Finding Text
2024-002
Federal Agency: U.S. Department of Education (ED)
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Numbers: 84.007, 84.033, 84.063, 84.268
Award Period: July 1, 2023 to June 30, 2024
Type of Finding: Compliance and Significant Deficiency in Internal Control over Compliance
Uniform Guidance Requirement: Gramm-Leach-Bliley Act (GLBA)
Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).
Condition: During the audit, we noted that JEVS Human Services has gaps in its written information security program and policies when compared to the Safeguards Rule.
Questioned Costs: None
Context: The GLBA Safeguards Rule requires an organization to document the following within its written information security plan: (1) how the institution regularly tests or otherwise monitors the effectiveness of the safeguards it has implemented, (2) how it provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program, and (3) how the institution will oversee its information system service providers.
While evidence that these three safeguards were in place was provided to us during the audit, they were not documented within the written information security plan as required by GLBA.
Cause: The Agency does have policies and controls that address potential risks; however, the risk assessment was not documented.
Effect: Failure to comply with the GLBA standards puts the Agency at risk of compromising student personal information.
Repeat Finding: No
Recommendation: We recommend that management continue to evaluate its written information security plan and establish the required documentation in accordance with the GLBA Safeguards Rule.
Views of Responsible Officers and Corrective Action Plan: Please refer to JEVS Human Services and Affiliates’ Corrective Action Plan