Finding Text
Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to
explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314).
The regulation requires the college to designate a qualified individual responsible for overseeing,
implementing and enforcing its information security program (16 CFR 314.4(a)). The entity shall have a
Written Information Security Program (WISP) that outlines the design and implementation of its risk
assessment procedures (16 CFR 314.4(b)). At a minimum, the institution's written information security
program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1)
through (8), including assessing applications developed by the institution. In addition, the written security
program must provide for the institution to regularly test or otherwise monitor the effectiveness of the
safeguards it has implemented (16 CFR 314.4(d)).
Condition: The college was missing all of the requirements of the Gramm-Leach-Bliley Act except for
having a Written Information Security Program, approval by an appropriate individual, implementation and
periodic review of access controls, and secure disposal of customer information. These GLBA
requirements became applicable on June 9, 2023, and multiple elements were missing from the
college's Written Information Security Program.
Context: The institution had been in compliance with previous iterations of the GLBA requirements. The
Written Information Security Program (WISP) required as of June 9, 2023 had missing elements: some
controls were in place while others were not. The college did have a WISP as of the deadline, but it
lacked some of the required information.
Questioned Costs: N/A
Cause: There was no formal process in place to review the program against all of the new GLBA
requirements to ensure compliance.
Effect: Student personal information could be vulnerable.
Repeat Finding: No
Recommendation: We recommend that the College review the updated GLBA requirements and ensure
their Written Information Security Program (WISP) includes all required elements.
Views of Responsible Officials: Management agrees with the finding and has developed a plan to correct
the finding.