Finding 9095 (2023-001)

Significant Deficiency
Requirement
N
Questioned Costs
-
Year
2023
Accepted
2024-01-19
Audit: 12444
Organization: Anne Arundel Community College (MD)

AI Summary

  • Core Issue: The College's information security program lacked a complete written format by the June 2023 deadline, failing to meet specific requirements of the Gramm-Leach-Bliley Act.
  • Impacted Requirements: Key elements missing included data inventory, encryption, multi-factor authentication, user activity logging, and effectiveness monitoring as mandated by 16 CFR 314.4.
  • Recommended Follow-Up: Ensure the written information security program fully addresses all required elements and maintain ongoing compliance to optimize information security management.

Finding Text

2023-001: Gramm-Leach-Bliley Act
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Aid Cluster
Assistance Listing Number: 84.063, 84.268, 84.007, 84.033
Federal Award Identification Number: P007A221715, P033A221715, Po63P221544, P268K231544
Award Period: July 1, 2022 - June 30, 2023
Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters

Criteria or specific requirement:
Internal Control - Per 2 CFR section 200.303(a), a non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Compliance – The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR 313.3(k)(2)(vi)). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. The regulations require the written information security program to include nine elements for institutions with 5,000 or more customers (16 CFR 314.3(a)). The elements that an institution must address in its written information security program are at 16 CFR 314.4.

Condition: Certain elements of the College’s information security program were not maintained in written form.
Questioned costs: None
Context: The College’s written information security program did not cover the following requirements as of the required deadline in June 2023:
  • Conduct a periodic inventory of data, noting where it's collected, stored or transmitted;
  • Encrypt customer information on the institution's system and when it's in transit;
  • Implement multi-factor authentication for anyone accessing customer information on the institution's system;
  • Maintain a log of authorized users' activity and keep an eye out for unauthorized access; and
  • Provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Cause: The College engaged an external consultant to aid in the development of a comprehensive written information security program, but the resulting written policies and procedures were not complete as of the June 2023 deadline. However, the College had implemented the required actions under the requirements and was actively managing information security within the intent of the requirements. The program was later written to codify College process.
Effect: Without the written plan, information security management may not be optimized and responses may be delayed.
Repeat Finding: No
Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4.
Views of responsible officials: Management acknowledges that the policy components were not in a written comprehensive format; however, the College was and continues to conduct those actions required in a written plan, and subsequent to the deadline has created the written documents to satisfy the requirements without compromise to any student information.

Corrective Action Plan

2023-001: Gramm-Leach-Bliley Act
Student Financial Aid Cluster – Assistance Listing No. 84.063, 84.268, 84.007, 84.033
Condition: Certain elements of the College’s information security program were not maintained in written form.
Recommendation: We recommend the College ensure its written information security program addresses the required minimum elements as outlined in 16 CFR 314.4.
Explanation of disagreement with audit finding: There is no disagreement with the audit finding.
Action taken in response to finding: Prior to the conclusion of our audit, the College documented in writing the required minimum elements.
Name(s) of the contact person(s) responsible for corrective action: Dr. Richard C. Kralevich, Vice President, Information and Instructional Technology
Planned completion date for corrective action plan: Completed

Categories

  • Student Financial Aid
  • Significant Deficiency
  • Equipment & Real Property Management
  • Matching / Level of Effort / Earmarking
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 9096 2023-001
    Significant Deficiency
  • 9097 2023-001
    Significant Deficiency
  • 9098 2023-001
    Significant Deficiency
  • 9099 2023-002
    Significant Deficiency
  • 9100 2023-002
    Significant Deficiency
  • 585537 2023-001
    Significant Deficiency
  • 585538 2023-001
    Significant Deficiency
  • 585539 2023-001
    Significant Deficiency
  • 585540 2023-001
    Significant Deficiency
  • 585541 2023-002
    Significant Deficiency
  • 585542 2023-002
    Significant Deficiency

Programs in Audit

ALN Program Name Expenditures
84.063 Federal Pell Grant Program $8.16M
84.268 Federal Direct Student Loans $4.82M
84.002 Adult Education - Basic Grants to States $363,639
84.007 Federal Supplemental Educational Opportunity Grants $332,550
84.033 Federal Work-Study Program $130,895
16.525 Grants to Reduce Domestic Violence, Dating Violence, Sexual Assault, and Stalking on Campus $95,272
12.903 Gencyber Grants Program $67,378
47.076 Education and Human Resources $38,339
84.048 Career and Technical Education -- Basic Grants to States $17,203
17.258 Wia Adult Program $14,539
45.162 Promotion of the Humanities_teaching and Learning Resources and Curriculum Development $12,457
17.259 Wia Youth Activities $11,930
84.425 Education Stabilization Fund $11,565
17.278 Wia Dislocated Worker Formula Grants $10,811
17.285 Apprenticeship USA Grants $9,549
93.136 Injury Prevention and Control Research and State and Community Based Programs $9,221