Finding Text
2023-003 – Student Financial Assistance Cluster – Special Tests and Provisions – Student Information Security
Criteria or specific requirement
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. The Federal Trade Commission considers institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the GLBA. 16 CFR Part 314 requires that information safeguarding standards be implemented by institutions and establishes minimum standards that must be met. Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. This written information security program is required to include seven elements, and institutions were required to be in compliance no later than June 9, 2023.
Condition
During testing, it was determined that the College’s written policies did not reflect one of the seven required elements.
Context
The element that was not in compliance is as follows: Provides for the design and implementation of safeguards to control the risks the institution or servicer identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards referenced above are:
(1) implement and periodically review access controls;
(2) conduct a periodic inventory of data, noting where it is collected, stored, or transmitted;
(3) encrypt customer information on the institution’s system and while it is in transit;
(4) assess applications developed by the institution;
(5) implement multi-factor authentication for anyone accessing customer information on the institution’s system;
(6) dispose of customer information securely;
(7) anticipate and evaluate changes to the information system or network; and
(8) maintain a log of authorized users’ activity and monitor for unauthorized access.
The College had not implemented multi-factor authentication for anyone accessing customer information on its system. The College also did not have a written policy regarding the secure disposal of customer information.
Cause
The College is in the process of implementing the required aspects of the element, but it was not in compliance by the required date.
Effect
The College’s written policies did not meet the minimum standards established by 16 CFR Part 314.
Recommendation
We recommend that the College’s written policies be updated to reflect all seven required elements.
Views of responsible officials
See Corrective Action Plan.