Information Security Program: Controls, Safeguards and Compliance (incl Title IV Department of Education requirements)

titleIV departmentofeducation TitleIV-GLBA-SafeguardsRule-ComplianceDocumentation

The LETU Information Security program consists of a series of controls, remediation and compliance review steps. These steps are detailed in the document below.

Control	Reference and Remediation
Develop, implement, and maintain a written information security program;	LETU Information Security Program Home Index (Controls, Safeguards and Compliance) LETU Information Security Program & Compliance Reference Security Awareness Program: Title IV Data
a. Designate a Qualified Individual to implement and supervise your company's information security program	Title IV Information Security Program Responsibilities
b. conduct a risk assessment	Data Classification Standard LETU Policy 6.2: Data Classification (Secure Document: available internally) Annual Risk Assessment (Secure Document: available internally) NIST Framework for Improving Critical infrastructure CyberSecurity v1.1 (Secure Document: available internally)
c. Design and implement safeguards to control the risks identified through your risk assessment	Security Safeguards Program: Title IV Data
c (1). Implement and periodically review access controls	Annual Systems Re-Authorization/FERPA agreement Overview (Secure Document: available internally) Reauth Collection Script (Secure Document: available internally)
c (2). Know what you have and where you have it	Data Inventory (Secure document: available internally)
c (3). Encrypt customer information on your system and when it's in transit	Data Inventory (Secure document: available internally)
c (4). Assess your apps	LETU HECVAT and Cloud Vendor Guidelines (Required for approval of new Information Systems Vendors) Data Inventory (Secure document: available internally) Change Request Process (Secure document: available internally)
c (5). Implement multi-factor authentication for anyone accessing customer information on your system	LETU Multifactor Authentication (MFA) Requirement
c (6). Dispose of customer information securely	LETU Policy 6.12: Data Retention (Secure Document: available internally) Disposal of Disk, Tape and other Media Data Retention Procedures
c (7). Anticipate and evaluate changes to your system or network	Change Request Process (Secure document: available internally) Orion Network Config Manager (Secure system: available internally)
c (8) Maintain a log of authorized users' activity and keep an eye out for unauthorized access	Title IV Safeguards c(8) documentation (Secure Document: available internally)
d. Regularly monitor and test the effectiveness of your safeguards	Vulnerability Scanning (Secure Document: available internally) Penetration Testing (Secure Document: available internally)
e. Train your staff	LETU 6.11 Cyber Security Training Policy (Secure Document: available internally)
f. Monitor your service providers	LETU HECVAT and Cloud Vendor Guidelines (Required for approval of new Information Systems Vendors) Acceptable Use for Technology Systems LETU Policy 6.1: Acceptable Use for Technology Systems (Secure Document: available internally)
g. Keep your information security program current	Security Awareness Program: Title IV Data
h. Create a written incident response plan	LETU Information Technology Continuity Plan (Secure document: available internally)
i. Require your Qualified Individual to report to your Board of Directors	Annual Information Security / Risk Assessment Report to LETU Board of Trustees occurs in Fall of each year. (Secure document: available internally)

Addtl Title IV / GLBA Safeguards References:

The Controls, Safeguards and Compliance References above include elements incorporated from Title IV / GLBA Safeguards guidance. Key regulatory references and guidance used in review of TItle IV / GLBA Safeguards compliance as part of LETU's Information Security Program are below.
The Dear Colleague letter of July 29, 2015 (https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html) requires specific requirements of institutions handling Title IV data when signed up for SAIG (https://ifap.ed.gov/dpcletters/attachments/20152016SAIGFormWatermarked.pdf#page=31). As of 2023, GENERAL-23-09, updates the above for compliance with FTC Standards for Safeguarding Customer Information (16 U.S.C § 314) as required by Title IV of the US Higher Education Act (20 U.S.C §§ 1070-1099d) and the GLBA Privacy Rule (16 U.S.C § 313). Compliance requirements are additionally summarized by the FTC in https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know Addtl annual Audit Guidance from ED (May 23): Part 5 - Clusters of Programs (whitehouse.gov)
LETU InfoSec Compliance Reference: These requirements are outlined below and detailed in the LETU Information Security program & Compliance Reference. Additional information from FSA: https://fsapartners.ed.gov/title-iv-program-eligibility/cybersecurity Additional information from FTC RE: Safeguards: https://www.ftc.gov/legal-library/browse/rules/safeguards-rule Additional information from FTC on Service provider Monitoring: Federal Register :: Standards for Safeguarding Customer Information (2021-Dec-09) Additional information from EDUCAUSE: 2022 GLBA Safeguards Audit procedures: https://er.educause.edu/articles/2022/8/fy22-federal-single-audit-safeguards-rule-objective-unchanged GLBA Safeguards FY19 Supplement: https://er.educause.edu/blogs/2019/7/the-safeguards-rule-audit-objective-is-here

The Controls, Safeguards and Compliance References above include elements incorporated from Title IV / GLBA Safeguards guidance. Key regulatory references and guidance used in review of TItle IV / GLBA Safeguards compliance as part of LETU's Information Security Program are below.

The Dear Colleague letter of July 29, 2015 (https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html) requires specific requirements of institutions handling Title IV data when signed up for SAIG (https://ifap.ed.gov/dpcletters/attachments/20152016SAIGFormWatermarked.pdf#page=31).

As of 2023, GENERAL-23-09, updates the above for compliance with FTC Standards for Safeguarding Customer Information (16 U.S.C § 314) as required by Title IV of the US Higher Education Act (20 U.S.C §§ 1070-1099d) and the GLBA Privacy Rule (16 U.S.C § 313).

Compliance requirements are additionally summarized by the FTC in
https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Addtl annual Audit Guidance from ED (May 23): Part 5 - Clusters of Programs (whitehouse.gov)

LETU InfoSec Compliance Reference: These requirements are outlined below and detailed in the LETU Information Security program & Compliance Reference.

Additional information from FSA: https://fsapartners.ed.gov/title-iv-program-eligibility/cybersecurity

Additional information from FTC RE: Safeguards: https://www.ftc.gov/legal-library/browse/rules/safeguards-rule

Additional information from FTC on Service provider Monitoring: Federal Register :: Standards for Safeguarding Customer Information (2021-Dec-09)

Additional information from EDUCAUSE:

2022 GLBA Safeguards Audit procedures: https://er.educause.edu/articles/2022/8/fy22-federal-single-audit-safeguards-rule-objective-unchanged
GLBA Safeguards FY19 Supplement: https://er.educause.edu/blogs/2019/7/the-safeguards-rule-audit-objective-is-here

Additional FSA Cybersecurity Compliance information is available at https://ifap.ed.gov/eannouncements/Cyber.html

0 reviews

Details

Article ID: 123644

Created

Tue 1/5/21 8:22 AM

Modified

Mon 6/12/23 2:47 PM

Updating...

Information Security Program: Controls, Safeguards and Compliance (incl Title IV Department of Education requirements)

Details

Related Articles (3)

Deleting...