Finding Text
Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)).
Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
Condition: The College did not implement a risk assessment as part of the new Gramm-Leach-Bliley Act’s (GLBA) standards for safeguarding customer information to their student information security policy. We consider this finding to be an instance of noncompliance in relation to Special Tests and Provisions. Statistical sampling was not used in making sample selections.
Questioned Costs: N/A
Effect: The result is the College did not meet the requirements for protecting and securing data obtained from the Department of Education’s systems for the purposes of administering the Title IV programs.
Recommendation: We recommend the College complete a formal risk assessment to adhere the regulations and await guidance from the Department of Education.
Views of Responsible Officials: Management agrees with this Single Audit Finding and response is included in the Corrective Action Plan.