Finding 570430 (2023-006)

Material Weakness

Requirement

Questioned Costs

Year

2023

Accepted

2025-07-02

Audit: 361393

Organization: College of Micronesia - Fsm (FM)

Auditor: Ernst & Young

AI Summary

Core Issue: The College lacks a qualified individual and a formal program to oversee compliance with the Gramm-Leach-Bliley Act (GLBA) for student information security.
Impacted Requirements: Noncompliance with GLBA puts the College at risk of failing to protect sensitive student financial aid information as mandated by federal regulations.
Recommended Follow-Up: Develop a comprehensive GLBA information security program, designate a qualified overseer, provide staff training, and conduct regular reviews to ensure compliance.

Finding Text

Federal Agency: U.S. Department of Education AL Program: Student Financial Assistance Cluster - 84.063 Federal Pell Grant Federal Award No.: Title IV HEA Program OPE ID 01034300 Area: Special Tests and Provisions: Gramm-Leach-Bliley Act Student Information Security Questioned Costs: $--- Criteria: The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistrance Programs as financial institutions and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions should comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). Condition: The College does not have a qualified individual to oversee the GLBA information security program. Additionally, the Company does not have an existing GLBA information security program in place. Cause: The non-compliance is due to a lack of awareness and understanding of the GLBA requirements and the absence of a formalized process for establishing and maintaining an information security program Effect: The College is in noncompliance with applicable GLBA requirements. Recommendation: The College should develop and implement a comprehensive GLBA information security program that includes risk assessments, safeguards, and regular testing and monitoring of the effectiveness of these safeguards. A qualified individual with the necessary expertise and authority to oversee the GLBA information security program should also be designated. Provide training to relevant staff on GLBA requirements and the importance of information security. Conduct periodic reviews and updates of the information security program to ensure ongoing compliance with GLBA requirements. Views of responsible officials The College acknowledges the finding. Refer to their corrective action plan.

Corrective Action Plan

Finding 2023-06 – Special Tests and Provisions: Gramm-Leach-Bliley Act–Student Information Security Recommendation The College should develop and implement a comprehensive GLBA information security program that includes risk assessments, safeguards, and regular testing and monitoring of the effectiveness of these safeguards. A qualified individual with the necessary expertise and authority to oversee the GLBA information security program should also be designated. Provide training to relevant staff on GLBA requirements and the importance of information security. Conduct periodic reviews and updates of the information security program to ensure ongoing compliance with GLBA requirements. Response The college acknowledges the finding and will strengthen its student information security by implementing the following: 1) Designate a qualified Information Security Officer from within the IT Division or recruit externally if internal capacity is limited. 2) Develop a GLBA compliance program that includes: • Annual risk assessments • Implementation of administrative, technical, and physical safeguards • Staff training on data privacy • Annual testing of the security protocols Contact: Vice President for Institutional Effectiveness & Quality Assurance (VPIEQA) Completion Date: September 30, 2025

Other Findings in this Audit

570428 2023-004

Significant Deficiency
570429 2023-005

Significant Deficiency
570431 2023-007

Material Weakness
570432 2023-008

Material Weakness
570433 2023-009

Significant Deficiency
570434 2023-009

Significant Deficiency
570435 2023-009

Significant Deficiency
570436 2023-009

Significant Deficiency
570437 2023-009

Significant Deficiency
1146870 2023-004

Significant Deficiency
1146871 2023-005

Significant Deficiency
1146872 2023-006

Material Weakness
1146873 2023-007

Material Weakness
1146874 2023-008

Material Weakness
1146875 2023-009

Significant Deficiency
1146876 2023-009

Significant Deficiency
1146877 2023-009

Significant Deficiency
1146878 2023-009

Significant Deficiency
1146879 2023-009

Significant Deficiency

Programs in Audit

ALN	Program Name	Expenditures
84.063	Federal Pell Grant Program	$9.33M
84.425	Education Stabilization Fund	$1.26M
10.511	Smith-Lever Extension Funding	$772,212
15.875	Economic, Social, and Political Development of the Territories	$671,227
84.047	Trio Upward Bound	$596,043
11.307	Economic Adjustment Assistance	$424,597
11.028	Connecting Minority Communities Pilot Program	$341,775
84.044	Trio Talent Search	$340,205
93.236	Grants to States to Support Oral Health Workforce Activities	$289,130
10.203	Payments to Agricultural Experiment Stations Under the Hatch Act	$190,567
10.322	Distance Education Grants for Institutions of Higher Education in Insular Areas	$83,237
10.514	Expanded Food and Nutrition Education Program	$56,096
10.308	Resident Instruction, Agriculture, and Food Science Facilities and Equipment Grants	$43,325
47.076	Stem Education (formerly Education and Human Resources)	$26,110