Finding Text
2022-007 Gramm-Leach-Bliley Act Federal Agency: U.S. Department of Education Federal Program Title: Student Financial Aid Cluster Assistance Listing Number: Various Award Period: July 1, 2021 to June 30, 2022 Type of Finding: - Significant Deficiency in Internal Control Over Compliance - Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR 314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as ?financial institutions? and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi). Condition: Under an institution?s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs. Questioned costs: None Context: During our audit procedures, it was noted that the College did not perform a risk assessment that addresses the three areas noted in 16 CFR 314.4 (b) which are (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures and document safeguards for identified risks. Cause: The organization did not perform an IT risk assessment tailored specifically to the organization, identify risks or address risks identified as required by the Gramm-Leach-Bliley Act. Effect: The student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College engage a third party or perform the risk assessment for the three areas required by the Gramm-Leach-Bliley Act and ensure that there are documented safeguards for identified risks. Views of responsible officials: There is no disagreement with the audit finding.