Finding Text
2023-002 - Gramm Leach Bliley Missing Compliance Requirements.

Finding Type. Immaterial Noncompliance/Significant Deficiency in Internal Control over Compliance (Special Tests & Provisions).

Programs. Student Financial Assistance Cluster; U.S. Department of Education; Numbers 84.007, 84.033, 84.063, and 84.268; Award Numbers P007A222103, P033A222103, P063P225088, and P268K225088.

Criteria. The Federal Trade Commission (FTC) states that the Gramm Leach Bliley Act "requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data."

Condition. The most recent written security policy fails to address how the College will oversee its information system service providers, and how it will evaluate and adjust its information security program in response to changes in the College's operations or the results of risk assessments. Additionally, the College's policy does not include performing annual penetration tests or biannual vulnerability assessments, as required by the Gramm Leach Bliley Act.

Cause. The College does not have a review process in place to ensure that all safeguard policies set forth in the Gramm Leach Bliley Act are addressed in the written security policy.

Effect. As a result of this condition, the College is not meeting the safeguard requirements necessary to comply with the FTC. In addition, the lack of safeguard controls creates an increased risk to the highly sensitive data that the College possesses.

Questioned Costs. No costs were required to be questioned as a result of this finding, inasmuch as our testing did not reveal any unallowed costs.

Recommendation. We recommend that the College implement procedures to ensure that all Gramm Leach Bliley policies are met, and that compliance is confirmed by a second individual.

View of Responsible Officials. Management agrees with this finding and has prepared a Corrective Action Plan.