Finding 382597 (2023-001)

Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-03-20
Audit: 296159
Organization: Martin Luther College (MN)

AI Summary

  • Core Issue: The College lacks a written information security program that meets all GLBA requirements.
  • Impacted Requirements: Compliance with GLBA standards is essential for safeguarding consumer nonpublic personal information.
  • Recommended Follow-Up: Conduct and document an annual risk assessment, ensuring all required GLBA elements are addressed in the security program.

Finding Text

Criteria

The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). In 2021, the Federal Trade Commission issued final regulations that altered the current required elements of an information security program and added several new elements. Under the regulations, institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The written information security program for institutions must address all elements that apply. The elements for the information security programs set forth in 16 CFR 314.4 are high-level principles that set forth basic issues the programs must address, and do not prescribe how they will be addressed.

Condition

The College does not have a written information security program that addresses all elements that apply.

Cause

The College did not have procedures and processes in place specific to GLBA and therefore did not have written documentation of all required elements.

Effect

Failure to comply with the requirements of GLBA standards puts the College at risk of compromising consumer nonpublic personal information.

Questioned Costs

Not applicable.

Context

Not applicable.

Recommendation

The College should perform and document an annual risk assessment to determine the College's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the College should address each of the required minimum elements noted in the GLBA regulations (16 CFR 314.4).

Management's Response

The cause of the reported issue stems from the lack of written documentation of policies and procedures specific to GLBA requirements. The issue is being addressed by the Director of Information Technology and a campus-wide committee overseeing information security. The documented information security program has been drafted and will address the GLBA cybersecurity requirements.

Corrective Action Plan

The lack of written documentation of policies and procedures specific to GLBA requirements is being addressed by the Director of Information Technology and a campus-wide committee overseeing information security. The documented information security program has been drafted and will address the required elements of GLBA. Final policies will be reviewed and approved by the Administrative Council, or president's cabinet. The College is also planning to increase assurance procedures related to the GLBA requirements, with a mid-year review of the information security program as well as enhanced procedures during the interim audit.

Categories

Subrecipient Monitoring

Programs in Audit

ALN      Program Name                                           Expenditures
84.268   Federal Direct Student Loans                           $1.76M
84.063   Federal Pell Grant Program                             $743,146
84.038   Federal Perkins Loan Program                           $289,518
84.033   Federal Work-Study Program                             $35,542
84.007   Federal Supplemental Educational Opportunity Grants    $28,704