Finding Text
FINDING 2024-001 – Controls and Noncompliance Related to Student Information Security
Federal Department: Department of Education
AL Number(s): 84,003, 84.063, 84.007, 84.268, 93.364
Program Name(s): Student Financial Aid Cluster
Questioned Costs: None
Criteria
Special Tests and Provisions - Gramm-Leach-Bliley Act - Student Information Security - The Gramm-Leach-Bliley
Act (“GLBA”) (Public Law 106-102) requires financial institutions to explain their information sharing practices
to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission
considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as
“financial institutions” and subject to GLBA (16 CFR 313.3(k)(2)(iv)). Under an institution’s Program
Participation Agreement with the Department of Education and the GLBA, institutions must protect student
financial aid information, with particular attention to information provided to institutions by the Department
or otherwise obtained in support of the administration of the federal financial aid programs. Institutions are
required to designate a qualified individual responsible for implementing and monitoring the institution's
information and security program. Additionally, the District is required to maintain a written security program
that addresses the minimum elements required by GLBA.
Condition
Yosemite Community College District (the “District”) did not have a written security program in place that
addresses the minimum required elements under GLBA.
Questioned Costs
None noted.
Context
During inquiries with management, management established that there is not currently a written security
program in place that addresses the minimum required elements under GLBA. However, management
indicated that there were no known data breaches or instances of the District’s information systems being
compromised during the audit period.
Effect
Risks pertaining to Student Information Security may not be identified and/or addressed.
Cause
Insufficient time to implement a security program that addresses the minimum elements required by GLBA
due to a vacancy in the Information Systems department that was filled during 2024. The vacant role caused
a lack of available resources for purposes of implementing GLBA compliant policies and procedures.
Identification as a Repeat Finding, if Applicable
Partial repeat finding of 2023-001.
Recommendation
We recommend that the District develop and maintain a written security program that addresses the
minimum elements required by GLBA.
Views of Responsible Officials and Planned Corrective Actions
See Corrective Action Plan