Finding Text
Criteria: Institutions participating in the Student Financial Assistance (SFA) program are required to comply with GLBA. GLBA requires institutions to implement certain written policies.

Condition: The College does not have all required written policies under GLBA, including staff training, vendor management, vulnerability testing, and all elements of the written information security program.

Cause and Effect: The College has not established formal policies to ensure compliance with GLBA requirements. Resource constraints and competing priorities were contributing factors. As a result, the College is not fully compliant with GLBA requirements.

Recommendation: We recommend that the College update the comprehensive written information security program to fully address all minimum requirements outlined by GLBA. Additionally, the College should establish a formal written policy to provide staff with regular training on data security and privacy. A vendor management policy should also be developed and implemented to ensure third-party service providers adequately protect customer information. Finally, the College should ensure that its vulnerability assessment process meets all GLBA criteria and that all related plans and policies are reviewed and updated annually.

Management Response: Elmira College recognizes the deficiency in written policies related to GLBA requirements. The College is dedicated to having formal policies ready for outstanding items by June 30, 2026. In order to address this deficiency while keeping up with normal operations of the Information Technology department, restructuring has occurred and a new position has been created in order to free up time for the Director of IT Infrastructure and Operations and his team to finish creating the necessary policies in a timely manner.