Finding Text
Federal Program
Student Financial Aid Cluster
Federal Supplemental Educational Opportunity Grant (ALN 84.007)
Federal Pell Grant Program (ALN 84.063)
Federal Direct Student Loans (ALN 84.268)

Compliance Requirement
Special Tests and Provisions – Information Security

Criteria
The GLBA Safeguards Rule requires covered institutions to develop, implement, and maintain a written information security program containing administrative, technical, and physical safeguards to protect customer information. [ftc.gov], [ecfr.gov]

Condition
VEEB is subject to the requirements of the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. During the audit, it was noted that VEEB does not have a written information security program as required by 16 CFR Part 314. While certain informal information security practices may be in place, the absence of a formally documented program does not meet GLBA requirements.

Cause
Management has not formalized information security policies and procedures into a written information security program.

Effect
Without a written information security program, VEEB is not in full compliance with GLBA requirements applicable to its participation in federal student financial assistance programs. This increases the risk that sensitive student information may not be adequately safeguarded.

Questioned Costs
None.

Recommendation
We recommend that management develop, implement, and maintain a written information security program that complies with the GLBA Safeguards Rule, including documented administrative, technical, and physical safeguards appropriate to the size and complexity of the organization.