Finding Text
2023-006 – Gramm-Leach-Bliley Act – Student Information Security – Material Weakness in Internal Controls over Compliance and Material Noncompliance
Student Financial Assistance Cluster
U.S. Department of Education
Federal Assistance Listing Number: 84.063, 84.268, 84.007, 84.033, 84.379
Federal Program Name: Federal Pell Grant Program, Federal Direct Student Loans, Federal Supplemental
Educational Opportunity Grants, Federal Work-Study Program
Criteria: Per 16 CFR 314.3, institutions subject to the requirement shall develop, implement, and maintain a
comprehensive information security program that is written in one or more readily accessible parts and contains
administrative, technical, and physical safeguards that are appropriate to the size and complexity, the nature and
scope of their activities, and the sensitivity of any customer information at issue. The information security program
shall include the elements set forth in 16 CFR 314.4 and shall be reasonably designed to achieve the objectives
of 16 CFR 314.3(b). These requirements were effective as of June 9, 2023.
Condition/context: Based on our review of the information provided by the College, the College does not currently have a
written policy that addresses the required elements in 16 CFR 314.4.
Questioned costs: None.
Cause/Effect: Staffing shortages have contributed to the delay in implementation of this standard. The absence of
a well-designed and documented policy addressing the standards set forth under the act could put the security,
confidentiality, and integrity of student information at risk.
Repeat finding: No
Recommendation: We recommend the College review the compliance requirements and draft a written policy that
addresses all the required elements under the act.
Views of responsible officials and planned corrective actions:
Responsible Individuals: Andrew Burke, Chief Information Officer
Corrective Actions Plan: The college released a Request for Proposal (RFP) to contract with outside information
technology services to guide the development and implementation of a comprehensive information security program and
address staffing gaps. Outside Chief Information Officer, information security, and technical partnership
completed and contracted effective April 2024. Outside service will guide the college in the review and
implementation of procedures and policies necessary for the required controls to be completed through the
following phases:
Assessment and gap analysis of current infrastructure and cybersecurity measures.
Develop necessary policies and procedures based on NIST guidelines and GLBA requirements.
Detect and respond to ongoing training and incident response planning.
Anticipated Completion Date: to be completed by June 30, 2024