Finding Text

Finding 2025-003: Significant Deficiency – GLBA Security Policy
Repeat Finding – 2024-003
Federal Program – Student Financial Assistance Cluster
Federal Agency – U.S. Department of Education
Pass-Through Entity – Not Applicable
Assistance Listing Number – Various
Federal Award Year – June 30, 2025

Criteria: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are listed at 16 CFR 314.4. At a minimum, the institution's written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8), including assessing applications developed by the institution. In addition, the written information security program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

Condition/Context: Under the Corporation's Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of the federal student financial aid programs.

Questioned Costs: Not applicable.
Cause: There was no formal process in place to review the Corporation's information security program against all of the new GLBA requirements to ensure compliance.

Effect: The personal information of the Corporation's students could be exposed to unauthorized access or disclosure.

Recommendation: We recommend the Corporation review each element of the GLBA Safeguards Rule to ensure compliance with all necessary requirements.

Management's Response: To ensure continued compliance with GLBA requirements, the Corporation engaged FRSecure to perform a comprehensive risk assessment and develop a security roadmap. As part of their work, FRSecure conducted system scans to identify potential vulnerabilities and interviewed key personnel across IT, HR, Finance, and other departments to evaluate the current state of the Corporation's information security system. GLBA compliance was included in the scope of their review. FRSecure issued a "Roadmap Plan," which the department is reviewing and will implement as feasible.