Finding Text
Finding 2023-004 – Gramm-Leach-Bliley Act—Student Information Security
Repeat Finding: No
Federal Program Title – U.S. Department of Education
Student Financial Assistance Cluster
Federal Direct Student Loans: 84.268
Federal Pell Grant Program: 84.063
Federal Work-Study Program: 84.033
Federal Supplemental Educational Opportunity Grants: 84.007
Federal Award Year 2022-2023
Condition
While the College does have a program that addresses information security, the College did not have, by June 9, 2023, a readily accessible program document addressing the required safeguards for the nine required elements under the implementing regulations of the Gramm-Leach-Bliley Act (GLBA) known as the “Safeguards Rule.”
Criteria
In accordance with 16 CFR 314.4(c), an institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). This includes the following: (1) implement and periodically review access controls, (2) conduct a periodic inventory of data, noting where it’s collected, stored or transmitted, (3) encrypt customer information on the institution’s system and when it’s in transit, (4) assess apps developed by the institution, (5) implement multi-factor authentication for anyone accessing customer information on the institution’s system, (6) dispose of customer information securely, (7) anticipate and evaluate changes to the information system or network, and (8) maintain a log of authorized users’ activity and keep an eye out for unauthorized users.
2 CFR Section 200.303 requires that entities receiving Federal awards establish and maintain internal controls designed to reasonably ensure compliance with Federal laws, regulations, and program compliance requirements. Effective internal controls should include procedures to ensure that information security policies are periodically reviewed and that they comply with GLBA requirements.
Questioned Costs
There were no questioned costs.
Cause
Due to conflicting priorities, the College’s Information Security Program was not fully documented by June 9, 2023. The formal document is under development with an expected completion date by June 30, 2024.
Prevalence
Frequent. The required elements were not combined into a single program document that is available upon request by appropriate entities.
Effect
While substantive work has been completed through the College’s Information Security program in implementing the nine elements of the GLBA Safeguards Rule and the eight standards identified above, the failure to have a formal program document outlining all of the GLBA standards results in a failure to meet the requirements outlined in the Act and is deemed noncompliance.
Recommendation
We recommend that the College create a formal Information Security Program document outlining the standards that are in place to address the GLBA requirements. Additionally, we recommend the College place the document in a readily accessible location for distribution to appropriate entities by approved individuals.
Views of responsible officials
We agree with this finding. See corrective action plan.