Finding 8008 (2023-001)

2023-001 Gramm-Leach-Bliley Act (GLBA) Federal Agency: Department of Education Federal Program Title: Student Financial Assistance Cluster ALN Numbers: Various Award Period: July 1, 2022 through June 30, 2023 Type of Finding: • Significant Deficiency in Internal Control Over Compliance • Other Matters Criteria or specific requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers, (16 CFR 314.3(a)). The written information security program (WISP) for institutions with fewer than 5,000 customers must address seven elements (16 CFR 314.3(a) and 16 CFR 314.6). The elements that an institution must address in its written information security program are at 16 CFR 314.4. At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8) including: Assess apps developed by the institution. In addition, the written security program provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). Condition: There were multiple missing items from the Written Information Security Program. We did not identify the adaptation of secure development practices within the WISP. If software is not developed by members of the College, GLBA compliance requires Universities WISP to define standards for evaluating, assessing or testing the security of externally developed applications which transmit sensitive information. We also did not identify the need for an annual penetration test and semi-annual vulnerability within the WISP. GLBA compliance requires monitoring capabilities be in place in order to proactively ensure a secure IT infrastructure. Questioned costs: None Context: These new GLBA requirements were applicable beginning on June 9, 2023 and there were multiple elements missing from their WISP. Cause: There was not a formal process in place to review against all the new GLBA requirements to ensure compliance. Effect: Student personal information could be vulnerable. Repeat Finding: No Recommendation: We recommend that the College review the updated GLBA requirements and ensure their WISP includes all required elements. Views of responsible officials: There is no disagreement with the audit finding.