Finding 972208 (2023-001)

Significant Deficiency
Requirement: N
Questioned Costs: -
Year: 2023
Accepted: 2024-05-03
Audit: 305421
Organization: Dutchess Community College (NY)
Auditor: Bonadio & CO LLP

AI Summary

  • Core Issue: The College lacks a designated individual responsible for implementing its information security program, leading to inadequate compliance with the Gramm-Leach-Bliley Act (GLBA).
  • Impacted Requirements: Key safeguards such as annual IT risk assessments, vendor management, mobile device management, and encryption of backup media are missing.
  • Recommended Follow-Up: The College should establish a comprehensive risk assessment process, document necessary controls, and prioritize hiring qualified information security leadership.

Finding Text

Finding Reference: 2023-001
U.S. Department of Education Student Financial Aid Cluster:
  • Federal Supplemental Educational Opportunity Grants (Assistance Listing #84.007)
  • Federal Work-Study Program (Assistance Listing #84.033)
  • Federal Pell Grant Program (Assistance Listing #84.063)
  • Federal Direct Student Loans (Assistance Listing #84.268)
  • Nursing Student Loans (Assistance Listing #93.364)
Compliance Requirement: Special Tests and Provisions

Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) (GLBA) requires the College, on an annual basis, to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer (student) information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and to assess the sufficiency of any safeguards in place to control these risks. At a minimum, the GLBA risk assessment should include consideration of risk in each relevant area of operations, including:
  • Employee training and management.
  • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal.
  • Detecting, preventing, and responding to attacks, intrusions, or other system failures.

Condition: During our testing, we noted the following:
  • While the IT Systems Team is the assigned resource for information security matters, the College communicated that it does not have a single qualified individual designated with the responsibility for implementing and enforcing the College's information security program.
  • An annual IT risk assessment was not performed.
  • A vendor management program is not in place.
  • Mobile device management is not in place.
  • Backup media is not encrypted.
  • A full set of policies and procedures is not in place.

Cause: The expected documentation supporting the required controls to adequately confirm compliance with GLBA safeguards was not complete.

Effect: Without demonstrable, documented controls supporting compliance with the GLBA standards for safeguarding the protected data, compliance with the law and the requirements in the federal PPA may not be assured.

Context: Inquiry and observation of the information received from the College related to compliance with GLBA.

Auditor's Recommendation: The College should review the GLBA safeguarding rules and, as soon as practical, implement and document the controls necessary for compliance with the rule, focusing on the completion of a documented, thorough, and standardized risk assessment and management reporting framework. The College should perform comprehensive risk assessments on a regular basis, which is suggested to be at least annually, and at any significant change in infrastructure or business process.

View of Responsible Officials: The College agrees with the findings and is in the process of developing a corrective action plan to address them. In addition, the College has made it a top priority to hire both a Chief Information Officer and a Chief Information Security Officer but has experienced difficulty getting a qualified pool of candidates.

Categories

  • Special Tests & Provisions
  • Student Financial Aid
  • Subrecipient Monitoring
  • Reporting
  • Matching / Level of Effort / Earmarking

Other Findings in this Audit

  • 395765 2023-001
    Significant Deficiency
  • 395766 2023-001
    Significant Deficiency
  • 395767 2023-001
    Significant Deficiency
  • 395768 2023-001
    Significant Deficiency
  • 395769 2023-001
    Significant Deficiency
  • 972207 2023-001
    Significant Deficiency
  • 972209 2023-001
    Significant Deficiency
  • 972210 2023-001
    Significant Deficiency
  • 972211 2023-001
    Significant Deficiency

Programs in Audit

ALN     Program Name                                                 Expenditures
84.063  Federal Pell Grant Program                                   $6.31M
84.268  Federal Direct Student Loans                                 $5.06M
84.048  Career and Technical Education -- Basic Grants to States     $615,604
84.031  Higher Education - Institutional Aid                         $393,089
84.042  TRIO - Student Support Services                              $268,499
20.112  Aviation Maintenance Technical Workforce Grant Program       $158,394
84.007  Federal Supplemental Educational Opportunity Grants          $135,405
84.033  Federal Work-Study Program                                   $119,490
84.425  COVID-19 - Education Stabilization Fund                      $31,011
93.364  Nursing Student Loans                                        $19,669
84.335  Child Care Access Means Parents in School                    $5,913
47.076  Education and Human Resources                                $733