Security Safeguards Program: Title IV Data

Information Security program

The designated coordinator for LETU's Information Security program is the Chief Information Officer. Other roles are detailed at Title IV Information Security Program Responsibilities

Employee Training and Management

• Mandatory Cybersecurity Training / Security Awareness Program: Title IV Data (LETU Policy Handbook 6.11)
• Mandatory New Hire Background Checks
• FERPA Employee Reacknowledgement process (Annual)
• Annual Systems Re-Authorization/FERPA agreement (validation of employee access to specific functions and data, secure link requires login)
• Acceptable Use Policy for Technology (LETU Policy Handbook Policy 6.1)
• LETU Office Computer Local Access Rights (LETU Policy Handbook Policy 6.5)
• Security Policy (LETU Policy Handbook Policy 6.8.1)
• Social Engineering Prevention Policy (LETU Policy Handbook 6.10)
• Mandatory Employee Desktop Screen Timeout/Lock
• OneDrive and FERPA/HIPAA
• Leaked and Poor Password Detection and Prevention (Implemented via Azure AD Password Protection)
• New Employee Orientation (including CyberSecurity)
• National Cyber Security Awareness Month (NCSAM, October, Annually)
• PCI Compliance (Annual Employee Notification)

Information Systems including network and software design, as well as information processing, storage, transmission and disposal

• Multifactor Authentication (MFA) (Mandatory for all LETU employees and all remote access)
• Legacy Protocol Support Sunset (COMPLETE) (including email legacy support sunset)
• LETU PCI Compliance
• Mandatory physical destruction of retired storage media from systems containing protected data
• Off-site Data DR Solution
• Review and sign off by the LeTourneau Information Technology department in consultation with the functional area and in compliance with LETU Policy 6.6 Technology Purchases and Support for any software or system which handles PII / Title IV data and for the administration and maintenance plan for that system including incorporation of LETU's MFA, DLP and other Information Security Safeguards and measures.
• Role Segmentation and Least Privilege principles for ERP (CX) Roles and Functions
• Data Classification Policy (LETU Policy Handbook Policy 6.2)
• LETU Mobile Computing Encryption (LETU Policy Handbook Policy 6.4)
• Identifying and Remediating CDE Security Vulnerabilities (LETU Policy Handbook 542)
• CDE, PCI and Related Policies (LETU Policy Handbook Policies 6.8.1 - 6.8.6)
• Automated Account Mgmt Process (including Separating Employees)
• Network Operations Center (NOC) review of automated user and system risk dashboards

Detecting, preventing and responding to attacks, intrusions or other systems failures.

• Mandatory EDR/Antimalware Technology on LETU-owned systems
• Vulnerability Scanning for LETU server systems (Tenable.io)
• NCATS DHS External Scanning
• Log Analytics Central Log Aggregation
• Risky Sign-on Analysis and Alerting (including automated AI-based restrictions)
• LETU Information Technology Continuity Plan (Secure document: available internally)
• Data Loss Prevention (DLP)
• Intrusion Prevention System (IPS) including Botnet and other risk detection
• Logged Proximity-Card-Based Access Control Systems for LETU Datacenter
• Visual Security System for LETU Datacenter
• Annual Penetration Testing