Finding 541110 (2024-003)

Significant Deficiency Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-03-31
Audit: 350688
Organization: Bethany Lutheran College, Inc. (MN)

AI Summary

  • Core Issue: The Corporation lacks a documented data inventory and multi-factor authentication for accessing sensitive student information, violating GLBA requirements.
  • Impacted Requirements: Compliance with the Gramm-Leach-Bliley Act mandates a comprehensive information security program that includes specific safeguards for protecting student financial aid information.
  • Recommended Follow-Up: Review and update the Written Information Security Program to align with GLBA requirements and implement necessary security measures.

Finding Text

Federal Agency: U.S. Department of Education

Federal Program Name: Student Financial Assistance Cluster

Assistance Listing Number:

  • 84.007 – Federal Supplemental Educational Opportunity Grants
  • 84.033 – Federal Work-Study Program
  • 84.038 – Federal Perkins Loan Program
  • 84.063 – Federal Pell Grant Program
  • 84.268 – Federal Direct Student Loans

Award Period: July 1, 2023 to June 30, 2024

Type of Finding:

  • Significant Deficiency in Internal Control over Compliance
  • Other Matters

Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).

Condition: Under a college’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.

Questioned Costs: None

Context: During our audit procedures, it was noted that the Corporation did not have documented in its Written Information Security Program a description of the use of a data inventory that includes how the Corporation identifies and manages data, personnel, devices, systems and facilities. In addition, there was no evidence that a multi-factor authentication process was used for individuals accessing sensitive information across systems.

Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance.

Effect: The Corporation’s students’ personal information could be vulnerable.

Repeat Finding: Yes

Auditor’s Recommendation: We recommend that the Corporation review each element of GLBA to ensure compliance with all necessary requirements.

Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.

Corrective Action Plan

Title: Student Financial Assistance Cluster – Assistance Listing Nos. 84.038, 84.268, 84.033, 84.007, 84.063

Recommendation: We recommend that the Corporation review each element of GLBA to ensure compliance with all necessary requirements.

Explanation of disagreement with audit finding: There is no disagreement with the audit finding.

Action taken in response to finding: The College will update its Written Information Security Program to include a description of the use of a data inventory that includes how we identify and manage data, personnel, devices and facilities. Some of these items can be found in the other documents submitted but we will merge them into our WISP. Multi-factor authentication is in use for individuals accessing sensitive information but that also was not clearly identified in the WISP and will be added. To ensure GLBA compliance going forward, the College has contracted FRSecure to develop a risk assessment and roadmap, which will do a system scan for issues; an assessor will interview staff including IT, HR, Finance Leaders and others to learn more about the current state of the overall security program. Compliance with GLBA will be part of their review. Finally, FRSecure will issue an assessment ‘Roadmap Plan’ for the department to review and, pending results, implement as feasible.

Categories

  • Student Financial Aid
  • Equipment & Real Property Management
  • Matching / Level of Effort / Earmarking
  • Internal Control / Segregation of Duties
  • Significant Deficiency

Other Findings in this Audit

  • 541105 2024-002
    Significant Deficiency Repeat
  • 541106 2024-002
    Significant Deficiency Repeat
  • 541107 2024-002
    Significant Deficiency Repeat
  • 541108 2024-002
    Significant Deficiency Repeat
  • 541109 2024-002
    Significant Deficiency Repeat
  • 541111 2024-003
    Significant Deficiency Repeat
  • 541112 2024-003
    Significant Deficiency Repeat
  • 541113 2024-003
    Significant Deficiency Repeat
  • 541114 2024-003
    Significant Deficiency Repeat
  • 1117547 2024-002
    Significant Deficiency Repeat
  • 1117548 2024-002
    Significant Deficiency Repeat
  • 1117549 2024-002
    Significant Deficiency Repeat
  • 1117550 2024-002
    Significant Deficiency Repeat
  • 1117551 2024-002
    Significant Deficiency Repeat
  • 1117552 2024-003
    Significant Deficiency Repeat
  • 1117553 2024-003
    Significant Deficiency Repeat
  • 1117554 2024-003
    Significant Deficiency Repeat
  • 1117555 2024-003
    Significant Deficiency Repeat
  • 1117556 2024-003
    Significant Deficiency Repeat

Programs in Audit

ALN Program Name Expenditures
84.268 Federal Direct Student Loans $2.86M
84.063 Federal Pell Grant Program $991,486
84.038 Federal Perkins Loans Outstanding, Beginning of Year $122,466
84.033 Federal Work-Study Program $36,806
84.007 Federal Supplemental Educational Opportunity Grants $34,899