Finding 1176358 (2025-001)

Material Weakness Repeat Finding
Requirement: P
Questioned Costs: -
Year: 2025
Accepted: 2026-03-04
Audit: 390178
Organization: Jamestown Community College (NY)
Auditor: BONADIO & CO LLP

AI Summary

  • Core Issue: The College has not conducted a formal risk assessment or documented essential IT policies, leading to non-compliance with GLBA requirements.
  • Impacted Requirements: Compliance with the Gramm-Leach-Bliley Act's Safeguards Rule is mandatory for institutions under Title IV programs.
  • Recommended Follow-Up: Implement and document necessary controls for GLBA compliance, including a thorough risk assessment and updated IT policies.

Finding Text

Finding 2025-001 – Student Financial Assistance Cluster

Federal Agency – U.S. Department of Education

Grant Period – Year ended August 31, 2025

Compliance Requirement – N. Gramm-Leach-Bliley Act–Student Information Security

Criteria – Institutions participating in Title IV programs are required to comply with various laws and regulations as part of their signed Program Participation Agreement (PPA), including but not limited to, the Federal Trade Commission’s Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (Title 16, Chapter I, Subchapter C, Part 314).

Condition – The College has not performed a formal risk assessment of their technology environment. In addition, the College’s management indicated that the majority of the elements required are in place; however, they are not formally documented. This includes policies related to vendor management, user access, transmission and destruction of student data, change management, and a formal inventory of where student data is stored, collected and transmitted, per the 2025 Compliance Supplement.

Cause – The College has experienced significant changes in administration with additional vacancies and turnover in the technology and finance departments. Along with budget constraints, the ability to complete a risk assessment and formal documentation of the IT policies and procedures has been delayed.

Effect – The College was not in compliance with the Department of Education’s requirements for GLBA.

Recommendation – The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule; this would include the completion of a documented, thorough, and standardized risk assessment. As part of this process, IT policies should be updated and documented to align with the College’s current IT environment and be formally approved and implemented throughout the College.

Management response - Over the past year, the College experienced significant changes in leadership, including vacancies and turnover within the finance and technology departments. As a result, finalizing the remaining GLBA documentation has been delayed. Some of the required work has already been completed operationally, and we are committed to finalizing the written policies and procedures in the coming months.

Corrective Action Plan

The College agrees with the finding. While many GLBA-required safeguards are operationally in place, documentation and a formal enterprise risk assessment have not been fully completed. The College will engage a qualified third party to perform a comprehensive GLBA-aligned risk assessment using a recognized framework such as NIST. Based on the results, the College will document identified risks, existing safeguards, and remediation plans. Additionally, the College will formalize and update its Written Information Security Program, including policies addressing vendor management, user access controls, data transmission and destruction, change management, and data inventory. Policies will be reviewed and approved through the College’s governance process.

Responsible Party: Kyle Brown, Executive Director of Technology, Jamestown Community College, kylebrown@sunyjcc.edu, 716.338.1118

Anticipated Completion Date: August 31, 2026

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Equipment & Real Property Management

Other Findings in this Audit

  • 1176355 2025-001
    Material Weakness Repeat
  • 1176356 2025-001
    Material Weakness Repeat
  • 1176357 2025-001
    Material Weakness Repeat

Programs in Audit

ALN    | Program Name | Expenditures
84.063 | FEDERAL PELL GRANT PROGRAM | $5.46M
84.268 | FEDERAL DIRECT STUDENT LOANS | $3.68M
59.037 | SMALL BUSINESS DEVELOPMENT CENTERS | $286,867
84.007 | FEDERAL SUPPLEMENTAL EDUCATIONAL OPPORTUNITY GRANTS | $102,505
84.016 | UNDERGRADUATE INTERNATIONAL STUDIES AND FOREIGN LANGUAGE PROGRAMS | $100,263
17.261 | WORKFORCE DATA QUALITY INITIATIVE (WDQI) | $93,833
84.033 | FEDERAL WORK-STUDY PROGRAM | $74,354
84.048 | CAREER AND TECHNICAL EDUCATION -- BASIC GRANTS TO STATES | $6,268