Finding 24108 (2022-005)

Significant Deficiency
Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2023-04-27
Audit: 20027
Auditor: Kreston Pr LLC

AI Summary

  • Core Issue: The Institution is not fully compliant with the Gramm-Leach-Bliley Act regarding student information security, with several key safeguards still in progress.
  • Impacted Requirements: Critical elements of the information security program, including risk assessment safeguards, monitoring effectiveness, and oversight of service providers, are not yet implemented.
  • Recommended Follow-Up: Establish a formal contract for the Information Security Program Coordinator and expedite the completion of the outstanding elements to ensure compliance with federal regulations.

Finding Text

Federal programs: Federal Pell Grant Program; Federal Direct Loan Program
CFDA Number: 84.063 / 84.268
Federal award identification number: P063P214207 / P268K224207
Grant period: August 1, 2021, to July 31, 2022
Federal agency: U.S. Department of Education
Pass-through entity: N/A
Category: Compliance / Internal Control
Finding Type: Significant Deficiency
Compliance requirement: Special tests and provisions: Gramm-Leach-Bliley Act, Student Information Security

Condition and context

During the examination of the Institution's compliance with the requirements of the Gramm-Leach-Bliley Act (Public Law 106-102), we noted that the Institution is still implementing the safeguards required by the results of its risk assessment. After performing our procedures, we noted the following deficiencies:

a. The Institution designated an external consultant as the coordinator of the Information Security Program. The Information Security Program Coordinator's functions were not specified in a formal written contract; therefore, the consultant does not have a detailed description of the functions and responsibilities of his designation.

b. The Institution's documentation of the safeguards indicates that the safeguards, policies and procedures required as a result of the risk assessment are still being implemented. We reviewed the Institution's written information security program to ascertain that it complies with the nine elements included in the FTC (Federal Trade Commission) regulations. We noted that the Institution still needs to comply with the following elements:

i. Element #3: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8). This element is still in process.

ii. Element #4: Provides for the institution or servicer to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 C.F.R. 314.4(d)). This element is still in process.

iii. Element #5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)). This element is still in process. We selected a sample of the policies and procedures completed during the year and noted that four of the policies did not include a signature as evidence of approval and did not have an effective date. Also, the twelve written policies and procedures were evaluated and approved by the Board of Directors.

iv. Element #6: Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)). This element is still in process.

v. Element #7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)). The coordinator provided documents showing the results of all the tests carried out. Some of the actions necessary to correct the deficiencies found are still in progress.

Criteria

The Dear Colleague Letter GEN-15-18, published on July 29, 2015, by the USDE and titled "Protecting Student Information", reminds institutions of higher education and their third-party servicers of their continuing obligations to protect data used in all aspects of the administration of the Title IV Federal student financial aid programs. The Student Aid Internet Gateway (SAIG) Enrollment Agreement entered into by each Title IV participating institution includes a provision that the institution "must ensure that all Federal Student Aid applicant information is protected from access by or disclosure to unauthorized personnel." Institutions are reminded that under various Federal and state laws and other authorities, including the HEA; the Family Educational Rights and Privacy Act (FERPA); the Privacy Act of 1974, as amended; the Gramm-Leach-Bliley Act; state data breach and privacy laws; and potentially other laws, they may be responsible for losses, fines, and penalties (including criminal penalties) caused by data breaches.

16 CFR 314.3(a) and (b) establish that institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives of this part. The objectives are to: (1) Insure the security and confidentiality of customer information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

16 CFR 314.4(a) requires the institution to designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (for purposes of this part, "Qualified Individual"). The Qualified Individual may be employed by you, an affiliate, or a service provider. To the extent the requirement in this paragraph (a) is met using a service provider or an affiliate, you shall: (1) retain responsibility for compliance with this part; (2) designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual; and (3) require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.

16 CFR 314.4(b)(2) establishes that you shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.

16 CFR 314.4(d)(1) and (2) require the institution to regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct: (i) annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and (ii) vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.

16 CFR 314.4(f) requires the institution to oversee service providers by: (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) requiring your service providers by contract to implement and maintain such safeguards; and (3) periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

16 CFR 314.4(g) requires the institution to evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to your operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; or any other circumstances that you know or have reason to know may have a material impact on your information security program.

16 CFR 314.4(i) requires your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information: (1) the overall status of the information security program and your compliance with this part; and (2) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.

2 CFR 200.303(a), (c) and (d) establish that the non-Federal entity must:

i. establish and maintain effective internal control over the Federal awards that provides reasonable assurance that the non-Federal entity is managing the Federal awards in compliance with Federal statutes, regulations, and the terms and conditions of the Federal awards. These internal controls should be in compliance with guidance in "Standards for Internal Control in the Federal Government" issued by the Comptroller General of the United States or the "Internal Control Integrated Framework," issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

ii. evaluate and monitor the non-Federal entity's compliance with statutes, regulations and the terms and conditions of Federal awards; and

iii. take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.

Cause

The Institution established a plan with due dates to complete all the tasks needed to comply with this requirement during the fourth quarter of the academic year ended July 31, 2022. The estimated date to complete the plan is the summer of 2023.

Effect

When an audit report includes a GLBA audit finding, the Department will refer the audit to the FTC (Federal Trade Commission). The FTC will determine what action may be needed because of the GLBA audit finding. Federal Student Aid's Postsecondary Institution Cybersecurity Team (Cybersecurity Team) will be informed of findings related to GLBA and may request additional documentation from the institution in order to assess the level of risk to student data presented by the institution or servicer's information security system. If the Cybersecurity Team determines that the institution or servicer poses substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution or servicer's access to the Department's information systems. Additionally, if the Cybersecurity Team determines that, as a result of very serious internal control weaknesses in the general controls over technology, the Institution or servicer's administrative capability is impaired, or that it has a history of non-compliance, it may refer the institution to the Department's Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department.

Questioned costs

None.

Identification as a Repeat Finding

A finding related to this compliance requirement was included in the prior year audit as Finding No. 2021-005.

Recommendations

We recommend that the Institution's management and Board of Directors execute a contract with the Information Security Program Coordinator that lays down the specific responsibilities expected of him related to the GLBA requirements. Also, the Institution's governance should request periodic reports on the progress of the Institution's action plan to comply with this requirement. In addition, they should require from the Qualified Individual a report in writing, regularly and at least annually. The Institution's management should monitor the progress of the action plan and properly document any delay in the estimated time to complete the pending tasks.

Views of Responsible Officials

Refer to the Institutional comments included in the Corrective Action Plan.

Corrective Action Plan

Compliance requirement: Special tests and provisions: Gramm-Leach-Bliley Act, Student Information Security

Institutional Comments on Findings and Recommendations:

(a) The institution agrees with the auditor on this finding. The Information Security Program Coordinator's functions were not specified in a formal written contract; therefore, the consultant does not have a detail of the functions and responsibilities of his designation.

(b) The institution agrees with the auditor on this finding. The Institution has yet to comply with, needs to terminate and correct some of the nine elements that are included in the FTC (Federal Trade Commission).

Actions Taken or Planned:

1. A contract with the IT Program Coordinator is being finished with a breakdown of the responsibilities expected for the GLBA requirements. We should be starting it in May 2023.

2. There has been progress in the action plan, where a set of estimated times of completion is provided. We will keep doing so and monitor every aspect of the risk assessment to cover and safeguard each area found, with a document that indicates any advances.

3. The Institution, with the IT Coordinator, will keep monitoring each step of the progress and any delay with a task report that will show any advance or delay for the pending findings, so that we can track the development closely until finished.

4. Finally, we will continue with the efforts to document and complete the corrections to the risk assessment results.

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Matching / Level of Effort / Earmarking
  • Internal Control / Segregation of Duties
  • Special Tests & Provisions
  • Significant Deficiency

Other Findings in this Audit

  • 24105 2022-001
    Significant Deficiency Repeat
  • 24106 2022-003
    Material Weakness Repeat
  • 24107 2022-004
    Significant Deficiency Repeat
  • 24109 2022-001
    Significant Deficiency Repeat
  • 24110 2022-003
    Material Weakness Repeat
  • 24111 2022-004
    Significant Deficiency Repeat
  • 24112 2022-005
    Significant Deficiency Repeat
  • 24113 2022-002
    Material Weakness
  • 24114 2022-007
    Significant Deficiency
  • 24115 2022-010
    Material Weakness
  • 24116 2022-002
    Material Weakness
  • 24117 2022-006
    Material Weakness
  • 24118 2022-007
    Significant Deficiency
  • 24119 2022-008
    Material Weakness
  • 24120 2022-009
    Material Weakness
  • 24121 2022-010
    Material Weakness
  • 600547 2022-001
    Significant Deficiency Repeat
  • 600548 2022-003
    Material Weakness Repeat
  • 600549 2022-004
    Significant Deficiency Repeat
  • 600550 2022-005
    Significant Deficiency Repeat
  • 600551 2022-001
    Significant Deficiency Repeat
  • 600552 2022-003
    Material Weakness Repeat
  • 600553 2022-004
    Significant Deficiency Repeat
  • 600554 2022-005
    Significant Deficiency Repeat
  • 600555 2022-002
    Material Weakness
  • 600556 2022-007
    Significant Deficiency
  • 600557 2022-010
    Material Weakness
  • 600558 2022-002
    Material Weakness
  • 600559 2022-006
    Material Weakness
  • 600560 2022-007
    Significant Deficiency
  • 600561 2022-008
    Material Weakness
  • 600562 2022-009
    Material Weakness
  • 600563 2022-010
    Material Weakness

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $707,037
84.425 Covid 19 - Education Stabilization Fund $487,617
84.063 Federal Pell Grant Program $-6,874