Finding Text
Federal agency: U.S. Department of Education
Federal program title: Student Financial Aid Cluster
CFDA Number: 84.063, 84.268, 84.007, 84.033
Federal Award Identification Number: P063P221568, P268K231568, P007A221791, P033A211791
Award Period: July 1, 2022 – June 30, 2023
Type of Finding: Material Weakness in Internal Control over Compliance, Other Matters
Criteria or specific requirement:
Internal Control – Per 2 CFR section 200.303(a), a non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non- Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4.
Condition: Certain elements of the College’s information security program were not meeting GLBA requirements.
Questioned costs: None
Context: The College’s written information security program did not cover the following requirements:
Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (Risk Management section)
Assess apps developed by the institution (SDLC Policy or a policy that includes the testing done to applications provided by vendors)
Implement multi-factor authentication for anyone accessing customer information on the institution’s system (The use of MFA)
Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (performing annual penetration testing and IT Risk Assessment)
There is no Change Management Policy
There is no Vendor Management Policy
The Information Security Policy is in draft from. (Many of the requirements were located in this policy but the policy is in draft form)
Cause: The college acknowledges certain deficiencies in compliance in large part due to a gap in having subject matter expertise consistently staffed in these areas. As part of the strategic plan the President has set forth a college wide goal of bringing on FTE staff with the needed subject matter expertise to properly address these compliance deficiencies.
Effect: Information security management may not be optimized and responses delayed without the written plan.
Repeat Finding: No
Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4.
Views of responsible officials: There is no disagreement with the audit finding.