Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 (Federal Supplemental Educational Opportunity Grants Program), 84.033 (Federal Work Study Program), 84.038 (Federal Perkins Loan Program), 84.063 (Federal Pell Grant Program), 84.268 (Federal Direct Student Loans Program), 93.364 (Nursing Student Loans)
Federal Award Identification Number and Year: N/A; 2022-2023
Award Period: July 1, 2022 – June 30, 2023
Pass-Through Agency: N/A
Pass-Through Numbers: N/A
Type of Finding:
Significant Deficiency in Internal Control over Compliance
Other Matters
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be "financial institutions" and therefore subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)).
Condition: Under an institution's Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Questioned costs: None
Context: During our testing of the College's information technology, we noted that the University's written security program did not meet the following compliance requirements, in that it did not:
Identify the approval of the appropriate individual leading the written information security program.
Identify documentation that the written information security program was approved by an appropriate individual.
Identify a periodic inventory of data, noting where it is collected, stored, and transmitted.
Identify information regarding secure development practices for applications.
Identify information regarding multi-factor authentication.
Identify a specific retention period.
Identify a change management policy.
Identify documentation of maintaining a log of authorized users' activity while looking for unauthorized data.
Identify documentation that shows regular testing and monitoring of safeguards the College has implemented.
Identify documentation that relates to the implementation of policies and procedures to ensure that personnel are able to enact information security programs.
Identify how the College will oversee its information system service providers.
Identify information on how the written information security program is evaluated and adjusted based on monitoring results.
Cause: The College has continued to make progress in updating its written security program to become compliant with all requirements; however, due to capacity constraints and demands on the information technology staff, this is still a work in progress.
Effect: Student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the College designate an individual to oversee the information security function and work to update the College's written security program to ensure compliance with all the standards.
Views of responsible officials: There is no disagreement with the audit finding.