Finding Text
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as "financial institutions" and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). This would include procedures to document a safeguard for risks identified in the risk assessment process for each of the three areas noted in 16 CFR 314.4(b), which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.

Condition: The College did not identify safeguards for the risks identified.

Questioned costs: None

Context: During our audit procedures, it was noted that the College performed a HEISC risk assessment; however, within the risk assessment there were no safeguards identified.

Cause: Resources have not been allocated to document a risk assessment related to students' information.

Effect: The student personal information could be vulnerable.

Repeat Finding: Yes, 2021-003.

Recommendation: We recommend the College identify and document safeguards over risks identified in the risk assessment.

Views of responsible officials and planned corrective action: Management agrees with the finding and has developed a plan to correct it.