Finding Text
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” and therefore subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: The following required elements of the Written Information Security Program were not included:
b.3.2 Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
b.3.3 Encrypt customer information on the institution’s system and when it’s in transit.
b.3.4 Assess apps developed by the institution.
b.3.6 Dispose of customer information securely.
b.7 Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Questioned costs: None
Context: These new GLBA requirements became applicable on June 9, 2023, and the required elements listed above were missing from the College’s WISP.
Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance.
Effect: Student personal information could be left vulnerable.
Repeat Finding: No
Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements.
Views of responsible officials: There is no disagreement with the audit finding.