CORRECTIVE ACTION PLAN
Federal Award Findings and Questioned Costs
Finding 2023-001
Student Financial Aid Cluster:
Assistance Listing #84.007 Federal Supplemental Educational Opportunity Grants
Assistance Listing #84.033 Federal Work-Study Program
Assistance Listing #84.063 Federal Pell Grant Program
Assistance Listing #84.268 Federal Direct Student Loans
Assistance Listing #93.364 Nursing Student Loans
Federal agency – U.S. Department of Education
Grant Period – Year ended August 31, 2023
Compliance Requirement: Special Tests and Provisions
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an
annual basis, to identify reasonably foreseeable internal and external risks to the security,
confidentiality, and integrity of customer (student) information that could result in the unauthorized
disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment
should include consideration of risk in each relevant area of operations, including:
Employee training and management.
Information systems, including network and software design, as well as information
processing, storage, transmission, and disposal.
Detecting, preventing, and responding to attacks, intrusions, or other system failures.
Condition: During our testing, we noted the following:
While the IT Systems Team is the assigned resource for information security matters, the College
communicated that it does not have a single qualified individual designated with the responsibility for
implementing and enforcing the College’s information security program.
An annual IT risk assessment was not performed.
A vendor management program is not in place.
Mobile device management is not in place.
Backup media is not encrypted.
A full set of policies and procedures is not in place.
Cause: The expected documentation supporting the required controls to adequately confirm
compliance with GLBA safeguards was not complete.
Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards
for safeguarding the protected data, compliance with the law and the requirements in the federal PPA
may not be assured.
Context: Inquiry and observation of the information received from the College related to compliance
with GLBA.
Recommendation: The College should review the GLBA safeguarding rules and as soon as practical
implement and document the controls necessary for compliance with the rule, focusing on the
completion of a documented, thorough, and standardized risk assessment and management reporting
framework. The College should perform comprehensive risk assessments on a regular basis, which is
suggested to be at least annually, and at any significant change in infrastructure or business process.
Contact Person Responsible for Corrective Action Plan: Donna Rocap, Associate Vice President
of Administration
Corrective Action Plan: The College agrees with the findings and is in process of developing a
corrective action plan to address. In addition, the College has made it a top priority to hire both a Chief
Information Officer and a Chief Information Security Officer but has experienced difficulty getting a
qualified pool of candidates.
Timing of Planned Corrective Action: The College expects to resolve this finding during its August
31, 2024 fiscal year.