Finding 1097292 (2024-001)

-
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-01-31
Audit: 340680
Organization: Concordia College (MN)

AI Summary

  • Core Issue: The College lacks a comprehensive written information security program that meets all GLBA requirements.
  • Impacted Requirements: The GLBA Safeguards Rule (16 CFR 314.4); noncompliance risks compromising consumer nonpublic personal information.
  • Recommended Follow-Up: Conduct and document an annual risk assessment, ensuring all GLBA-required elements are addressed in the updated program.

Finding Text

Federal Program - Student Financial Assistance Cluster
Federal Agency - U.S. Department of Education
Pass-Through Entity - Not Applicable
CFDA Number - 84.033, 84.268, 84.063, 84.379, 84.007
Federal Award Number - Various
Federal Award Year - June 30, 2024

Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that amended the required elements of an information security program and added several new ones. Under the regulations, institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program must address all elements that apply. The elements set forth in 16 CFR 314.4 are high-level principles that identify the basic issues the program must address; they do not prescribe how those issues are to be addressed.

Condition: The College does not have a written information security program that addresses all elements that apply.

Cause: The College's procedures and processes specific to GLBA did not have written documentation of all required elements.

Effect: Failure to comply with the requirements of GLBA puts the College at risk of compromising consumer nonpublic personal information.

Questioned Costs: Not applicable.

Context: Not applicable.

Recommendation: The College should perform and document an annual risk assessment to determine the College's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the College should address each of the required minimum elements in the GLBA regulations (16 CFR 314.4).
Management's Response: The College does have a written information security program but does not currently have it in the format recommended by the auditors. The College will update the documentation of all required elements, specific to GLBA, following the auditors' template.

Categories

Subrecipient Monitoring

Other Findings in this Audit

Programs in Audit

ALN      Program Name                                                                     Expenditures
84.268   Federal Direct Student Loans                                                     $7.96M
84.038   Federal Perkins Loan Program                                                     $3.25M
84.063   Federal Pell Grant Program                                                       $1.71M
12.579   Language Training Center                                                         $1.30M
84.007   Federal Supplemental Educational Opportunity Grants                              $582,402
84.033   Federal Work-Study Program                                                       $223,676
47.076   STEM Education (formerly Education and Human Resources)                          $192,005
12.900   Language Grant Program                                                           $168,691
47.050   Geosciences                                                                      $78,195
43.008   Office of STEM Engagement (OSTEM)                                                $34,258
84.379   Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)   $10,373
10.556   Special Milk Program for Children                                                $10,328