoring
  • Procurement, Suspension & Debarment

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $7.79M
84.063 Federal Pell Grant Program $3.15M
84.038 Federal Perkins Loan Program $778,326
84.007 Federal Supplemental Educational Opportunity Grants $477,510
84.033 Federal Work-Study Program $298,829
47.074 Biological Sciences $134,966
47.075 Social, Behavioral, and Economic Sciences $8,290