Federal Program Title: Student Financial Aid Cluster (SFA), GLBA info. security plan
ALN Number: 84.007, 84.033, 84.063, 84.268
Condition: The college was missing all of the requirements from the Gramm-Leach-Bliley Act except for having a Written Information Security Program and secure disposal of customer information.
Context: The entity shall have a Written Information Security Program (WISP) that outlines the design and implementation of the risk assessment procedures (16 CFR 314.4(b)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. These new GLBA requirements were applicable beginning on June 9, 2023, and there were multiple elements missing from their Written Information Security Program.
Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements.
Explanation if disagreement with audit finding: There is no disagreement with the audit finding.
Action planned/taken in response to finding: The Office of Internal Audit is beginning work on another System-wide Information Technology (IT) Penetration Testing and Vulnerability Assessment at all institutions within the OSU/A&M System. They will be coordinating with local IT staff from each institution, as well as the OSU Chief Information Officer, Raj Murthy, and the A&M System Chief Information Officer, Heath Hodges, to schedule the work.
Name(s) of the contact person(s) responsible for corrective action: Heath Hodges and Kevin Isom
Planned completion date for corrective action plan: March 31, 2024