Finding Text
Federal Program: Student Financial Aid Cluster
Type of Finding: Significant Deficiency in Internal Control Over Compliance and Other Matters
Federal Agency: Department of Education
ALN Number: 84.063, 84.268, 84.033, 84.007

Criteria:
The FTC Safeguards Rule, 16 CFR 314.4, requires covered financial institutions to develop, implement, and maintain a comprehensive information security program that includes, at a minimum:
- Designation of a qualified individual to oversee the program
- A written risk assessment addressing internal and external threats
- Implementation of safeguards designed to control identified risks, with regular testing or monitoring
- Formal oversight of service providers, including contractual safeguard requirements
- Ongoing evaluation and adjustment of the information security program

Condition:
The College has not fully developed, implemented, and documented the information security program required under the Federal Trade Commission's Safeguards Rule, 16 CFR 314.4. While the College has implemented certain administrative and technical security measures, several required components remain informal, incomplete, or in draft status. Specifically:
- The College has not completed a written risk assessment that identifies reasonably foreseeable internal and external risks, defines evaluation and categorization criteria, assesses the confidentiality, integrity, and availability of customer information, and documents risk mitigation or acceptance decisions, as required by § 314.4(b).
- The College has not formally adopted a written information security program that is based on the results of a documented risk assessment and includes a defined program for regular testing and monitoring of key controls, systems, and procedures, as required by § 314.4(c).
- Incident response and testing activities are described as informal or in draft form, and a finalized incident response policy has not yet been approved and implemented.
- Vendor oversight procedures are not fully documented to demonstrate that all service providers are contractually required to maintain safeguards consistent with the Safeguards Rule, as required by § 314.4(d).
As a result, required elements of the Safeguards Rule are planned or in progress, but not fully implemented.

Cause:
Management has focused primarily on deploying technical security controls and initiating program development activities; however, formal governance documentation, risk assessment methodology, and program approval processes have not progressed at the same pace. As a result, the information security program has not been fully documented or formally implemented in accordance with regulatory requirements.

Context and Effect:
Failure to fully comply with 16 CFR 314.4 increases the risk that student information may not be adequately protected against unauthorized access, disclosure, or misuse. In addition, noncompliance with the FTC Safeguards Rule exposes the College to potential regulatory scrutiny, enforcement actions, and penalties, as well as reputational harm in the event of a cybersecurity incident.

Questioned Costs: None.

Recommendation:
The College should:
1. Complete and formally approve a written risk assessment that meets all requirements of 16 CFR 314.4(b).
2. Finalize, adopt, and implement a written information security program aligned with the documented risk assessment.
3. Establish and document a formal testing and monitoring program with defined scope and frequency.
4. Finalize and implement the incident response policy and ensure it is integrated into the broader information security program.
5. Review service provider contracts and document that all applicable vendors are required by contract to maintain appropriate safeguards.

Grantee Comment: Refer to Corrective Action Plan.