Finding Text
2023-002 - Gramm Leach Bliley Missing Compliance Requirements.

Finding Type. Immaterial Noncompliance/Significant Deficiency in Internal Control over Compliance (Eligibility).

Program. Student Financial Assistance Cluster; U.S. Department of Education; Numbers 84.007, 84.033, 84.063, and 84.268; Award Numbers P007A212007, P033A212007, P063P211632, and P268K221632.

Criteria. The Federal Trade Commission (FTC) states that the Gramm Leach Bliley Act "requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data."

Condition. The most recent written security policy fails to address how the College will evaluate and adjust its information security program for any changes in the College's operations or the results of risk assessments.

Cause. The College does not have a review process in place to ensure all safeguard policies set forth in the Gramm Leach Bliley Act are met in the written security policy.

Effect. As a result of this condition, the College isn't meeting the safeguard requirements necessary to comply with the FTC. In addition, the lack of safeguard controls creates an increased risk to highly sensitive data that is possessed by the College.

Questioned Costs. None.

Recommendation. We recommend that the College implement procedures to ensure that all Gramm Leach Bliley policies are met and confirmed by a second individual.

View of Responsible Officials. Management agrees with this finding and has prepared a Corrective Action Plan.