Finding Text
Federal Agency: U.S. Department of Education
Federal Program Name: Student Financial Assistance Cluster
Assistance Listing Number: 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work-Study Program
84.038 – Federal Perkins Loan Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
Award Period: July 1, 2022 to June 30, 2023
Type of Finding:
• Significant Deficiency in Internal Control over Compliance
• Other Matters
Criteria or Specific Requirement: The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data; the safeguarding requirements are set out in the FTC Safeguards Rule (16 CFR 314). The first element that an institution’s written information security program must address is the designation of an individual with responsibility for implementing and enforcing that program. The regulations refer to this individual as the Qualified Individual. An institution that has not designated a Qualified Individual is not in compliance with the GLBA requirements. The Qualified Individual has ultimate responsibility and accountability for implementing and enforcing the institution’s information security program (16 CFR 314.4(a)). The program must also be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and that assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
The program must provide for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 314.4(c)). At a minimum, the written information security program must address the implementation of the safeguards identified in 16 CFR 314.4(c)(1) through (8), summarized as follows: (1) implement and periodically review access controls, so that only authorized users can access customer information and only to the extent needed; (2) identify and manage the data, personnel, devices, systems, and facilities that enable the institution to achieve its business purposes, including a periodic inventory of where customer information is collected, stored, and transmitted; (3) encrypt customer information at rest on the institution’s systems and in transit over external networks; (4) adopt secure development practices for in-house developed applications that handle customer information; (5) implement multi-factor authentication for any individual accessing an information system that holds customer information; (6) dispose of customer information securely, no later than two years after its last use unless retention is necessary or legally required; (7) adopt procedures for change management; and (8) monitor and log the activity of authorized users and detect unauthorized access to, or use of, customer information.
Criteria or Specific Requirement (Continued): The program must provide for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)); provide for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)); address how the institution will oversee its information system service providers (16 CFR 314.4(f)); and provide for the evaluation and adjustment of the program in light of the results of the required testing and monitoring, any material changes to its operations or business arrangements, the results of the required risk assessments, or any other circumstances that it knows or has reason to know may have a material impact on the institution’s information security program (16 CFR 314.4(g)).
Condition: The College’s Written Information Security Program (WISP) does not address all of the elements required by 16 CFR 314.4.
Questioned Costs: N/A
Context: The updated GLBA Safeguards Rule requirements became applicable on June 9, 2023, within the award period. A comparison of the College’s WISP against the required elements identified a few elements that the WISP does not yet address.
Cause: The College did not have a formal process in place to review its WISP against each of the updated GLBA requirements to ensure compliance.
Effect: Without a WISP that addresses every required element, the personal information of the College’s students could be exposed to unauthorized access, disclosure, or other compromise.
Repeat Finding: No
Auditor’s Recommendation: We recommend that the College review the updated GLBA Safeguards Rule requirements (16 CFR 314.4) and ensure that its WISP includes all required elements.
Views of Responsible Officials and Planned Corrective Actions: There is no disagreement with the audit finding.