Finding 5637 (2023-001)

FINDING 2023-001 – Controls and Noncompliance Related to Student Information Security Federal Department: Department of Education CFDA Number(s): 84,003, 84.063, 84.007, 84.268, 93.364 Program Name(s): Student Financial Aid Cluster Questioned Costs: None Criteria Special Tests and Provisions - Gramm-Leach-Bliley Act -Student Information Security - The Gramm-Leach- Bliley Act (“GLBA”) (Public Law 106-102) requires financial institutions to explain their information sharingpractices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to GLBA (16 CFR 313.3(k)(2)(iv)). Under an institution’s Program Participation Agreement with the Department of Education and the GLBA, institutions must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal financial aid programs. Institutions are required to designate a qualified individual responsible for implementing and monitoring the institution's information and security program. Additionally, the District is required to maintain written security program that addresses the minimum elements required by GLBA. Condition Yosemite Community College District (the “District”) did not have a designated individual responsible for implementing and monitoring the institution’s information and security program and did not have a written security program in place that addresses the minimum required elements under GLBA. Questioned Costs None noted. Context During inquiries with management, management established that there was not a designated individual responsible for implementing and monitoring the institutions information and security program, and there is not currently a written security program in place that addresses the minimum required elements under GLBA. However, management indicated that there were no data breaches or instances of the District’s information systems being compromised during the audit period. Effect Risks pertaining to Student Information Security may not be identified and/or addressed. Cause Turnover in the Information Systems department and a vacant role have caused a lack of available resources for purposes of appointing a designated individual and implementing GLBA compliant policies and procedures. Identification as a Repeat Finding, if Applicable Not applicable Recommendation We recommend that the District designate a qualified individual responsible for implementing and monitoring the institution's information and security program, and to develop and maintain written security program that addresses the minimum elements required by GLBA. Views of Responsible Officials and Planned Corrective Actions See Corrective Action Plan.