Finding Text
Finding 2025-002: Significant Deficiency - Gramm-Leach-Bliley Act Security Policy
Program: Student Financial Assistance Cluster
Assistance Listing Number (ALN): Various
Federal Agency: U.S. Department of Education
Federal Award Identification Number: Various
Federal Award Year: June 30, 2025
Criteria: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the current required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address all elements that apply. The elements for the information security programs set forth in this section 16 CFR 314.4 are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.
Condition/Context: The College did not have updated procedures and processes in place specific to certain required GLBA elements. The GLBA policy review and updates are still in process.
Cause: The College noted that several items required are in process or only partially completed.
Effect: Failure to comply with the requirements of GLBA standards puts the College out of compliance with requirements and potentially at risk of compromising consumer, nonpublic personal information.
Questioned Costs: Not applicable.
Recommendation: It is recommended that the College update its written GLBA Security Policy to address all the required elements. At a minimum, the University should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).
Management's Response: The College agrees with the finding and noted that updates to the information technology and GLBA policies are in process and expected to be completed in the fiscal year ending May 31, 2026.