Finding 35215 (2022-002)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2023-02-27

AI Summary

  • Core Issue: The Institute failed to complete and document a required risk assessment for compliance with the Gramm-Leach-Bliley Act in fiscal 2022.
  • Impacted Requirements: Internal controls over compliance were inadequate, specifically regarding employee training, information systems, and incident response as outlined in 16 CFR 314.4 (b).
  • Recommended Follow-Up: Management should conduct and document a comprehensive risk assessment, review internal controls annually, and develop an Information Security Plan to protect sensitive data.

Finding Text

2022-002

Assistance Listing Number(s), Federal Agency and Program Name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial assistance cluster.

Finding Type: Noncompliance and significant deficiency in control over compliance relating to special tests.

Criteria: The Institute is responsible for designing, implementing, and maintaining internal control over compliance for special tests and provisions and for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing an annual risk assessment that addresses the three required areas noted in 16 Code of Federal Regulations (CFR) 314.4 (b).

Statement of Condition: A formal risk assessment that would have addressed the required areas noted in 16 CFR 314.4 (b) was not completed and documented in fiscal 2022.

Questioned Costs: Questioned costs could not be determined.

Context: The internal controls over compliance at the Institute did not identify that a risk assessment in compliance with the Gramm-Leach-Bliley Act was not completed and that the Institute did not comply with the compliance requirement. However, the Institute has safeguards for each area identified within 16 CFR 314.4 (b).

Cause: The Institute did not have internal controls in place to identify the need for the risk assessment required by the Gramm-Leach-Bliley Act.

Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguards for each risk identified.

Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures. This risk assessment should be documented, and we recommend that the Institute document the approval and acceptance of the risk assessment. In addition, we recommend management review internal control processes for special tests and provisions on an annual basis.

Management's Response: Management agrees with the finding. The Institute will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. The Institute will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow to ensure that employees are up to date with the latest information security best practices. The Institute will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. The Institute will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs, the Institute will follow the ISP to remedy the incident, and revise the ISP as needed.

Corrective Action Plan

Action Plan for the Year Ended May 31, 2022

Finding 2022-002, Section III: Federal and State Awards Findings and Questioned Costs

Assistance listing number(s), federal agency, and program name: 84.063, 84.007, 84.033, and 84.268; United States Department of Education (DOE), Student financial aid cluster.

Finding type: Noncompliance

Criteria: The Institute is responsible for safeguarding sensitive data under the Gramm-Leach-Bliley Act, including performing a risk assessment that addresses the three required areas noted in 16 CFR 314.4 (b).

Statement of condition: A formal risk assessment addressing the required areas noted in 16 CFR 314.4 (b) is not documented.

Questioned costs: Questioned costs could not be determined.

Context: The Institute has safeguards in place for each area identified within 16 CFR 314.4 (b); however, a formal risk assessment, and documentation of the relevant safeguards implemented by the Institute to address the risks, is not documented.

Cause: There is no formal risk assessment documented.

Effect: The Institute has no verifiable evidence of the risk assessment performed and the related safeguard for each risk identified.

Recommendation: We recommend management review 16 CFR 314.4 (b) to perform a risk assessment that addresses the three required areas, which are (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures.

Management's Response: Management agrees with the finding.

Corrective Action: MIAD will review 16 CFR 314.4 (b) and develop a written Information Security Plan (ISP) that outlines the procedures and practices to protect non-public personal information (NPI) and manage information security risks. MIAD will provide routinely scheduled training to all current and new employees on the importance of protecting NPI and the procedures they must follow, to ensure that employees are up to date with the latest information security best practices. MIAD will continue to conduct regular risk assessments to identify potential security vulnerabilities, both internal and external, to evaluate the effectiveness of the ISP. MIAD will develop a plan to investigate and respond to security incidents that may compromise NPI. If an incident occurs, MIAD will follow the ISP to remedy the incident, and revise the ISP as needed.

Matt Ogden
Director of Technology
414.847.3223
mattogden@miad.edu
February 14th, 2023

Categories

  • Special Tests & Provisions
  • Subrecipient Monitoring
  • Significant Deficiency
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 35214 2022-001
    Significant Deficiency
  • 35216 2022-001
    Significant Deficiency
  • 35217 2022-002
    Significant Deficiency
  • 35218 2022-001
    Significant Deficiency
  • 35219 2022-002
    Significant Deficiency
  • 35220 2022-001
    Significant Deficiency
  • 35221 2022-002
    Significant Deficiency
  • 611656 2022-001
    Significant Deficiency
  • 611657 2022-002
    Significant Deficiency
  • 611658 2022-001
    Significant Deficiency
  • 611659 2022-002
    Significant Deficiency
  • 611660 2022-001
    Significant Deficiency
  • 611661 2022-002
    Significant Deficiency
  • 611662 2022-001
    Significant Deficiency
  • 611663 2022-002
    Significant Deficiency

Programs in Audit

ALN     Program Name                                                           Expenditures
84.268  Federal Direct Student Loans                                           $7.84M
84.063  Federal Pell Grant Program                                             $1.71M
84.007  Federal Supplemental Educational Opportunity Grants                    $154,848
84.425  Education Stabilization Fund                                           $124,793
84.033  Federal Work-Study Program                                             $70,000
84.126  Rehabilitation Services_Vocational Rehabilitation Grants to States     $13,472
84.334  Gaining Early Awareness and Readiness for Undergraduate Programs       $672