Finding Text
2022-004 Student Financial Aid Cluster U.S. Department of Education Federal Direct Student loans 84.268, Federal Work-Study Program 84.033, Federal Perkins Loan Program 84.038, Federal Pell Grant Program 84.063, Federal Supplemental Educational Opportunities Grants 84.007, Nursing Student Loans 93.364 Award Year - Academic year 2021-2022 Criteria or Specific Requirement - The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Under 16 CFR 314, institutions are required to designate an employee or employees to coordinate the information security program, perform a risk assessment that addresses the three risk areas noted in 16 CFR 314.4 (b) and document safeguards for identified risks. Condition - The College did not perform a risk assessment that addresses the areas noted in 16 CFR 314.4 (b) and document safeguards for identified risks in fiscal year 2022. Questioned Costs - None noted. Context - Through inquiry with management, it was determined that the risk assessment was not performed in fiscal year 2022. Cause - There was employee turnover in the Student Financial Aid department and in the Finance department and the risk assessment was not performed as the department was not fully staffed. Effect - Risk assessment and documentation of safeguards for identified risks was not performed. Identification as a repeat finding, if applicable - Not applicable. Recommendation - We recommend that management take necessary steps to ensure compliance with Gramm-Leach-Bliley Act requirements. View of Responsible Official and Planned Corrective Actions ? Management agrees with the stated finding and has implemented a corrective action plan.