FAC Explorer

Finding 393160 (2023-001)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2023
Accepted
2024-04-15
Audit: 303477
Organization: Broome Community College (NY)
Auditor: Bonadio & CO LLP

AI Summary

  • Core Issue: The College's annual risk assessment under the GLBA was conducted, but results were not communicated to management, and key risks were not identified.
  • Impacted Requirements: Lack of enforcement for employee training, absence of a vendor management program, and missing Disaster Recovery and Business Continuity Plans compromise compliance with GLBA standards.
  • Recommended Follow-Up: The College should implement necessary controls for GLBA compliance, including a thorough risk assessment process and regular updates to management and the Board of Trustees.

Finding Text

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:  Employee training and management.  Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  Detecting, preventing, and responding to attacks, intrusions, or other system failures. Condition: During our testing, we noted the following:  The annual risk assessment was performed during the audit year; however, results were not communicated to management and there is no mention of any risks to technology, information security, data protections, assets, cybersecurity, or regulatory compliance.  Annual security awareness training for employees is in place; however, completion of the training is not enforced.  A vendor management program is not in place.  Mobile device management is not in place.  While protections are in place for data backups, a Disaster Recovery Plan and Business Continuity Plan are not in place.  GBLA rules also require that a basic set of policies and procedures, as well as a program for annual risk assessment and reporting, is in place. The polices supplied by the College were missing the expected areas. Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete. Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured. Context: Inquiry and observation of the information received from the College related to compliance with GLBA. Auditor’s Recommendation: The College should review the GLBA safeguarding rules and as soon as practical implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process. View of Responsible Officials: The College agrees that it should become compliant with GLBA Safeguarding rules as soon as reasonably possible. A project to create, approve, implement, and monitor a comprehensive risk assessment process is in process and the College will commit the resources necessary to bring us into compliance in a timely fashion. Progress update meetings will be scheduled accordingly and reported to the Audit and Finance Committee of the College's Board of Trustees.

Categories

Subrecipient Monitoring Reporting

Other Findings in this Audit

  • 393158 2023-001
    Significant Deficiency
  • 393159 2023-001
    Significant Deficiency
  • 393161 2023-001
    Significant Deficiency
  • 969600 2023-001
    Significant Deficiency
  • 969601 2023-001
    Significant Deficiency
  • 969602 2023-001
    Significant Deficiency
  • 969603 2023-001
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $10.84M
84.063 Federal Pell Grant Program $7.99M
84.425T Covid-19 Education Stabilization Fund $628,131
84.048 Career and Technical Education -- Basic Grants to States $266,248
84.007 Federal Supplemental Educational Opportunity Grants $197,732
84.425F Covid-19 Education Stabilization Fund $162,109
97.036 Disaster Grants - Public Assistance (presidentially Declared Disasters) $110,637
84.425E Covid-19 Education Stabilization Fund $104,112
84.033 Federal Work-Study Program $97,692
17.270 Reintegration of Ex-Offenders $56,046
47.076 Education and Human Resources $55,864
93.575 Child Care and Development Block Grant $52,500
11.307 Economic Adjustment Assistance $31,719
17.261 Wia Pilots, Demonstrations, and Research Projects $16,058
10.559 Summer Food Service Program for Children $6,637
93.558 Temporary Assistance for Needy Families $6,416
93.667 Social Services Block Grant $4,538
93.778 Medical Assistance Program $3,437
93.658 Foster Care_title IV-E $2,175
10.310 Agriculture and Food Research Initiative (afri) $886
10.561 State Administrative Matching Grants for the Supplemental Nutrition Assistance Program $610
93.563 Child Support Enforcement $221
17.268 H-1b Job Training Grants $110