Finding Text
FINDING 2022-004 - Special Tests and Provisions - Gramm-Leach-Bliley Act - Student Information Security; Significant Deficiency in Internal Control over Compliance

Student Financial Assistance Cluster
U.S. Department of Education
Assistance Listing Numbers: 84.063, 84.007, 84.033
Federal Program Name: Student Financial Assistance Cluster
Award Year: 2021-22

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be "financial institutions" subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Under an institution's Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)).

Condition and context: Until September 2022, no written risk assessment had been performed that addressed the three areas required by 16 CFR 314.4(b): (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Questioned costs: None

Effect: The College does have limited controls in place surrounding student information security, which limits the effect of the non-compliance.

Cause: The finding and significant deficiency are due to a prior lack of understanding of the compliance requirement during the first half of the year and to delays in implementation caused by COVID-19.

Repeat finding: Yes, 2021-004

Recommendation: We recommend that the College's designated individual finalize and complete documentation of the risk assessment addressing the three areas required by 16 CFR 314.4(b): (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures. This should be in place for the entire fiscal year.

Views of responsible officials and planned corrective actions: The College has designated the Chief Information Officer (CIO), and the following items were completed in September 2022:
a. ASCC Data / Information Security Program
b. Risk Assessment that addresses (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures.

The risk assessment identified action items to resolve findings and the controls that are in place in the meantime. Action items and controls are reviewed and updated monthly. In November 2022, the Federal Student Aid (FSA) Cyber Compliance Team confirmed that ASCC has satisfied the minimum information security requirements under the Gramm-Leach-Bliley Act (GLBA) and closed its. The next annual complete Risk Assessment will be completed in August 2023, and ASCC will continue to complete a Risk Assessment annually to stay in compliance with GLBA. Anticipated completion of the corrective action is expected by October 2023.