Finding 384319 (2023-001)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2023
Accepted
2024-03-25
Audit: 297439
Organization: Erikson Institute (IL)
Auditor: Rsm US LLP

AI Summary

  • Core Issue: The Institute lacks a complete written policy for all eight required elements of the Gramm-Leach-Bliley Act (GLBA) safeguards; the element covering secure disposal of customer information was designed but not documented.
  • Impacted Requirements: Noncompliance with GLBA requirements increases the risk of unauthorized access to student information and violates federal regulations.
  • Recommended Follow-Up: Implement a comprehensive, formally documented Information Security Policy that addresses all GLBA safeguards and ensure regular reviews for compliance.

Finding Text

Finding 2023-001: Gramm-Leach-Bliley Act, Student Information Security
Repeat Finding: No
Federal Program Title: U.S. Department of Education Student Financial Assistance Cluster
  • Federal Direct Student Loans: 84.268
  • Federal TEACH Grants: 84.379
  • Federal Work-Study Program: 84.033
Federal Award Year: 2022-2023

Condition

While the Institute does have various policies addressing information security, the Institute did not have written policies addressing the required safeguards for all eight required elements under the Gramm-Leach-Bliley Act (GLBA) by June 9, 2023, the required date of compliance. Of the eight required elements under the GLBA, the Institute had six written and formally documented safeguards, one is not applicable (assess apps developed by the institution), and one had safeguards designed (dispose of customer information securely) but no written policy in place.

Criteria

In accordance with 16 CFR 314.4(c), an institution's written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). These are:
  • (1) implement and periodically review access controls,
  • (2) conduct a periodic inventory of data, noting where it is collected, stored or transmitted,
  • (3) encrypt customer information on the institution's system and when it is in transit,
  • (4) assess apps developed by the institution,
  • (5) implement multi-factor authentication for anyone accessing customer information on the institution's system,
  • (6) dispose of customer information securely,
  • (7) anticipate and evaluate changes to the information system or network, and
  • (8) maintain a log of authorized users' activity and keep an eye out for unauthorized users.

2 CFR Section 200.303 requires that entities receiving Federal awards establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that reviews are completed over information security policies and that those policies comply with GLBA requirements.

Questioned Costs

There were no questioned costs.

Cause

While security policies and practices addressed the safeguards identified in 16 CFR 314.4(c)(1) through (8), not all of them were formally documented, due to an oversight. Of the eight required elements under the GLBA, the Institute had six written and formally documented safeguards, one is not applicable, and one had safeguards designed (dispose of customer information securely) but no written policy in place. A comprehensive formal Information Security Policy that addresses all required safeguards under the GLBA has been drafted and is in its final institutional review.

Context

The required elements were not combined into a single policy.

Effect

Failure to meet the minimum requirements of the GLBA is noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other compromise of student information.

Recommendation

We recommend the Institute implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy.

Views of Responsible Officials

We agree with this finding. See corrective action plan.

Categories

  • Internal Control / Segregation of Duties
  • Equipment & Real Property Management
  • Matching / Level of Effort / Earmarking

Other Findings in this Audit

  • 384318 2023-001
    Significant Deficiency
  • 384320 2023-001
    Significant Deficiency
  • 384321 2023-002
    Significant Deficiency Repeat
  • 384322 2023-003
    Significant Deficiency
  • 960760 2023-001
    Significant Deficiency
  • 960761 2023-001
    Significant Deficiency
  • 960762 2023-001
    Significant Deficiency
  • 960763 2023-002
    Significant Deficiency Repeat
  • 960764 2023-003
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $4.55M
93.600 Head Start $612,255
84.305 Education Research, Development and Dissemination $300,245
84.325 Special Education - Personnel Development to Improve Services and Results for Children with Disabilities $220,511
84.425 Education Stabilization Fund $211,666
93.575 Child Care and Development Block Grant $191,160
93.434 Every Student Succeeds Act/Preschool Development Grants $121,893
84.033 Federal Work-Study Program $75,000
45.313 Laura Bush 21st Century Librarian Program $61,836
84.379 Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) $2,515