Finding Text
Finding Reference: 2024-001
U.S. Department of Education
Student Financial Assistance Cluster:
Federal Pell Grant Program (Assistance Listing #84.063)
Federal Direct Student Loans (Assistance Listing #84.268)
Compliance Requirement: Special Tests and Provisions
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the BOCES, on an
annual basis, to identify reasonably foreseeable internal and external risks to the security,
confidentiality, and integrity of customer (student) information that could result in the unauthorized
disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk
assessment should include consideration of risk in each relevant area of operations, including:
Employee training and management.
Information systems, including network and software design, as well as information
processing, storage, transmission, and disposal.
Detecting, preventing, and responding to attacks, intrusions, or other system failures.
Condition: During our testing, we noted the following:
A periodic inventory of data, noting where it is collected, stored, and transmitted was not
performed.
Vulnerability scanning and penetration testing is not completed annually.
A written information security program is not fully in place. Policies surrounding risk
management have not been implemented.
Unsupported operating systems in use.
Cause: The expected documentation supporting the required controls to adequately confirm
compliance with GLBA safeguards was not complete.
Effect: Without demonstrable, documented controls supporting compliance with the GLBA
standards for safeguarding the protected data, compliance with the law and the requirements in the
federal PPA may not be assured.
Context: Inquiry and observation of the information received from the BOCES related to compliance
with GLBA.
Auditor’s Recommendation: The BOCES should review the GLBA safeguarding rules and as soon
as practical implement and document the controls necessary for compliance with the rule, focusing
on the completion of a documented, thorough, and standardized risk assessment and management
reporting framework. The BOCES should perform comprehensive risk assessments on a regular
basis, which is suggested to be at least annually, and at any significant change in infrastructure or
business process.
View of Responsible Officials: The BOCES is actively engaged in a formal Request for Proposals
(RFP) process to procure a qualified vendor for the design and implementation of a comprehensive
Information Security Program aligned with GLBA requirements. The selected vendor will conduct a
full assessment of existing controls, help develop required policies and procedures, and assist in
ensuring full compliance with GLBA mandates, including employee training, information systems
safeguards, and incident response protocols. This process will be completed by December 2025.
As part of the upcoming vendor engagement, a complete data inventory and structured risk
assessment will be conducted. This will identify where sensitive data is collected, stored,
transmitted, and processed, and will form the basis for implementing technical and administrative
safeguards. This process will be completed by March 2026. In the past several years the BOCES
has reviewed several student systems and was unable to identify a system that met all of their
needs due to the differences between requirements applicable to school districts and those
appropriate to the unique needs of a BOCES. The organization is on track to discontinue the use of
all unsupported operating systems by June 30, 2026.