Finding 554905 (2024-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-04-12
Audit: 353484
Organization: Western Suffolk Boces (NY)
Auditor: Bonadio & CO LLP

AI Summary

  • Core Issue: BOCES is not fully compliant with the Gramm-Leach-Bliley Act (GLBA) requirements for safeguarding student information.
  • Impacted Requirements: Lack of a comprehensive risk assessment, annual vulnerability testing, and a complete information security program.
  • Recommended Follow-Up: Implement necessary controls and conduct regular risk assessments, with a focus on completing a data inventory and security program by March 2026.

Finding Text

Finding Reference: 2024-001
U.S. Department of Education
Student Financial Assistance Cluster:
  • Federal Pell Grant Program (Assistance Listing #84.063)
  • Federal Direct Student Loans (Assistance Listing #84.268)
Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the BOCES, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
  • Employee training and management.
  • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
  • Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
  • A periodic inventory of data, noting where it is collected, stored, and transmitted, was not performed.
  • Vulnerability scanning and penetration testing are not completed annually.
  • A written information security program is not fully in place. Policies surrounding risk management have not been implemented.
  • Unsupported operating systems are in use.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and with the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the BOCES related to compliance with GLBA.

Auditor’s Recommendation: The BOCES should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The BOCES should perform comprehensive risk assessments on a regular basis, suggested to be at least annually and at any significant change in infrastructure or business process.

View of Responsible Officials: The BOCES is actively engaged in a formal Request for Proposals (RFP) process to procure a qualified vendor for the design and implementation of a comprehensive Information Security Program aligned with GLBA requirements. The selected vendor will conduct a full assessment of existing controls, help develop required policies and procedures, and assist in ensuring full compliance with GLBA mandates, including employee training, information systems safeguards, and incident response protocols. This process will be completed by December 2025. As part of the upcoming vendor engagement, a complete data inventory and structured risk assessment will be conducted. This will identify where sensitive data is collected, stored, transmitted, and processed, and will form the basis for implementing technical and administrative safeguards. This process will be completed by March 2026. In the past several years the BOCES has reviewed several student systems and was unable to identify a system that met all of its needs due to the differences between requirements applicable to school districts and those appropriate to the unique needs of a BOCES. The organization is on track to discontinue the use of all unsupported operating systems by June 30, 2026.

Corrective Action Plan

U.S. Department of Education
Year ended June 30, 2024
Student Financial Assistance Cluster:
  • Federal Pell Grant Program (Assistance Listing #84.063)
  • Federal Direct Student Loans (Assistance Listing #84.268)
Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the BOCES, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
  • Employee training and management.
  • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
  • Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
  • A periodic inventory of data, noting where it is collected, stored, and transmitted, was not performed.
  • Vulnerability scanning and penetration testing are not completed annually.
  • A written information security program is not fully in place. Policies surrounding risk management have not been implemented.
  • Unsupported operating systems are in use.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and with the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the BOCES related to compliance with GLBA.

Auditor’s Recommendation: The BOCES should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The BOCES should perform comprehensive risk assessments on a regular basis, suggested to be at least annually and at any significant change in infrastructure or business process.

Contact Person Responsible for Corrective Action Plan: Warren Taylor, Chief Financial Officer

Corrective Action Plan and Timing of Planned Corrective Action: The BOCES is actively engaged in a formal Request for Proposals (RFP) process to procure a qualified vendor for the design and implementation of a comprehensive Information Security Program aligned with GLBA requirements. The selected vendor will conduct a full assessment of existing controls, help develop required policies and procedures, and assist in ensuring full compliance with GLBA mandates, including employee training, information systems safeguards, and incident response protocols. This process will be completed by December 2025. As part of the upcoming vendor engagement, a complete data inventory and structured risk assessment will be conducted. This will identify where sensitive data is collected, stored, transmitted, and processed, and will form the basis for implementing technical and administrative safeguards. This process will be completed by March 2026. In the past several years the BOCES has reviewed several student systems and was unable to identify a system that met all of its needs due to the differences between requirements applicable to school districts and those appropriate to the unique needs of a BOCES. The organization is on track to discontinue the use of all unsupported operating systems by June 30, 2026.

Categories

  • Procurement, Suspension & Debarment
  • Special Tests & Provisions
  • Equipment & Real Property Management
  • Matching / Level of Effort / Earmarking
  • Student Financial Aid
  • Subrecipient Monitoring
  • Reporting

Other Findings in this Audit

  • 554906 (2024-001): Significant Deficiency
  • 1131347 (2024-001): Significant Deficiency
  • 1131348 (2024-001): Significant Deficiency

Programs in Audit

ALN      Program Name                                              Expenditures
84.268   Federal Direct Student Loans                              $1.19M
84.063   Federal Pell Grant Program                                $674,536
84.002   Adult Education - Basic Grants to States                  $421,299
10.555   National School Lunch Program                             $310,544
10.553   School Breakfast Program                                  $170,137
84.048   Career and Technical Education -- Basic Grants to States  $122,762