Finding Text
Criteria or Specific Requirement:
The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” and therefore subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include eight elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4. Additionally, institutions must conduct penetration testing and vulnerability assessments to ensure the effectiveness of their safeguards.
Condition:
Certain elements of the College’s information security program were not meeting GLBA requirements.
Questioned costs: None
Context: The College’s written information security program did not cover the following requirements:
1. The requirement to have the written information security program be approved by an appropriate individual.
2. The requirement to provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8).
a. The missing element is the requirement to encrypt customer information both on the institution’s systems and while it is in transit.
3. The requirement to provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Cause: The College has not fully implemented its written information security program to meet all GLBA requirements.
Effect: The College's written information security program is non-compliant with GLBA requirements, potentially exposing customer information to risks due to inadequate approval, missing safeguards, and lack of regular testing or monitoring.
Repeat Finding: No
Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4.
Views of responsible officials: There is no disagreement with the audit finding.