Finding 399276 (2023-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-05-31
Audit: 307797
Auditor: Bonadio & CO LLP

AI Summary

  • Core Issue: The College has not updated its risk assessment or written information security program since 2018, leading to non-compliance with GLBA requirements.
  • Impacted Requirements: The College's WISP lacks the seven required elements outlined in the 2023 Compliance Supplement.
  • Recommended Follow-Up: Conduct a formal risk assessment and update the WISP to include necessary elements, ensuring IT policies reflect the current environment and are formally approved.

Finding Text

Criteria – Institutions participating in Title IV programs are required to comply with various laws and regulations as part of their signed Program Participation Agreement (PPA), including but not limited to the Federal Trade Commission’s Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (Title 16, Chapter I, Subchapter C, Part 314).

Condition – The College has not performed a formal risk assessment of its technology environment since 2018. In addition, the College’s written information security program (WISP) has not been updated and does not address the seven required minimum elements per the 2023 Compliance Supplement.

Cause – The College had not performed any additional review or updates since 2018 to its WISP and/or risk assessment to include the required elements or to document any updates to the College’s Information Technology (IT) environment.

Effect – The College was not in compliance with the Department of Education’s requirements for GLBA.

Recommendation – The College needs to conduct a formal risk assessment and update its WISP to ensure the seven required elements are addressed. As part of this process, IT policies should be updated to align with the College’s current IT environment and be formally approved and implemented throughout the College.

View of Responsible Officials – The Vice President of Information Technology will designate a manager responsible for overseeing, implementing, and maintaining the College’s information security program and enforcing the information security program.

Corrective Action Plan

  • VP of IT designates a Manager responsible for overseeing, implementing, and maintaining the institution’s or servicer’s information security program and enforcing the information security program (16 C.F.R. 314.4(a)).
  • Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution or servicer) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 C.F.R. 314.4(b)).
  • Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 C.F.R. 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 C.F.R. 314.4(c)(1) through (8).
  • Provides for the institution to continuously monitor vulnerabilities, or conduct annual penetration tests and systemic scans and reviews of known vulnerabilities at least every six months (16 C.F.R. 314.4(d)).
  • Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 C.F.R. 314.4(e)).
  • Addresses how the institution or servicer will oversee its information system service providers (16 C.F.R. 314.4(f)).
  • Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security program (16 C.F.R. 314.4(g)).
  • Addresses the establishment of a written incident response plan (16 C.F.R. 314.4(h)).
  • Addresses the requirement for its Qualified Individual to report regularly, and at least annually, to the President and Board of Trustees on the institution’s information security program (16 C.F.R. 314.4(i)).

Categories

Student Financial Aid Subrecipient Monitoring

Other Findings in this Audit

  • 399277 (2023-001) – Significant Deficiency
  • 399278 (2023-001) – Significant Deficiency
  • 399279 (2023-001) – Significant Deficiency
  • 399280 (2023-002) – Significant Deficiency
  • 399281 (2023-002) – Significant Deficiency
  • 975718 (2023-001) – Significant Deficiency
  • 975719 (2023-001) – Significant Deficiency
  • 975720 (2023-001) – Significant Deficiency
  • 975721 (2023-001) – Significant Deficiency
  • 975722 (2023-002) – Significant Deficiency
  • 975723 (2023-002) – Significant Deficiency

Programs in Audit

ALN    | Program Name                                                           | Expenditures
84.268 | Federal Direct Student Loans                                           | $4.93M
84.063 | Federal Pell Grant Program                                             | $3.71M
84.033 | Federal Work-Study Program                                             | $134,436
84.007 | Federal Supplemental Educational Opportunity Grants                    | $94,945
23.011 | Appalachian Research, Technical Assistance, and Demonstration Projects | $76,080
84.048 | Career and Technical Education -- Basic Grants to States               | $25,570
19.777 | 100,000 Strong in the Americas Innovation Fund                         | $23,433
47.076 | Education and Human Resources                                          | $16,245
17.261 | WIA Pilots, Demonstrations, and Research Projects                      | $2,393
84.425 | Education Stabilization Fund                                           | $240