Finding Text
Finding 2022-005: Gramm-Leach-Bliley Act Information on the Federal Program: Federal Direct Student Loan Program (AL Number 84.268) – U.S. Department of Education Criteria or specific requirement: 16 CFR 314 – Institutions that participate in title IV educational assistance programs are subject to the Gramm-Leach-Bliley Act to protect student financial aid information. They are required to (a) designate a qualified individual responsible for overseeing, implementing, and enforcing their information security program, (b) base the information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to customer information, and (c) design and implement safeguards to control the risks identified through risk assessment. Condition: The Seminary did not have a written information security program in place during the year under audit. Questioned Cost: $0 Cause: Management was not aware of the documentation requirement. Effect: While the services provided by the IT service provider as well as the Seminary's internal IT department address security concerns and needs within the Seminary, all areas of Gramm-Leach- Bliley might not be addressed. Recommendation: We recommend that management develop the written comprehensive information security program using the standards set by the Gramm-Leach-Bliley Act including designating a qualified individual responsible for overseeing, implementing, and enforcing the program. Views of responsible officials and planned corrective actions: Management concurs with the above finding. The Seminary has developed, with the assistance of our outsourced vCIO and vChief Security Officer, a comprehensive security plan which meets the standards required by the Gramm- Leach-Bliley Act.