Title IV: Department of Education Requirements

The Dear Colleague letter of July 29, 2015 (https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html) sets specific requirements for institutions that handle Title IV data when they are signed up for SAIG (https://ifap.ed.gov/dpcletters/attachments/20152016SAIGFormWatermarked.pdf#page=31).

LETU InfoSec Compliance Reference: These requirements are outlined below and detailed in the LETU Information Security Program & Compliance Reference.

2019: Additional information about the GLBA Safeguards FY19 Supplement is available here: https://er.educause.edu/blogs/2019/7/the-safeguards-rule-audit-objective-is-here

Control / Remediation
Develop, implement, and maintain a written information security program;

LETU Information Security Program & Compliance Reference

Security Awareness Program: Title IV Data

Designate the employee(s) responsible for coordinating the information security program;

Title IV Information Security Program Responsibilities

Identify and assess risks to customer information;

Data Classification Standard
LETU Policy 6.2: Data Classification

Annual Risk Assessment (available internally)

NIST Framework for Improving Critical Infrastructure Cybersecurity v1.1 (available internally)

Design and implement an information safeguards program;

Security Safeguards Program: Title IV Data

LETU Continuity Plan (available internally)

Select appropriate service providers that are capable of maintaining appropriate safeguards; and

LETU HECVAT and Cloud Vendor Guidelines (Required for approval of new Information Systems Vendors)

Acceptable Use for Technology Systems
LETU Policy 6.1: Acceptable Use for Technology Systems

Periodically evaluate and update their security program.

Annual evaluation: Security Awareness Program: Title IV Data

Additional FSA Cybersecurity Compliance information is available at https://ifap.ed.gov/eannouncements/Cyber.html


Article ID: 123644
Tue 1/5/21 8:22 AM
Tue 8/3/21 4:33 PM