Information Security Program: Controls, Safeguards and Compliance (including Title IV / Department of Education requirements)

The LETU Information Security program consists of a series of controls, remediation and compliance review steps. These steps are detailed in the document below.

Control Reference and Remediation

Each FTC Safeguards Rule element (a. through i., with the safeguards under c. numbered c(1) through c(8), matching 16 C.F.R. § 314.4) is listed below with the LETU document(s) that implement or evidence it.

Develop, implement, and maintain a written information security program
  LETU Information Security Program Home Index (Controls, Safeguards and Compliance)
  LETU Information Security Program & Compliance Reference
  Security Awareness Program: Title IV Data

a. Designate a Qualified Individual to implement and supervise your company's information security program
  Title IV Information Security Program Responsibilities
b. Conduct a risk assessment
  Data Classification Standard
  LETU Policy 6.2: Data Classification (Secure Document: available internally)
  Annual Risk Assessment (Secure Document: available internally)
  NIST Framework for Improving Critical Infrastructure Cybersecurity v1.1 (Secure Document: available internally)

c. Design and implement safeguards to control the risks identified through your risk assessment
  Security Safeguards Program: Title IV Data

c (1). Implement and periodically review access controls
  Annual Systems Re-Authorization/FERPA Agreement Overview (Secure Document: available internally)
  Reauth Collection Script (Secure Document: available internally)

c (2). Know what you have and where you have it
  Data Inventory (Secure Document: available internally)

c (3). Encrypt customer information on your system and when it's in transit
  Data Inventory (Secure Document: available internally)

c (4). Assess your apps
  LETU HECVAT and Cloud Vendor Guidelines (required for approval of new Information Systems vendors)
  Data Inventory (Secure Document: available internally)
  Change Request Process (Secure Document: available internally)

c (5). Implement multi-factor authentication for anyone accessing customer information on your system
  LETU Multifactor Authentication (MFA) Requirement

c (6). Dispose of customer information securely
  LETU Policy 6.12: Data Retention (Secure Document: available internally)
  Disposal of Disk, Tape and other Media
  Data Retention Procedures

c (7). Anticipate and evaluate changes to your system or network
  Change Request Process (Secure Document: available internally)
  Orion Network Config Manager (Secure system: available internally)

c (8). Maintain a log of authorized users' activity and keep an eye out for unauthorized access
  Title IV Safeguards c(8) documentation (Secure Document: available internally)
d. Regularly monitor and test the effectiveness of your safeguards
  Vulnerability Scanning (Secure Document: available internally)
  Penetration Testing (Secure Document: available internally)

e. Train your staff
  LETU Policy 6.11: Cyber Security Training (Secure Document: available internally)

f. Monitor your service providers
  LETU HECVAT and Cloud Vendor Guidelines (required for approval of new Information Systems vendors)
  LETU Policy 6.1: Acceptable Use for Technology Systems (Secure Document: available internally)

g. Keep your information security program current
  Security Awareness Program: Title IV Data

h. Create a written incident response plan
  LETU Information Technology Continuity Plan (Secure Document: available internally)

i. Require your Qualified Individual to report to your Board of Directors
  Annual Information Security / Risk Assessment Report to the LETU Board of Trustees, delivered each fall (Secure Document: available internally)


Additional Title IV / GLBA Safeguards References:

The Controls, Safeguards and Compliance References above include elements incorporated from Title IV / GLBA Safeguards guidance. The key regulatory references and guidance used when reviewing Title IV / GLBA Safeguards compliance as part of LETU's Information Security Program are listed below.

The Dear Colleague Letter of July 29, 2015 (GEN-15-18, https://ifap.ed.gov/dpcletters/GEN1518.html) and its 2016 follow-up (GEN-16-12, https://ifap.ed.gov/dpcletters/GEN1612.html) impose specific information security requirements on institutions that handle Title IV data, as part of the Student Aid Internet Gateway (SAIG) enrollment agreement (https://ifap.ed.gov/dpcletters/attachments/20152016SAIGFormWatermarked.pdf#page=31).

As of 2023, Electronic Announcement GENERAL-23-09 updates the above for compliance with the FTC Standards for Safeguarding Customer Information (the Safeguards Rule, 16 C.F.R. Part 314), which institutions participating in Title IV of the Higher Education Act (20 U.S.C. §§ 1070-1099d) are required to meet, and with the GLBA Privacy Rule (16 C.F.R. Part 313). The amended Safeguards Rule's compliance date for the elements listed above was June 9, 2023.

Compliance requirements are additionally summarized by the FTC in
https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Additional annual audit guidance from ED (May 2023): OMB Compliance Supplement, Part 5 - Clusters of Programs (hosted on whitehouse.gov)

LETU InfoSec Compliance Reference: these requirements are outlined above and detailed in the LETU Information Security Program & Compliance Reference.

Additional information from FSA: https://fsapartners.ed.gov/title-iv-program-eligibility/cybersecurity

Additional information from FTC RE: Safeguards: https://www.ftc.gov/legal-library/browse/rules/safeguards-rule

Additional information from FTC on service provider monitoring: Federal Register final rule, Standards for Safeguarding Customer Information (December 9, 2021)

Additional information from EDUCAUSE:

Additional FSA Cybersecurity Compliance information is available at https://ifap.ed.gov/eannouncements/Cyber.html