Finding Text
Finding 2022-002 - Special Tests and Provisions - Gramm-Leach-Bliley Act - Student Information Security (Compliance Finding)

Information on the Federal Program: U.S. Department of Education 84.268 - Federal Direct Loan Program

Federal Award Year: July 1, 2021 to June 30, 2022

Criteria: The Seminary is required to comply with the Gramm-Leach-Bliley Act. The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as "financial institutions" and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Under the Seminary's Program Participation Agreement with the ED and the Gramm-Leach-Bliley Act, the Seminary must protect student financial aid information, with particular attention to information provided to the Seminary by ED or otherwise obtained in support of the administration of the federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

Condition: The Seminary did not have a formally documented information security program as required by the Gramm-Leach-Bliley Act and was therefore out of compliance.

Cause: The Seminary was not aware of the Special Tests and Provisions - Gramm-Leach-Bliley Act student information security compliance requirement.

Effect or Potential Effect: Student financial aid information may not be adequately protected in accordance with the Gramm-Leach-Bliley Act.

Questioned Costs: None

Context: Although the Seminary did not have a formally documented information security program as required by the Gramm-Leach-Bliley Act, the Seminary had adequate safeguards in place to protect student financial information. Having a written information security program would not have affected the safeguards the Seminary already had in place to adequately protect student financial information. In addition, the Seminary had designated employees to coordinate the information security program and performed a risk assessment that addresses the requirements of 16 CFR 314.4.

Recommendation: We recommend that the Seminary implement policies, procedures, and related controls to comply with the Gramm-Leach-Bliley Act.

Views of Responsible Officials and Corrective Action Planned: The Seminary is currently working on developing an Information Security Program in order to meet current and upcoming requirements of the Gramm-Leach-Bliley Act. The Seminary's plan is to have this developed and implemented before December 9, 2022.

Planned Implementation Date of Corrective Action: December 9, 2022

Responsible Official for Corrective Action: Chief of Staff