Finding 50017 (2022-001)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2022
Accepted
2023-03-30
Audit: 48720
Organization: Chestnut Hill College (PA)

AI Summary

  • Core Issue: The College has not performed the risk assessment required under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for protecting student financial aid information, and has not documented safeguards for identified risks.
  • Impacted Requirements: Failure to comply with GLBA regulations may lead to penalties, including fines and loss of Title IV funding eligibility.
  • Recommended Follow-Up: The College should complete and document an annual risk assessment addressing employee training, information systems, and safeguards for identified risks by June 2023.

Finding Text

Finding 2022-001 - Gramm-Leach-Bliley Act (GLBA)

CFDA No.: 84.007 Federal Supplemental Education Opportunity Grant, 84.033 Federal Work Study Program, 84.038 Federal Perkins Loans, 84.063 Federal Pell Grant Program, 84.268 Federal Direct Loan Program, 84.379 Teacher Education Assistance for College and Higher Education Grants
Award Year: July 1, 2021 - June 30, 2022
Federal Agency: U.S. Department of Education
Pass Through Entity: Not applicable

Criteria: In accordance with the GLBA Safeguards Rule (16 CFR 314.4), with which institutions participating in Title IV programs must comply, an institution must protect student financial aid information by designating an individual to coordinate the information security program, performing a risk assessment that addresses (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures, and documenting safeguards for the identified risks.

Condition: The College has not performed a risk assessment that addresses (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures, as required by GLBA. In addition, the College has not documented safeguards for identified risks.

Cause: The College did not complete an updated security assessment during the year addressing the procedures and processes in place specific to GLBA, and therefore did not document the required risk assessment or risk mitigation.

Effect: Without updated policies and procedures surrounding student information security, consumer nonpublic personal information held by the College may be exposed to threats. Failure to comply with GLBA standards may bring penalties ranging from monetary fines to restriction or loss of eligibility for Title IV funding.

Questioned Costs: None.

Recommendation: The College should perform and document an annual risk assessment to determine the College's specific risks relevant to protecting consumer nonpublic personal information. At a minimum, the College should have at least one risk statement aligned or referenced to each of the three required areas noted in the GLBA Safeguards Rule at 16 CFR 314.4(b). Finally, the College should identify and document at least one safeguard (i.e., control) for each risk identified in the risk assessment. Each control should be aligned or referenced to the risk(s) to which it applies.

Management Response: The College will complete a GLBA risk assessment that addresses (1) employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. The College will complete the assessment in accordance with the final regulations issued by the Federal Trade Commission (FTC) on December 9, 2021 to amend the Standards for Safeguarding Customer Information, including ensuring the College's written information security program includes the nine elements included in the FTC's regulations. The College's risk assessment will be completed by June 2023.

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Eligibility
  • Matching / Level of Effort / Earmarking

Other Findings in this Audit

  • 50012 2022-001
    Significant Deficiency
  • 50013 2022-001
    Significant Deficiency
  • 50014 2022-001
    Significant Deficiency
  • 50015 2022-001
    Significant Deficiency
  • 50016 2022-001
    Significant Deficiency
  • 626454 2022-001
    Significant Deficiency
  • 626455 2022-001
    Significant Deficiency
  • 626456 2022-001
    Significant Deficiency
  • 626457 2022-001
    Significant Deficiency
  • 626458 2022-001
    Significant Deficiency
  • 626459 2022-001
    Significant Deficiency

Programs in Audit

ALN     Program Name                                                                   Expenditures
84.268  Federal Direct Student Loans                                                   $13.75M
84.063  Federal Pell Grant Program                                                     $2.45M
84.038  Federal Perkins Loans                                                          $222,734
84.425  Education Stabilization Fund                                                   $197,037
84.007  Federal Supplemental Educational Opportunity Grants                            $112,004
84.033  Federal Work-Study Program                                                     $52,038
47.070  Computer and Information Science and Engineering                               $11,277
84.379  Teacher Education Assistance for College and Higher Education Grants (TEACH)   $2,515