Finding Text
Finding 2023-001 – Student Financial Assistance Cluster
Federal Agency – U.S. Department of Education
Grant Period – Year ended June 30, 2023
Compliance Requirement – N. Gramm-Leach-Bliley Act–Student Information Security
Criteria – Institutions participating in Title IV programs are required to comply with various laws and regulations as part of their signed Program Participation Agreement (PPA), including but not limited to, the Federal Trade Commission’s Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (Title 16, Chapter I, Subchapter C, Part 314).
Condition – The College has not performed a formal risk assessment of their technology environment since 2018. In addition, the College’s written information security program (WISP) has not been updated and does not address the seven required minimum elements per the 2023 Compliance Supplement.
Cause – The College had not performed any additional review or updates since 2018 to its WISP and/or risk assessment to include the required elements or document any updates to the College’s Information Technology (IT) environment.
Effect – The College was not in compliance with the Department of Education’s requirements for GLBA.
Recommendation – The College needs to conduct a formal risk assessment and update its WISP to ensure the seven required elements are addressed. As part of this process, IT policies should be updated to align with the College’s current IT environment and be formally approved and implemented throughout the College.