Finding Text
Federal Agency: US Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.063, 84.007, & 84.033
Federal Award Identification Number and Year: P063P231353-2024, P063Q231353-2024, P033A231190-2024, & P007A231190-2024
Award Period: July 1, 2023 to June 30, 2024
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The regulation states that the College must designate a qualified individual responsible for overseeing, implementing, and enforcing its information security program (16 CFR 314.4(a)). The entity shall have a Written Information Security Program (WISP) that outlines the design and implementation of the risk assessment procedures (16 CFR 314.4(b)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Condition: During our testing of the College’s information technology systems, we noted the Written Information Security Program did not include all of the required elements.
Questioned costs: None.
Context: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, institutions must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student assistance programs.
Cause: The College is in the process of updating written policies and procedures to address all of the required elements.
Effect: Student personal information could be vulnerable.
Repeat Finding: No.
Recommendation: We recommend the College work to update the written information security program to ensure compliance with all of the required elements.
Views of responsible officials: Management agrees with this finding.