Finding Text
Gramm-Leach-Bliley Act (GLBA) Compliance Material Weakness DEPARTMENT OF EDUCATION ALN #: 84.268, 84.063, 84.007, 84.033, and 84.379 (Student Financial Assistance Cluster) Federal Award Identification #: 2023-2024 Financial Aid Year Condition: The College did not sufficiently comply with the updated requirements of GLBA. Criteria: 16 CFR 314.4 Questioned Costs: $0 Context: The College has not sufficiently documented its security risk assessment and safeguards, including general threats, multi-factor authentication on systems containing personally identifiable information (PII), or continuous monitoring, such as penetration testing and vulnerability scanning. Additionally, the College has not fully implemented sufficient vendor management policies and reviews, implemented an incident response plan, or provided a written, annual report to the board. Cause: The College has not allocated sufficient resources to address and document compliance with the requirements of GLBA. Effect: The College has not adequately addressed the requirements of GLBA, which may lead to unintended exposure of student information to security risks. Identification as repeat finding, if applicable: 2023-012. Recommendation: We recommend the College allocate sufficient resources to address all requirements of GLBA. Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.