Finding 522012 (2024-003)

-
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-02-05

AI Summary

  • Core Issue: The College's information security plan lacks key elements mandated by the updated Gramm-Leach-Bliley Act.
  • Impacted Requirements: Seven specific elements must be included in the information security program, such as risk assessment and oversight of information service providers.
  • Recommended Follow-Up: The College should revise its information security policy to incorporate the required elements and document these changes by FY 2025.

Finding Text

Federal Agency: U.S. Department of Education; Office of Federal Student Aid

Pass-through Entity: Not applicable

Program Name: Federal Direct Student Loan Program; Federal Pell Grant

AL# and Program Expenditure: 84.268 ($857,747); 84.063 ($384,191)

Award Number: P268K247533; P063P237533

Federal Award Year: July 1, 2023 to June 30, 2024

Questioned Costs: $-0-

Condition Found: The College’s information security plan does not include the requirements mandated by the Gramm-Leach-Bliley Act.

Criteria: The Gramm-Leach-Bliley Act was updated effective June 9, 2023. According to Electronic Announcement ID: General-23-09, for institutions that maintain student information on less than 5,000 consumers, the information security plan must include the following seven elements.

Element 1: Designate a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information and security program.

Element 2: Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.

Element 3: Provides for the design and implementation of safeguards to control the risks the institution identifies through risk assessment. At the minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8).

Element 4: Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.

Element 5: Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program.

Element 6: Addresses how the institution will oversee its information service providers.

Element 7: Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact on the information security programs.

Cause: The College’s current information security review does not include the seven elements listed in the criteria.

Possible Asserted Effect: The College’s information security report does not meet the requirements listed in the Gramm-Leach-Bliley Act.

Repeat Finding: There was not a similar finding in the previous year.

Statistical Sampling: The sample was not intended to be, and was not, a statistically valid sample.

Recommendation: The College should update its information security policy to include the elements required by the Gramm-Leach-Bliley Act. The policy should be in writing.

Management Response: The College will review its information security policy during FY 2025 and will make the required changes.

Categories

  • Subrecipient Monitoring
  • Student Financial Aid

Programs in Audit

ALN | Program Name | Expenditures
84.268 | Federal Direct Student Loans | $857,747
84.063 | Federal Pell Grant Program | $384,191