Finding Text
Section III – Federal Award Findings and Questioned Costs
2023 – 001
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program)
Federal Award Identification Number and Year: N/A; 2022-2023
Pass-Through Agency: N/A
Pass-Through Number(s): N/A
Award Period: July 1, 2022 – June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our testing of the College’s information technology, we noted that the College’s written security program did not meet the following compliance requirements:
• Implementation and periodic review of access controls
• Encryption of customer information on the College’s system and when it is in transit
• Evaluating, assessing or testing the security of applications that transmit sensitive information
• The anticipation and evaluation of changes to the information system or network
• Regular testing or monitoring of established safeguards to ensure effectiveness
• The implementation of policies and procedures which ensure personnel can enact the information security program
• The monitoring of the College’s information system service providers
Cause: The College has continued to make progress in updating the College’s written security program to become compliant with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process.
Effect: The student personal information could be vulnerable.
Repeat finding: No
Recommendation: We recommend that the College designate an individual to oversee the information security function and work to update the College’s written security program to ensure compliance with all the standards.
Views of responsible officials: Lincoln Land Community College (LLCC) acknowledges and takes seriously the audit findings presented, highlighting areas where compliance requirements were not met. These findings are crucial in ensuring the ongoing enhancement of our Information Security Program.
To address these concerns, LLCC has proactively taken several measures. In June 2022, the College appointed an IT Security and Assurance Manager, tasked with overseeing the Information Security Program and ensuring compliance with the Gramm-Leach-Bliley Act (GLBA). The Manager has played a pivotal role in developing a comprehensive roadmap to guide the continued evolution of our Information Security Program.
This roadmap specifically outlines the steps required to address the identified deficiencies, as detailed in the schedule of findings document received from the CLA. LLCC affirms its agreement with the details provided in the document and has prioritized these findings as top-level concerns in the roadmap.
In the upcoming Fiscal Year 2024 (FY24), LLCC commits to diligently implementing the roadmap, with a focused emphasis on the following key areas:
1. Implementation and Periodic Review of Access Controls: The IT Security and Assurance Manager will lead efforts to establish robust access controls and ensure regular reviews to align with compliance requirements.
2. Encryption of Customer Information: Although informal procedures are in place, a comprehensive strategy for encrypting customer information both within the College’s system and during transit will be implemented to safeguard sensitive data.
3. Security Assessment of Applications: Rigorous evaluations, assessments, and testing procedures for applications transmitting sensitive information will be instituted to bolster the overall security posture.
4. Anticipation and Evaluation of System Changes: Proactive measures will be taken to anticipate and evaluate changes to the information system or network, ensuring a proactive stance against potential vulnerabilities, including the development of a formalized change management process.
5. Regular Testing and Monitoring: LLCC is committed to instituting regular testing, monitoring, and assessing protocols for established safeguards to ensure their ongoing effectiveness.
6. Implementation of Policies and Procedures: Policies and procedures will be refined and enforced to guarantee that personnel can effectively enact the information security program.
7. Monitoring Information System Service Providers: Development of a comprehensive approach to monitoring the College’s information system service providers has been initiated and will be established to ensure compliance with security standards.
Lincoln Land Community College views this as an opportunity for continuous improvement and remains dedicated to upholding the highest standards of information security. The commitment to addressing these findings is integral to our ongoing efforts to safeguard sensitive information and maintain compliance with regulatory requirements.