Finding 7882 (2023-002)

Significant Deficiency

Requirement

Questioned Costs

Year

2023

Accepted

2024-01-08

Audit: 10258

Organization: West Shore Community College (MI)

Auditor: Rehmann Robson LLC

AI Summary

Core Issue: The College's security policy lacks necessary safeguards for compliance with the Gramm Leach Bliley Act, particularly regarding oversight of information service providers and security assessments.
Impacted Requirements: The policy fails to include annual penetration tests and biannual vulnerability assessments, increasing risks to sensitive data.
Recommended Follow-Up: Implement a review process to ensure compliance with all Gramm Leach Bliley policies, with confirmation from a second individual.

Finding Text

2023-002 - Gramm Leach Bliley Missing Compliance Requirements. Finding Type. Immaterial Noncompliance/Significant Deficiency in Internal Control over Compliance (Special Tests & Provisions). Programs. Student Financial Assistance Cluster; U.S. Department of Education; Numbers 84.007, 84.033, 84.063, and 84.268; Award Numbers P007A222103, P033A222103, P063P225088, and P268K225088. Criteria. The Federal Trade Commission (FTC) states that the Gramm Leach Bliley Act "requires financial institutions to explain their information-sharing practices to their customers and safeguard sensitive data." Condition. The most recent written security policy fails to address how the College will oversee its information system service providers and the evaluation and adjustment of its information security program for any changes in the College's operations or the results of risk assessments. Additionally, the College's policy does not include performing annual penetration tests or biannual vulnerability assessments, as required by the Gramm Leach Bliley Act. Cause. The College does not have a review process in place to ensure all safeguard policies set forth in the Gramm Leach Bliley Act are met in the written security policy. Effect. As a result of this condition, the College isn't meeting the safeguard requirements necessary to comply with the FTC. In addition, the lack of safeguard controls creates an increased risk to highly sensitive data that is possessed by the College. Questioned Costs. No costs were required to be questioned as a result of this finding inasmuch as our testing did not reveal any unallowed costs. Recommendation. We recommend that the College implement procedures to ensure that all Gramm Leach Bliley policies are met and confirmed by a second individual. View of Responsible Officials. Management agrees with this finding and has prepared a Corrective Action Plan.

Corrective Action Plan

2023-002 – Gramm Leach Bliley Missing Compliance Requirements. Auditor Description of Condition and Effect. The most recent written security policy fails to address how the College will oversee its information system service providers and the evaluation and adjustment of its information security program for any changes in the College's operations or the results of risk assessments. Additionally, the College's policy does not include performing annual penetration tests or biannual vulnerability assessments, as required by the Gramm Leach Bliley Act. As a result of this condition, the College isn't meeting the safeguard requirements necessary to comply with the FTC. In addition, the lack of safeguard controls creates an increased risk to highly sensitive data that is possessed by the College. Auditor Recommendation. We recommend that the College implement procedures to ensure that all Gramm Leach Bliley policies are met and confirmed by a second individual. Corrective Action. To address the missing element of Gramm Leach Bliley #6, procedures will be set in place to ensure oversight of our information service providers. A team will review and track who our providers are ensuring they meet our technical requirements in addition to the needs of our students and staff. To address the missing element of Gramm Leach Bliley #7, procedures will be set in place to ensure oversight of our information security protocols. A team will review our procedures at least annually, and make any necessary adjustments as changes to security protocols continue to evolve. Part of the procedures will include mandatory semi-annual information security training required by all staff, in addition to basic security information provided annually to students. Finally procedures to perform annual penetration testing will be established based on relevant identified risks. This could include any vulnerability assessments, in the form of systematic scans or review of information systems reasonably identified. These assessments should be completed at a minimum semi-annually, or whenever there may be material changes in operations that could be impacted. Responsible Party. Director of Information Technology and Student Services. Anticipated Completion Date. January 1, 2024.

Other Findings in this Audit

7878 2023-001

Significant Deficiency
7879 2023-001

Significant Deficiency
7880 2023-001

Significant Deficiency
7881 2023-001

Significant Deficiency
7883 2023-002

Significant Deficiency
7884 2023-002

Significant Deficiency
7885 2023-002

Significant Deficiency
584320 2023-001

Significant Deficiency
584321 2023-001

Significant Deficiency
584322 2023-001

Significant Deficiency
584323 2023-001

Significant Deficiency
584324 2023-002

Significant Deficiency
584325 2023-002

Significant Deficiency
584326 2023-002

Significant Deficiency
584327 2023-002

Significant Deficiency

Programs in Audit

ALN	Program Name	Expenditures
84.063	Federal Pell Grant Program	$1.29M
84.425	Education Stabilization Fund	$822,050
84.268	Federal Direct Student Loans	$278,537
84.048	Career and Technical Education -- Basic Grants to States	$108,106
84.007	Federal Supplemental Educational Opportunity Grants	$80,151
84.033	Federal Work-Study Program	$21,478