Finding Text
Finding Number: 2022-005

Information on the Federal Program:
Federal Agency: United States Department of Education (ED)
Program Name: Student Financial Assistance Cluster
Federal Award Identification Number: N/A
Federal Award Year: Year Ended May 31, 2022

Specific Requirement: As required by 16 CFR 314.4, an institution must design and implement safeguards to control the risks identified through its risk assessment, including by (1) implementing and periodically reviewing access controls, including technical and physical controls, to (i) authenticate and permit access only to authorized users in order to protect against the unauthorized acquisition of student information and (ii) limit authorized users' access only to the student information they need to perform their duties and functions; (2) identifying and managing the data, personnel, devices, systems and facilities that enable the institution to achieve its business purposes, in accordance with their relative importance to business objectives; and (3) protecting by encryption all student information held or transmitted over external networks and at rest.

Condition Found: During our audit, we noted that the College does not have adequate safeguards and controls in place to mitigate identified information security risks.

Context: Based on our testing, an information security risk assessment was completed by a third-party consultant. This risk assessment identified several instances where sensitive information is not encrypted and is therefore at risk. Based on our discussion with management, the risk assessment was completed in the Spring of 2022, and management did not have enough time to implement sufficient responses and safeguards for the identified information security risks.

Questioned Costs: None.

Cause and Effect: The College does not have adequate staff on site to efficiently implement information security changes. As a result, there are areas where sensitive student information is at risk.

Identification as a Repeat Finding, if Applicable: Not a repeat finding.

Recommendation: We recommend that the College create information security policies and implement safeguards for each of the risks identified in the completed information technology assessment.

Views of a Responsible Official and Corrective Action Plan: Management agrees with the finding and the recommendation. See Corrective Action Plan on page 42.