Finding Text
Criteria or specific requirement: The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Act requires:
• The information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
• The institution design and implement safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The minimum safeguards that the written information security program must address are summarized as follows:
o Conduct a periodic inventory of data, noting where it's collected, stored, or transmitted.
o Assess apps developed by the institution.
o Implement multi-factor authentication (MFA) for anyone accessing customer information on the institution's system.
• The institution must regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)).
Condition: During testing we noted the following exceptions:
• Safeguards were not clearly linked to the identified risks in the College's policy.
o The College did not document that it conducts a periodic inventory of data, noting where it’s collected, stored, or transmitted.
o There was no evidence indicating a discussion to standardize the use of MFA for end users.
• The College does not have a written risk management section in its information technology policies.
• There was no written policy regarding program development and software practices in relation to sensitive information.
• The College does not have a written policy that identifies continuous monitoring or control testing that takes place periodically.
Context: We tested the requirements of GLBA by reviewing College policy and procedures.
Questioned costs: None.
Cause: The College did not have policies or procedures indicating their compliance with certain aspects of GLBA.
Effect: The College did not comply with GLBA requirements.
Repeat Finding: No
Recommendation: We recommend the College update its IT policies and procedures to follow the guidelines outlined by the GLBA.
Views of responsible officials and management’s response: The College agrees with the finding.