Finding Text
Finding 2023-006 – Gramm-Leach-Bliley Act – Student Information Security
Repeat Finding: No
Federal Program Title – U.S. Department of Education
Student Financial Assistance Cluster
Federal Direct Student Loans: 84.268
Federal Pell Grant Program: 84.063
Federal Work-Study Program: 84.033
Federal Supplemental Educational Opportunity Grants: 84.007
Federal Award Year 2022-2023
Condition
City Colleges did not have a documented policy to address a required safeguard for one of the eight required elements under the Gramm-Leach-Bliley Act (GLBA). Specifically, City Colleges did not conduct a periodic inventory of data, noting where it is collected, stored, or transmitted.
Criteria
In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users.
2 CFR Section 200.303 requires that entities receiving Federal awards establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that reviews of information security policies are completed and that those policies comply with GLBA requirements.
Questioned Costs
There were no questioned costs with respect to this finding.
Cause
City Colleges does not have a periodic data inventory in place. The policy is under development with an expected completion date of Spring 2024.
Effect
Failure to meet the minimum requirements of the GLBA constitutes noncompliance and increases the risk of unauthorized disclosure, misuse, alteration, destruction, or other compromise of student information.
Recommendation
We recommend City Colleges implement controls to ensure that GLBA requirements are reviewed and addressed in a formally documented policy.
Views of responsible officials
We agree with this finding. See corrective action plan.