Finding No.: 2023-018
Federal Agency: U.S. Department of Education
AL Program: 84.063 Federal Pell Grant Program
Federal Award No.: P063P214572, P063P224572, P063P234572
Area: Special Tests and Provisions - Gramm-Leach-Bliley Act-Student Information Security
Questioned Costs: Undeterminable

Criteria: 16 CFR 314.1 implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act (GLBA), which sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

16 CFR 314.3 requires the institution to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of this part.

16 CFR 314.4 states that in order to develop, implement, and maintain the institution’s information security program, the institution shall:

(a) Designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing its information security program.

(b) Base its information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.

(c) Design and implement safeguards to control the risks it identifies through risk assessment, including by:
(1) Implementing and periodically reviewing access controls;
(2) Identifying and managing the data, personnel, devices, systems, and facilities that enable the institution to achieve business purposes in accordance with their relative importance to business objectives and risk strategy;
(3) Protecting by encryption all customer information held or transmitted by the institution, both in transit over external networks and at rest;
(4) Adopting secure development practices for in-house developed applications utilized by the institution for transmitting, accessing, or storing customer information, and procedures for evaluating, assessing, or testing the security of externally developed applications the institution utilizes to transmit, access, or store customer information;
(5) Implementing multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
(6) (i) Developing, implementing, and maintaining procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and (ii) Periodically reviewing the institution’s data retention policy to minimize the unnecessary retention of data;
(7) Adopting procedures for change management; and
(8) Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

(d) (1) Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. (2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the institution shall conduct:
(i) Annual penetration testing of its information systems, determined each given year based on relevant identified risks in accordance with the risk assessment; and
(ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in its information systems based on the risk assessment, at least every six months; whenever there are material changes to operations or business arrangements; and whenever there are circumstances the institution knows or has reason to know may have a material impact on its information security program.

(e) Implement policies and procedures to ensure that personnel are able to enact the institution’s information security program;

(f) Oversee service providers; and

(g) Evaluate and adjust the institution’s information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; or any other circumstances that the institution knows or has reason to know may have a material impact on its information security program.
Condition: The College has not designated a Qualified Individual responsible for implementing and monitoring the institution’s information security program. Additionally, the College does not have a written information security program that addresses all the required minimum elements cited in the above Criteria.

Cause: There is a lack of awareness or understanding of the GLBA requirements.

Effect: The College is in noncompliance with the applicable special tests and provisions for Gramm-Leach-Bliley Act-Student Information Security requirements. No questioned cost is presented because we are unable to quantify the extent of noncompliance.

Recommendation: College management should consider training the personnel responsible for managing federal programs so that they are well informed of the applicable compliance requirements. Also, the College should designate a Qualified Individual responsible for implementing and monitoring the institution’s information security program. Lastly, the College should establish a written information security program that addresses all the required minimum elements cited in the above Criteria.

Views of Auditee and Planned Corrective Actions: The College agrees with the finding and provides details in its Corrective Action Plan.