Finding Text
2024-006—Graham Leach Bliley Act – Student Information Security
U.S. Department of Education
Student Financial Assistance Programs Cluster (Direct)
Federal Work Study Program (84.003)
Federal Pell Grant Program (84.063)
Federal Perkins Loan Program (84.038)
Federal Supplemental Educational Opportunity Grants (84.007)
Federal Direct Loan Program (84.268)
Federal Award Year: 2023-2024
Repeat Finding: No
Criteria
The Code of Federal Regulations (2 CFR 200.303(a)) requires that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States or the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission.
The Program Participation Agreement (PPA) with the U.S. Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314 which includes the development of a comprehensive written security program that includes the following parts:
• 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program.
• 16 CFR 314.4(b) requires institutions to provide for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
• 16 CFR 314.4(c) requires institutions to provide for the design and implementation of safeguards to control the risks the institution provides through its risk assessment
• 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented.
• 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
• 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee its information system service providers.
Condition
The College’s written information security program did not include the following elements required by regulation as agreed to in the PPA:
• The College has performed a risk assessment utilizing internal resources but has not based the information security program on the results of this assessment, nor has the College included all required elements of internal and external risks to the security, confidentiality or integrity of customer information. The College’s risk assessment is missing an inventory of IT systems that process and store customer information and the compliance with information security elements related to multifactor authentication, access control, change management, logging and alerting and encryption.
• The College has not identified, designed or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
• The College has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
• The College has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is a lack of evidence of leadership being required to report to the board or an appropriate supervisory council to ensure those charged with governance are informed on the current state of the information security program.
• The College has not developed policies and procedures to oversee information service providers
Cause
The College’s information security policy did not include all of the required elements, in line with the Gramm-Leach-Bliley Act.
Effect
Noncompliance with federal regulations could result in the loss of future federal funding.
Questioned costs
There were no questioned costs with respect to this finding.
Context
Under a College’s PPA with the U.S. Department of Education, institutions must protect student financial aid information, with particular attention to information provided to institutions by the U.S. Department of Education or otherwise obtained in support of the administration of federal student financial aid programs
Recommendation
We recommend the College complete these requirements, in order to be compliance with the Gramm-Leach-Bliley Act.
Views of responsible officials
Management agrees with this finding. See corrective action plan.