Finding 10850 (2023-001)

Material Weakness
Requirement: N (Special Tests & Provisions)
Questioned Costs: -
Year: 2023
Accepted: 2024-01-30
Audit: 14543
Organization: Rogue Community College (OR)
Auditor: Eide Bailly LLP

AI Summary

  • Core Issue: The College lacks a complete written information security program as required by the Gramm-Leach-Bliley Act (GLBA) safeguards rule, 16 CFR Part 314.
  • Impacted Requirements: For institutions with 5,000 or more customers the written program must include nine specific elements; the auditor found that aspects of those elements were missing from the College's program.
  • Recommended Follow-up: The College should update its written security program to include all required elements, document them, and review the program periodically.

Finding Text

U.S. Department of Education, Student Financial Assistance Cluster
Federal Financial Assistance Listing Number(s): 84.063, 84.007, 84.268, 84.033, 84.038, 84.379
Compliance Requirement: Special Tests & Provisions – Gramm-Leach-Bliley Act (GLBA) – Student Information Security
Type of Finding: Material Weakness in Internal Control
Criteria: Under 16 CFR Part 314, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require that the written information security program include nine elements for institutions with 5,000 or more customers.
Condition: During our testing over GLBA compliance, we noted that the College was missing aspects of the required nine elements.
Cause: The College has not updated its written information security program to be in conformance with GLBA.
Effect: The College did not have a system in place to ensure that the required elements under GLBA were included in the comprehensive information security program and that the program was reviewed periodically.
Questioned Costs: None reported.
Context/Sampling: Sampling was not used.
Repeat Finding from Prior Year(s): No
Recommendation: The College should have a system in place to ensure that its comprehensive security program includes the required aspects under GLBA and that they are documented in writing.
Views of Responsible Officials: Management agrees with the finding.

Corrective Action Plan

Finding: 2023-001
Federal Agency Name: U.S. Department of Education
Program Name: Student Financial Assistance Cluster
FAL #: 84.063, 84.007, 84.238, 84.033
Initial Fiscal Year Finding Occurred: 2023
Finding Summary: During the testing over student information security, it was determined that the College did not have all nine elements of the new GLBA requirements in place with written policies and documented follow-through protocols.
Responsible Individuals: Jeremy Taylor, Chief Information Officer, and Josh Ogle, former Chief Information Officer.
Corrective Action Plan: Subsequent to the June 30, 2023 finding, the College has already implemented or updated processes to ensure student information security safeguards are in place. This includes a Security Information and Event Management (SIEM) solution fully equipped to log all user access within our network and capture detailed information about user activities on the network and their individual PCs. Additionally, it comprehensively monitors and collects data on all network switch and firewall activity. This data is stored and analyzed on-premises and reported to Sophos for enhanced monitoring through their Managed Detection and Response (MDR) service. Rogue Community College has extended its security measures by integrating our Microsoft 365 tenant and Okta with Sophos, enabling 24/7 user activity monitoring across these platforms. These integrations and vigilant monitoring practices demonstrate our unwavering commitment to robust security and adherence to regulatory compliance standards, ensuring meticulous surveillance of authorized user actions and safeguarding against unauthorized access. We have contracted with Eide Bailly's Technology Consulting group. The Statement of Work focuses on creating an Incident Response Plan, which is leading to updated policy and procedure documentation. We are working on a GLBA-specific policy as well.
Anticipated Completion Date: As of December 2023, we believe we have the minimum safeguards in place. By early 2024, a written GLBA-specific policy, including how we document follow-through on monitoring efforts, will be in place.

Categories

  • Special Tests & Provisions
  • Material Weakness
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 10851 2023-001
    Material Weakness
  • 10852 2023-001
    Material Weakness
  • 10853 2023-001
    Material Weakness
  • 587292 2023-001
    Material Weakness
  • 587293 2023-001
    Material Weakness
  • 587294 2023-001
    Material Weakness
  • 587295 2023-001
    Material Weakness

Programs in Audit

ALN     Program Name                                               Expenditures
84.063  Federal Pell Grant Program                                 $6.95M
84.268  Federal Direct Student Loans                               $2.63M
84.042  TRIO Student Support Services                              $649,640
84.044  TRIO Talent Search                                         $532,660
84.066  TRIO Educational Opportunity Centers                       $241,799
84.007  Federal Supplemental Educational Opportunity Grants        $163,110
84.033  Federal Work-Study Program                                 $131,253
84.425  Education Stabilization Fund                               $114,067
17.261  WIA Pilots, Demonstrations, and Research Projects          $72,643
59.037  Small Business Development Centers                         $25,252
45.310  Grants to States                                           $20,329
84.048  Career and Technical Education -- Basic Grants to States   $6,477
84.002  Adult Education - Basic Grants to States                   $5,381
14.218  Community Development Block Grants/Entitlement Grants      $4,345