Finding Text
2024-006
8540.13
Department Of Education
Student Financial Aid
84.063, 84.268
P063P218567-2024
P268K228567-2024
N/A
N/A
7/1/23 - 6/30/24
Significant Deficiency
Did not result in material questioned costs; therefore, it will be documented as a SD.
Finding is neither systemic nor will it lead to 5% questioned cost.
N/A
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The regulation states that the college must designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (16 CFR 314.4(a)). The entity shall have a Written Information Security Program (WISP) that outlines the design and implementation of the risk assessment procedures (16 CFR 314.4(b)). At a minimum, the institution's written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including: assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Per 2 CFR 200.303, nonfederal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements.
The College has a Written Information Security Program; however, the College did not meet the minimum requirements stated in the Gramm-Leach-Bliley Act. Additionally, we were unable to observe evidence that the WISP was formally reviewed and approved.
N/A
The WISP was missing the element discussing the secure disposal of customer information. Additionally, there was not an observable formal review or authorization.
The college did not have the appropriate resources and staffing in place to verify they were in compliance with all requirements.
There is a risk the College’s information and systems could be vulnerable to attacks or intrusions, and these attacks may not be detected in a timely manner.
Yes
We recommend the College design controls so that an adequate review process is in place to ensure compliance with reporting requirements.
Management agrees with this finding.
See 0100.25