Finding Text
Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to
explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR
314). The regulation states that the college must designate a qualified individual responsible for
overseeing, implementing, and enforcing its information security program (16 CFR 314.4(a)). The entity
shall have a Written Information Security Program (WISP) that outlines the design and implementation of
the risk assessment procedures (16 CFR 314.4(b)). At a minimum, the institution's written information
security program must address the implementation of the minimum safeguards identified in 16 CFR
314.4(c)(1) through (8), including assessing applications developed by the institution. In addition, the
written security program must provide for the institution to regularly test or otherwise monitor the
effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). The Code of Federal Regulations,
2 CFR 200.303, requires that entities establish and maintain internal controls which provide reasonable
assurance that federal award expenditures are in compliance with Federal statutes, regulations, and the
terms and conditions of the Federal award.
Condition: The college was missing all of the requirements from the Gramm-Leach-Bliley Act except for
having a Written Information Security Program and secure disposal of customer information.
Context: The institution has been in compliance with previous iterations of GLBA regulations. The Written
Information Security Program (WISP), which was required as of June 9, 2023, had missing elements, but a
Qualified Individual was designated for overseeing and implementing the WISP. Some controls were in
place whereas others were not. The institution did have a WISP as of the deadline, but it was missing
some required information.
Questioned costs: N/A
Cause: These new GLBA requirements were applicable beginning on June 9, 2023, and there were
multiple elements missing from their Written Information Security Program.
Effect: Student personal information could be vulnerable.
Repeat finding: No
Recommendation: We recommend that the College review the updated GLBA requirements and ensure
its WISP includes all required elements.
Views of responsible officials: Management agrees with the finding and has developed a plan to correct
the finding.