Finding Text
Agencies: U.S. Department of Education
Federal Assistance Listing Number: 84.038, 84.063, 84.007, 84.033, 84.268, and 84.379
Programs: Student financial assistance cluster
Criteria: The College is required to have documented internal controls in place to monitor compliance over special tests in accordance with the Uniform Guidance. On December 9, 2021, the Federal Trade Commission issued final regulations for 16 Code of Federal Regulations Part 314 to implement the Gramm-Leach-Bliley Act (GLBA) information safeguarding standards that institutions must implement. These regulations significantly modified the requirements that institutions must meet under GLBA. The regulations established minimum standards that institutions must meet. The FTC stated that it “believes many of the requirements set forth in the Final Rule are so fundamental to any information security program that the information security programs of many financial institutions will already include them if those programs are in compliance with the current Safeguards Rule.”
Institutions are required to be in compliance with the revised requirements no later than June 9, 2023. Institutions are required to develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts.
Condition: The College did not have documented controls in place to review that the comprehensive information security program was in compliance with the Safeguards Rule and was prepared and in place by June 9, 2023. The College did meet the compliance requirements.
Questioned Costs: The amount of questioned costs could not be determined.
Context: The College is required to have documented controls in place to ensure the College has a completed information security program available on or before June 9, 2023. Management could not provide documentation that a review occurred.
Cause: The College did not have proper documented controls in place to ensure that the College was compliant with GLBA Safeguards requirements in the timeframe specified by 16 CFR Part 314.
Effect: The ability to adequately safeguard student electronic data may be compromised if the College does not have controls in place to ensure that a timely-prepared information security program, defining the various ways in which data is protected, is completed.
Recommendation: We recommend the College review its policies and procedures in place to ensure that the information security program review is documented to support the College’s compliance under the Uniform Guidance.
Management Response: Management agrees and has implemented necessary procedures/controls to ensure the College is in compliance with enrollment requirements.