Finding Text
Finding 2023-005 - Significant Deficiency, Compliance
Federal Award No. 84.268, 84.007, 84.379, 84.063, 84.033, 84.038
U.S. Department of Education
Student Financial Aid Cluster - Special Tests and Provisions
Criteria: The Federal Trade Commission (FTC) issued the amended FTC Safeguards Rule on December 9, 2021 and gave notice to entities subject to the Gramm-Leach-Bliley Act (GLBA) that each entity would be required to comply with the revised requirements no later than June 9, 2023. The amended Safeguards Rule expanded the requirements for the written information security program that the College must establish. The requirements at 16 CFR 314.4 provide that the College must designate a Qualified Individual responsible for overseeing and implementing the College’s information security program, that the program must be based on a written risk assessment identifying reasonably foreseeable internal and external risks and the safeguards adopted to address them, and that the following eight safeguards must be documented:
• Implement and periodically review access controls, including technical and physical controls that authenticate users and limit access to customer information to those with a business need
• Conduct a periodic inventory of data, noting where it is collected, stored, or transmitted, and of the personnel, devices, systems, and facilities that handle it
• Encrypt customer information both at rest on the institution’s systems and in transit over external networks
• Adopt secure development practices for applications developed in-house by the institution, and assess the security of externally developed applications it uses
• Implement multi-factor authentication for any individual accessing any information system that holds customer information
• Dispose of customer information securely when it is no longer needed
• Anticipate and evaluate changes to the information system or network through a change-management process
• Log the activity of authorized users and monitor for unauthorized access to, use of, or tampering with customer information
In addition, the College is responsible for regularly testing and monitoring the effectiveness of the safeguards it has implemented, and for establishing in the written Information Security Program how that monitoring and testing will be carried out. The College must also document in the written Information Security Program how it will oversee its information system service providers, and must provide for the evaluation and adjustment of the program in light of the results of the required testing and monitoring, the results of the required risk assessments, any material changes to the College’s operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the College’s information security program.
Condition: The College took steps toward meeting the requirements of the FTC Safeguards Rule, including evaluating its current compliance and implementing many of the new requirements, but it failed to update its written Information Security Program to incorporate all of the changes required by the FTC Safeguards Rule by the June 9, 2023 compliance date or by June 30, 2023.
Context: The College took steps to implement the requirements and established draft policies and procedures to meet the requirements of the FTC Safeguards Rule; however, the College did not formalize the policies and procedures or update its written Information Security Program.
Effect: Failure to meet the requirements of the FTC Safeguards Rule, including maintaining formal documentation of the written Information Security Program, leaves the College exposed to cybersecurity and student-data-protection risks, since safeguards that are not formally documented cannot be consistently applied, tested, or monitored.
Questioned Costs: None noted.
Cause: Given the size of the College’s IT department, the College focused first on implementing as many of the safeguards as possible to meet the FTC Safeguards Rule, and did not prioritize a formal update of its written Information Security Program to reflect those requirements.
Indication Of Repeat Finding: This is not a repeat finding.
Recommendation: The College should immediately formalize its written Information Security Program to meet the FTC Safeguards Rule.
Views Of Responsible Officials (Unaudited): The College concurs with the finding and will formalize its written Information Security Program.
Completion Date: Spring 2024
Contact Person: Joshua Bieber, Director of Information Technology