Finding Text
Compliance Requirements: Gramm-Leach-Bliley Act – Student Information Security
Condition or Requirement:
The Gramm-Leach-Bliley Act (GLBA) requires institutions to explain their information-sharing practices to
their customers and to safeguard sensitive data. Institutions are required to develop, implement, and
maintain a comprehensive information security program that is written in one or more readily accessible
parts. The written information security program for institutions must address the following seven elements:
1.) Designates a qualified individual responsible for overseeing and implementing the institution’s
information security program and enforcing it.
2.) Provides for the information security program to be based on a risk assessment that identifies
reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of
customer information (as the term customer information applies to the institution) that could result in the
unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and
assesses the sufficiency of any safeguards in place to control these risks.
3.) Provides for the design and implementation of safeguards to control the risks the institution identifies
through its risk assessment. At a minimum, the institution’s written information security program must
address the implementation of the following eight safeguards:
i. Implement and periodically review access controls.
ii. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted.
iii. Encrypt customer information on the institution’s system and when it’s in transit.
iv. Assess applications developed in-house by the institution.
v. Implement multi-factor authentication for anyone accessing customer information on the
institution’s system.
vi. Dispose of customer information securely
vii. Anticipate and evaluate changes to the information system or network.
viii. Maintain a log of authorized users’ activity and monitor for unauthorized access.
4.) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it
has implemented.
5.) Provides for the implementation of policies and procedures to ensure that personnel are able to enact
the information security program.
6.) Addresses how the institution will oversee its information system service providers.
7.) Provides for the evaluation and adjustment of its information security program in light of the results of
the required testing and monitoring; any material changes to its operations or business arrangements;
the results of the required risk assessments; or any other circumstances that it knows or has reason to
know may have a material impact on the institution’s information security program.
Condition and Context:
The OMB Compliance Supplement requires auditors to verify that the institution has designated a qualified
individual to oversee the information security program and to verify that the institution has a written information
security program that addresses the seven required elements. During our testwork over element 3, we
noted that the College’s written information security program did not include information related to
conducting a periodic inventory of data, noting where it is collected, stored, or transmitted.
Cause and Effect:
The condition was caused by a lack of policies and procedures to ensure that the written
information security program addressed all seven required elements, including the eight minimum
safeguards under element 3.
The effect of the condition is that the College may not have appropriately designed and implemented
safeguards to control the risks identified through its risk assessment, since without a data inventory the College
cannot be certain that every location where customer information is collected, stored, or transmitted is covered
by those safeguards.
Identification of Questioned Costs:
None.
Whether the Sampling was a Statistically Valid Sample:
The sample was not intended to be, and was not, a statistically valid sample.
Identification of Whether the Audit Finding was a Repeat Finding:
This is not a repeat finding.
Recommendation:
We recommend that the College conduct a periodic inventory of data and ensure that its written information
security program includes the requirement to conduct a periodic inventory of data, noting where it is collected,
stored, or transmitted.