Finding Text
Federal agency: Department of Education
Federal program title: Student Financial Assistance Cluster
Assistance Listing Numbers: 84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.007 – Supplemental Educational Opportunity Grant
84.033 – College Work-Study Program
84.379 – Teacher Education Assistance for College and Higher Education Grant
84.038 – Federal Perkins Loans Program
Award Period: July 1, 2022, to June 30, 2023
Type of Finding: Other Matters Finding related to Compliance within Uniform Guidance and Significant Deficiency in Internal Controls over Compliance.
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act because they appear to be significantly engaged in wiring funds to consumers (16 CFR 313.3(k)(2)(vi)). Institutions agree to comply with GLBA in their Program Participation Agreement with ED. Institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the Federal student financial aid programs (16 CFR 314.3; HEA 483(a)(3)(E) and HEA 485B(d)(2)). ED provides additional information about cybersecurity requirements at https://studentprivacy.ed.gov/security. ED also issued an Electronic Announcement on GLBA compliance that can be found at https://fsapartners.ed.gov/knowledge-center/library/electronicannouncements/2023-02-09/updates-gramm-leach-bliley-act-cybersecurity-requirements.
Condition: CLA identified that the College fails to meet one of the compliance requirements outlined in the GLBA Safeguards Rule within 16 CFR 314.
Questioned costs Known: None.
Context: During our testing, we noted the College failed to meet one of the compliance requirements outlined in the GLBA Safeguards Rule. The College has been continuously drafting and implementing policies as part of its written information security program; however, as of June 30, 2023, one requirement was not met.
Cause: The College is currently drafting the necessary policy, which was not formally in place.
Effect: Failure to have a complete written information security program in place causes the College to not be GLBA compliant and potentially put institutional and student data at risk.
Repeat Finding: No.
Recommendation: We recommend the College finalize its written information security program to ensure it is compliant with the GLBA Safeguards Rule along with appropriately managing its information technology and cybersecurity risks.
Views of responsible officials and planned corrective actions: There is no disagreement with the audit finding. Management has addressed their corrective action plan in a separately issued letter.