Finding 943363 (2023-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-02-12
Audit: 290098
Organization: Calumet College of St. Joseph (IN)
Auditor: Rsm US LLP

AI Summary

  • Core Issue: The institution lacks a comprehensive information security program, failing to meet requirements outlined in the Program Participation Agreement and federal regulations.
  • Impacted Requirements: Key elements missing include designation of a responsible individual, risk assessment integration, implementation of safeguards, and development of necessary policies and procedures.
  • Recommended Follow-Up: Conduct a thorough risk assessment, develop a complete information security policy, and implement safeguards and procedures to ensure compliance and protect student information.

Finding Text

Criteria: 2 CFR 200.303(a) requires that “the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in ‘Standards for Internal Control in the Federal Government’ issued by the Comptroller General of the United States or the ‘Internal Control Integrated Framework,’ issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).”

The Program Participation Agreement (PPA) with the United States Department of Education requires the institution to comply with the Standards for Safeguarding Customer Information as described in 16 CFR Part 314, which includes the development of a comprehensive written information security program with the following parts:

  • 16 CFR 314.4(a) requires institutions to designate a qualified individual responsible for overseeing, implementing, and enforcing the institution’s information security program.
  • 16 CFR 314.4(b) requires institutions to base the information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and that assesses the sufficiency of any safeguards in place to control these risks.
  • 16 CFR 314.4(c) requires institutions to design and implement safeguards to control the risks the institution identifies through its risk assessment.
  • 16 CFR 314.4(d) requires institutions to regularly test or otherwise monitor the effectiveness of the safeguards they have implemented.
  • 16 CFR 314.4(e) requires institutions to develop policies and procedures to ensure that personnel are able to enact the information security program.
  • 16 CFR 314.4(f) requires institutions to develop policies and procedures to oversee their information system service providers.

Condition: The institution’s written information security program did not include the following elements required by regulation as agreed to in the Program Participation Agreement:

  • The written information security program does not designate an individual responsible for overseeing and implementing the institution’s information security program or enforcing it.
  • The institution has performed a risk assessment using internal resources but has not based the information security program on the results of this assessment, nor has it included all required elements of internal and external risks to the security, confidentiality, or integrity of customer information. The risk assessment is missing an inventory of IT systems that process and store customer information, and it does not address the information security elements related to multifactor authentication, access control, change management, logging and alerting, and encryption.
  • The institution has not identified, designed, or implemented safeguards for all of the risks identified in the risk assessment. The safeguards do not include the identification of security events or detection and response capabilities to support incident response.
  • The institution has not been able to test safeguards because safeguards have not been designed or implemented in response to the risk assessment.
  • The institution has not developed written policies and procedures to ensure that personnel are able to enact the information security program. There is no evidence that leadership is required to report to the board or an appropriate supervisory council to ensure that those charged with governance are informed of the current state of the information security program.
  • The institution has not developed policies and procedures to oversee information service providers.

Cause: The institution has not created or implemented a comprehensive information security policy.

Effect: The absence of internal controls and of policies and procedures could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of student account information.

Context: Under an institution’s Program Participation Agreement with the US Department of Education, schools must protect student financial aid information, with particular attention to information provided to institutions by the US Department of Education or otherwise obtained in support of the administration of federal student financial aid programs.

Questioned Costs: There were no questioned costs identified.

Repeat Finding: This is not a repeat finding.

Recommendation: We recommend that the institution complete a comprehensive risk assessment, create a comprehensive information security policy based on that assessment, and implement those policies through the use of safeguards and other policies and procedures.

Views of responsible officials: Management agrees with this finding. See corrective action plan.

Categories

  • Subrecipient Monitoring
  • Equipment & Real Property Management
  • Matching / Level of Effort / Earmarking
  • Internal Control / Segregation of Duties

Other Findings in this Audit

  • 366921 2023-001
    Significant Deficiency
  • 366922 2023-001
    Significant Deficiency
  • 366923 2023-001
    Significant Deficiency
  • 366924 2023-001
    Significant Deficiency
  • 366925 2023-002
    Significant Deficiency
  • 943364 2023-001
    Significant Deficiency
  • 943365 2023-001
    Significant Deficiency
  • 943366 2023-001
    Significant Deficiency
  • 943367 2023-002
    Significant Deficiency

Programs in Audit

ALN     Program Name                                            Expenditures
84.268  Federal Direct Student Loans                            $3.21M
84.063  Federal Pell Grant Program                              $1.48M
84.031  Higher Education_institutional Aid                      $289,719
84.007  Federal Supplemental Educational Opportunity Grants     $74,585
84.033  Federal Work-Study Program                              $50,628