Finding Text
Criteria: Institutions shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in the objectives of section 501(b) of the Act (16 CFR 314.3(a)).
Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 314.4(b)).
Condition: The Organization failed to implement the new Gramm-Leach-Bliley Act’s (GLBA) standards for safeguarding customer information to their student information security policy. We consider this finding to be a material weakness in relation to Special Tests and Provisions. Statistical sampling was not used in making sample selections.
Questioned Costs: N/A
Cause: The condition was caused by the Organization’s security officer being unaware of the new GLBA requirements.
Effect: The result is the Organization did not meet the requirements for protecting and securing data obtained from the Department of Education’s systems for the purposes of administering the Title IV programs.
Recommendation: We recommend the Organization update their student information security program to adhere to the regulations and await guidance from the Department of Education.
Views of Responsible Officials: Management agrees with this Single Audit Finding and response is included in the Corrective Action Plan.