Finding Text
2025-012 — Gramm-Leach-Bliley Act - Student Information Security (Special Test #11) – Material Weakness in Internal Control Over Compliance and Noncompliance (Repeat of Finding 2024-011)

Federal program information:
Funding agencies: U.S. Department of Education
Titles: SFA Cluster
ALN Number: 84.063 and 84.007
Award years: 2025

Criteria: According to 16 CFR 314, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers Title IV-eligible institutions that participate in the Title IV Education Assistance programs to be "financial institutions" and therefore subject to the GLBA. Institutions must protect student financial aid information, with particular attention to information.

Condition: Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and includes specific elements. The College did not have a comprehensive information security program in place, written or otherwise, that met these specific elements.

Cause: The College's IT control environment lacks certain key controls. There are currently no formalized IT policies and procedures, no sufficient data backup processes, and no formalized disaster recovery plan. IT controls are not in place to ensure that unauthorized individuals are restricted from adding new vendors, recording journal entries, and making changes to employee pay records.

Effect: The College is not in compliance with the requirements of the program, and student data may be compromised without policies in place to ensure otherwise.

Questioned Costs: None.

Context: The College is not in compliance with the GLBA requirements.

Recommendation: The College should comply with grant requirements and develop, implement, and maintain a comprehensive information security program that includes the specific elements required.
Management's Response: The College concurs with this finding. Management is in the process of developing, implementing, and maintaining a comprehensive information security program and a formalized disaster recovery plan as required by the GLBA. IT controls will be implemented to ensure nonauthorized individuals are restricted from adding new vendors, recording journal entries, and making changes to employee pay records.