Finding Text
Federal Assistance Listing Number: Various – Student Financial Aid Cluster
Criteria: Per 16 CFR 314.4 (c), the College is required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates. The College is also required to implement multifactor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. Per the FSA Electronic Announcement GENERAL-23-09, institutions were required to implement these safeguards by June 9, 2023.
Condition: The College did not fully implement secure customer information disposal or multi-factor authentication by June 9, 2023, which was the effective deadline.
Cause: The College is still working to implement the required secure customer information disposal. The College is also currently in the process of implementing multi-factor authentication on the Banner INB system.
Effect: The College is not in compliance with the requirements set by the Safeguards Rule under the Gramm-Leach-Bliley Act.
Prevalence: Implementing secure customer information disposal proved to be more time-consuming due to the volume of customer data. Implementing multi-factor authentication was more complicated and time-consuming for the student information system Banner INB. Multi-factor authentication or equivalent access controls are in place for all other systems containing student information. All other elements of the Safeguards Rule appear to be in place as required.
Recommendation: The College should implement secure customer information disposal and multi-factor authentication for all systems as soon as possible and reference the related safeguards in the written Information Security Program. The College should also enhance its training and procedures to ensure that any future adjustments to the Gramm-Leach-Bliley Act continue to be met in a timely manner.
Management’s Response and Planned Corrective Action: The College is in the process of identifying customer data that should be disposed of or retained beyond two years. Management also acknowledged that implementation of multi-factor authentication for the Banner INB system has taken more time due to the complexity of the system in place. The secure customer information disposal and multi-factor authentication on the Banner INB system are expected to be implemented in 2025.