Finding Text
Finding 2024-001 - 84.268, 84.063, 84.033, 84.007 Student Financial Aid Cluster
Federal Agency - U.S. Department of Education
Grant Period - Year ended August 31, 2024
Criteria:
Institutions participating in Title IV programs are required to comply with various laws and regulations as part of their signed Program Participation Agreement (PPA), including but not limited to, the Federal Trade Commission’s Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (Title 16, Chapter I, Subchapter C, Part 314).
Condition:
The College has not performed a thorough information security risk assessment which should include consideration of internal and external risks and the sufficiency of the safeguards in place to control the risks identified. Many of the policies in place are outdated and have not been updated for potential changes in the College’s operations. Given the pace of change in the technology environment, outdated policies are unlikely to fully capture current circumstances.
Cause:
The College’s information security program does not include procedures for the performance of regular risk assessments.
Effect:
As the College has not performed a thorough information security risk assessment, it may be unaware of the risks to its sensitive data, specifically datasets protected under GLBA. Many policies are outdated and may not reflect the actual processes in place.
Recommendation:
The College should work to implement a standardized and detailed risk management framework, such as those provided by the National Institute of Standards and Technology (NIST). Risk assessment documentation should include detailed information regarding current procedures in place, justifications for scoring, safeguards for each identified risk, and remediation plans. As part of this process, the College should review its current policies and procedures at least annually to determine whether any updates should be made.