2025-002: SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT

Program: Federal Supplemental Educational Opportunity Grants, Federal Pell Grant Program, Federal Direct Student Loans
Cluster Title: Student Financial Assistance Cluster
Federal Assistance Listing Numbers: 84.007, 84.063, and 84.268
Federal Agency: U.S. Department of Education
Type of Finding: Noncompliance (Other Matter), significant deficiency in internal control
Compliance Requirement: N. Special Tests and Provisions
Questioned Costs: N/A
Repeat Finding: No

Condition/Context: During our review of the District’s information security policies and procedures, it was noted that the District did not have formally written information security policies and procedures. The District did not have a process to evaluate and maintain a data inventory to ensure that sensitive data is assigned a higher risk profile and prioritized for security protocols. The District did not limit administrative privileges to dedicated administrator accounts; instead, system administrators used their administrative accounts for all their job functions, rather than just the functions requiring higher levels of access.

Criteria: Title IV-eligible institutions are subject to the Gramm-Leach-Bliley Act (the “Act”). The Act requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Act because they appear to be significantly engaged in wiring funds to consumers. Institutions agree to comply with the Act in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs.
Institutions are required to develop, implement and maintain a written comprehensive information security program.

Corrective Action: The District will implement policies and procedures over information technology to properly comply with the provision of the Gramm-Leach-Bliley Act. The District will prepare a security policy that addresses data classifications that ensure sensitive data is protected. In addition, administrator accounts will be restricted.

Planned completion date for corrective action plan: For the period ending June 30, 2026.

Name of the contact person responsible for corrective action: Edith Perez, Chief Financial Officer