Finding 1101479 (2024-001)

Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-02-28
Audit: 344346
Organization: Wartburg College (IA)

AI Summary

  • Core Issue: The College lacks a written information security program that meets all GLBA requirements.
  • Impacted Requirements: Only 4 out of 16 required elements are currently addressed, risking the protection of consumer nonpublic personal information.
  • Recommended Follow-Up: Conduct an annual risk assessment and ensure all GLBA elements are documented and implemented in the new information technology services policy.

Finding Text

Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the existing required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program must address all elements that apply. The elements for information security programs set forth in 16 CFR 314.4 are high-level principles that identify the basic issues a program must address; they do not prescribe how those issues are to be addressed.

Condition: The College does not have a written information security program that addresses all required elements that apply.

Cause: The College did not have procedures and processes in place specific to GLBA during fiscal year 2024 and therefore did not have written documentation of all required elements.

Effect: Failure to comply with the requirements of the GLBA standards puts the College at risk of compromising consumer nonpublic personal information.

Questioned Costs: Not applicable.

Context: Not applicable.

Recommendation: We noted the College's policies in effect during fiscal year 2024 contained four of the 16 required elements. The College should perform and document an annual risk assessment to determine the College's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the College should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).

Management's Response: The reported issue arises from the absence of written documentation outlining policies and procedures related to GLBA requirements. This matter is being addressed by the Chief Information Officer responsible for overseeing a new information technology services (ITS) policy document. A draft of the ITS policy document has been created and is awaiting approval; it will specifically address the cybersecurity requirements of GLBA.

Categories

Subrecipient Monitoring

Programs in Audit

ALN      Program Name                                                                  Expenditures
84.268   Federal Direct Student Loans                                                  $8.55M
84.063   Federal Pell Grant Program                                                    $1.71M
84.038   Federal Perkins Loan Program - Federal Capital Contributions                  $984,239
84.033   Federal Work-Study Program                                                    $260,158
84.007   Federal Supplemental Educational Opportunity Grants                           $166,128
84.379   Teacher Education Assistance for College and Higher Education Grants (TEACH Grants)   $82,984
47.076   STEM Education (formerly Education and Human Resources)                       $2,912