Finding Text
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). In addition, per Uniform Guidance 2 CFR 200.303, non-federal entities receiving federal awards are required to establish and maintain internal controls designed to reasonably ensure compliance with federal laws, regulations, and program compliance requirements.
Condition: The College does not have an updated written information security program (WISP) to reflect the current practices that address the required components outlined in the GLBA Safeguards Rule.
Questioned Costs: None
Context: During our testing, we noted the College has procedures in place for the required elements identified, however, the College does not have an updated WISP that meets the compliance requirements outlined in the GLBA Safeguards Rule.
Cause: The College is drafting the necessary IT policies, and they were not in place at the time of testing.
Effect: The College is out of compliance with GLBA requirements because they do not have a written information security plan, formal change management policy, and formal vendor management policy in place.
Repeat Finding: Yes. Prior year finding 2023-005.
Recommendation: We recommend the College implement IT policies and create an updated WISP to ensure the College is compliant with the GLBA Safeguards Rule.
Views of responsible officials: There is no disagreement with the audit finding.