Finding 575394 (2024-001)

Material Weakness
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-09-03
Audit: 365437
Organization: Rockland Community College (NY)
Auditor: Bonadio & CO LLP

AI Summary

  • Core Issue: The College has not designated a "Qualified Individual" to oversee its information security program, nor has it conducted required risk assessments or maintained necessary documentation.
  • Impacted Requirements: Compliance with the Gramm-Leach-Bliley Act (GLBA) is at risk due to missing elements like a written information security program, employee training, and data inventory.
  • Recommended Follow-Up: The College should promptly implement and document necessary controls for GLBA compliance, including regular risk assessments and updates to its information security program.

Finding Text

Finding 2024-001
Student Financial Aid Cluster – Assistance Listing Numbers 84.007, 84.063, 84.268
Federal Agency – U.S. Department of Education
Grant Period – Year ended August 31, 2024
Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:

  • Employee training and management.
  • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
  • Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:

  • The College is required to designate an individual with responsibility for implementing and enforcing an institution’s written information security program. The regulations refer to this individual as the “Qualified Individual.” This has not occurred.
  • The College is required to conduct a risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. This was not provided.
  • The College is required to maintain a written information security program (WISP).
    Minimum elements of the written information security program. This was not provided.
  • The College is required to conduct a periodic inventory of data, noting where it is collected, stored, or transmitted. This was not provided.
  • The College is required to monitor and test the effectiveness of its safeguards regularly. This was not provided.
  • The College is required to provide support related to the security awareness training for all employees. This was not provided.
  • The College is required to provide the vendor management policy and inventory. This was not provided.
  • The College is required to provide support for review based on operations, making documented adjustments and updates to the WISP. This was not provided.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor’s Recommendation: The College should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, suggested to be at least annually, and at any significant change in infrastructure or business process.

Categories

  • Special Tests & Provisions
  • Subrecipient Monitoring
  • Reporting
  • Equipment & Real Property Management

Other Findings in this Audit

  • 575392 2024-001
    Material Weakness
  • 575393 2024-001
    Material Weakness
  • 575395 2024-001
    Material Weakness
  • 1151834 2024-001
    Material Weakness
  • 1151835 2024-001
    Material Weakness
  • 1151836 2024-001
    Material Weakness
  • 1151837 2024-001
    Material Weakness

Programs in Audit

ALN Program Name Expenditures
84.063 Federal Pell Grant Program $7.54M
84.268 Federal Direct Student Loans $2.36M
84.031 Higher Education Institutional Aid $368,660
84.042 Trio Student Support Services $283,831
59.037 Small Business Development Centers $217,472
84.007 Federal Supplemental Educational Opportunity Grants $193,917
64.027 Post-9/11 Veterans Educational Assistance $154,452
84.033 Federal Work-Study Program $77,008
84.335 Child Care Access Means Parents in School $73,225
17.245 Trade Adjustment Assistance $7,311
84.048 Career and Technical Education -- Basic Grants to States $7,077