Finding 544785 (2024-005)

Significant Deficiency Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-03-31
Audit: 351264
Organization: Chestnut Hill College (PA)

AI Summary

  • Core Issue: The College has not created a required written information security program, putting students' personal information at risk.
  • Impacted Requirements: This finding violates the Gramm-Leach-Bliley Act, which mandates that institutions protect sensitive data and explain their information-sharing practices.
  • Recommended Follow-Up: The College must develop and implement a comprehensive information security program, including specific policies on IT security, incident response, and risk management.

Finding Text

2024-005: Gramm-Leach-Bliley Act

Federal Agency: U.S. Department of Education
Federal Program Name: Federal Supplemental Educational Opportunity Grants; Federal Pell Grant Program; Federal Direct Student Loans; Teacher Education Assistance for College and Higher Education Grants
Assistance Listing Number: 84.007, 84.063, 84.268, 84.379
Federal Award Identification Number and Year: P007A243557, P063P242088, P063Q232088, P268K252088 - 2024; P379T232088 - 2023
Award Period: July 01, 2023 - June 30, 2024

Type of Finding:
  • Significant Deficiency in Internal Control over Compliance
  • Other Matters

Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).

Condition: Under an institution’s Program Participation Agreement with the U.S. Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.

Questioned costs: None

Context: During our audit procedures, it was noted that the College had not developed and implemented an approved written information security program.

Cause: The College did not develop and implement a written information security program as required by the Gramm-Leach-Bliley Act.

Effect: The students’ personal information could be vulnerable.

Repeat Finding: Yes, 2023-008.

Recommendation: The College should develop and implement an approved written information security program and verify there is a risk management section that describes how the College is identifying, assessing and communicating risks. In addition, there should be a description on the evaluation of safeguard sufficiency in mitigating risks. The information security program should also include the following:
  • IT Security Policy
  • Acceptable Use Policy
  • Incident Response Policy
  • Data Classification Policies
  • Vendor Management Policy
  • Patch Management Policy
  • Data Disposal Policy
  • Risk Assessment Policy
  • Logical Access and User Access Review Policies
  • Evidence of Review by CIO/CISO and responsibility of program

Views of responsible officials: There is no disagreement with the audit finding.

Categories

  • Student Financial Aid
  • Matching / Level of Effort / Earmarking
  • Subrecipient Monitoring
  • Internal Control / Segregation of Duties
  • Significant Deficiency

Other Findings in this Audit

  • 544776 2024-002
    Significant Deficiency Repeat
  • 544777 2024-003
    Significant Deficiency
  • 544778 2024-003
    Significant Deficiency
  • 544779 2024-003
    Significant Deficiency
  • 544780 2024-003
    Significant Deficiency
  • 544781 2024-004
    Significant Deficiency Repeat
  • 544782 2024-004
    Significant Deficiency Repeat
  • 544783 2024-005
    Significant Deficiency Repeat
  • 544784 2024-005
    Significant Deficiency Repeat
  • 544786 2024-005
    Significant Deficiency Repeat
  • 1121218 2024-002
    Significant Deficiency Repeat
  • 1121219 2024-003
    Significant Deficiency
  • 1121220 2024-003
    Significant Deficiency
  • 1121221 2024-003
    Significant Deficiency
  • 1121222 2024-003
    Significant Deficiency
  • 1121223 2024-004
    Significant Deficiency Repeat
  • 1121224 2024-004
    Significant Deficiency Repeat
  • 1121225 2024-005
    Significant Deficiency Repeat
  • 1121226 2024-005
    Significant Deficiency Repeat
  • 1121227 2024-005
    Significant Deficiency Repeat
  • 1121228 2024-005
    Significant Deficiency Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $13.42M
84.063 Federal Pell Grant Program $2.80M
93.575 Child Care and Development Block Grant $376,644
84.031 Higher Education Institutional Aid $325,450
84.033 Federal Work-Study Program $142,920
84.038 Federal Perkins Loan Program_Federal Capital Contributions $135,628
84.007 Federal Supplemental Educational Opportunity Grants $118,905
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $3,772