Finding 7484 (2023-002)

Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-01-04
Audit: 9676
Organization: Austin College (CO)
Auditor: Capincrouse LLP

AI Summary

  • Core Issue: The College did not meet the updated requirements of the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Insufficient documentation of security risk assessments, vendor management policies, and lack of an annual report to the board.
  • Recommended Follow-Up: Allocate resources to fully comply with GLBA requirements and implement corrective actions.

Finding Text

Gramm-Leach-Bliley Act (GLBA) Compliance

DEPARTMENT OF EDUCATION
ALN #: 84.268, 84.063, 84.007, 84.033, 84.038, and 84.379 - Student Financial Assistance Cluster
Federal Award Identification #: 2022-2023 Financial Aid Year

Condition: The College did not sufficiently comply with the updated requirements of GLBA.

Criteria: 16 CFR 314.4

Questioned Costs: $0

Context: The College has not sufficiently documented its security risk assessment and safeguards, including general threats, implemented sufficient vendor management policies and reviews, or provided a written, annual report to the board.

Cause: The College had noted the updated requirements of GLBA and engaged a third party to assist with addressing and documenting compliance with the updated requirements of GLBA. This process took place after fiscal year-end.

Effect: The College may have unintended exposure of student information to security risks.

Identification as repeat finding, if applicable: Not applicable.

Recommendation: We recommend the College allocate sufficient resources to address all updated requirements of GLBA.

Views of Responsible Officials and Planned Corrective Action: Management agrees with the finding. See corrective action plan.

Corrective Action Plan

Gramm-Leach-Bliley Act (GLBA) Compliance

Planned Corrective Action: Austin College has employed GreyCastle Securities to fill our vCISO requirement and completed a Risk Assessment on November 16th. We have scheduled a Penetration Test with our vCISO for early Spring. Once the Penetration testing and reporting have been completed, we will be presenting to the Board of Trustees in the last academic year meeting, which will be our practice moving forward. We are currently working with GreyCastle to address other policy and vendor management services with some quotes in hand and being reviewed. Policies such as Incident Response and Information Security Policies have been completed. Additionally, we are working to create Contingency Planning and Processes as well as a disaster recovery site. Most of these items are planned to complete much earlier than June 1st, 2024, but our last Trustee meeting isn’t until May when we’ll present academic year findings.

Person Responsible for Corrective Action Plan: Garrett Hubbard – Director of Information Technology

Anticipated Date of Completion: June 1st, 2024

Categories

Subrecipient Monitoring

Programs in Audit

| ALN | Program Name | Expenditures |
|---|---|---|
| 84.268 | Federal Direct Student Loans | $5.79M |
| 84.063 | Federal Pell Grant Program | $1.88M |
| 84.038 | Federal Perkins Loan Program | $1.87M |
| 84.007 | Federal Supplemental Educational Opportunity Grants | $249,527 |
| 84.033 | Federal Work-Study Program | $206,086 |
| 47.076 | STEM Education | $128,338 |
| 47.079 | Office of International Science and Engineering | $95,388 |
| 93.243 | Substance Abuse and Mental Health Services Projects of Regional and National Significance | $38,079 |
| 84.379 | Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) | $17,917 |