Finding Text
Criteria or specific requirement – Special Tests and Provisions – Gramm-Leach-Bliley
Act (16 CFR 314) requires financial institutions to explain their information-sharing
practices to their customers and to safeguard sensitive data. The Federal Trade
Commission considers Title IV-eligible institutions that participate in Title IV
Educational Assistance Programs as “financial institutions” and subject to the
Gramm-Leach-Bliley Act (GLBA) because they appear to be significantly engaged
in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply
with GLBA in their Program Participation Agreement with ED. Institutions must
protect student financial aid information, with particular attention to information
provided to institutions by ED or otherwise obtained in support of the
administration of the Federal student financial aid programs (16 CFR 314.3; HEA
483(a)(3)(E) and HEA 485B(d)(2)).
Condition – The College must have a written information security program that
addresses the required minimum seven elements.
Questioned costs – $0
Context – The College is in the process of performing a risk assessment that will be
used to generate the written information security program. The College has
designated its Chief Information Officer as the qualified individual responsible for
implementing and monitoring the information security program. It has started
addressing the additional six required elements, including reviewing access
controls, implementing multi-factor authentication for students, disposing of student
information securely, and performing annual penetration testing. However, the College is
still in the process of reviewing logs for unauthorized access, implementing multi-factor
authentication for staff and faculty with access to student information,
implementing policies and procedures to ensure that personnel are able to carry out
the information security program, and encrypting all information on the institution’s
systems and in transit.
Effect – The College did not implement the revised GLBA regulations by the required
date.
Cause – The College’s controls did not ensure the revised GLBA regulations were
implemented by the required date.
Identification of repeat finding, if applicable – N/A
Recommendation – The College should complete the risk assessment and implement
a written information security program and ensure the additional six required GLBA
elements are included in the program.
Views of responsible officials and planned corrective actions – The College will
continue to make progress toward meeting the federal standards related to the GLBA
security program. The College expects to be at a minimum of 80% in compliance by the
end of FY24 and in full compliance by the end of FY25. The College will prioritize
key elements such as reviewing access controls, implementing multi-factor
authentication for the campus, disposing of student information securely,
performing annual penetration testing, and encrypting all the institution's
information.