A) Compliance Requirements for Technology Purchases
Critical Business Systems WITH PCI, FERPA, HIPAA, PII
For any systems or cloud services hosting business or academic processes that in any way involve student or employee data, or that otherwise require PCI, FERPA, GLBA, HIPAA and/or other regulatory compliance, one of the following sets of conditions must be fully completed by the requester and the proposed provider, and approved by IT, before the solution is purchased. This is a federal government requirement related to Title IV / GLBA compliance.
IT will assist where possible in guiding the requester and vendor through any questions they may have in this regulatory compliance process and in finding the most expedient path to a compliant solution.
Submit the information below directly via email to ServiceDesk@letu.edu, or email that same address to request further consultation as you prepare it.
1) HECVAT + LETU Cloud Guidelines
- LETU Guidelines for Implementing Cloud Applications (attached document)
  (These guidelines should be completed to the best of the provider's ability. They help LETU identify follow-up questions. It is okay to leave lines blank if the vendor has no response; we will let them know if that causes concerns for your business need.)
- HECVAT Full Form (EDUCAUSE-provided security and business continuity evaluation)
  https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
- All requirements under (B) General Purchasing Requirements below
 
 - or -
2) TX-RAMP + LETU Cloud Guidelines
- LETU Guidelines for Implementing Cloud Applications (attached document)
  (These guidelines should be completed to the best of the provider's ability. They help LETU identify follow-up questions. It is okay to leave lines blank if the vendor has no response; we will let them know if that causes concerns for your business need.)
- TX-RAMP Level 2 Certification for any solution storing or transmitting protected consumer/student information (TX-RAMP Certified Cloud Products)
  (TX-RAMP certification will typically eliminate a number of required questions from the LETU Guidelines document.)
- All requirements under (B) General Purchasing Requirements below
 
 - or -
3) GLBA Self-Attestation
  (Non-preferred. This option may not be used for certain types of data. Options 1 and 2 are preferred in all cases, and option 3 may be used only where those options are not possible. IT must approve use of this option for any vendor.)
- LETU Guidelines for Implementing Cloud Applications (attached document)
- All requirements under (B) General Purchasing Requirements below
- Satisfactory response to the self-attestation letter, as follows:
 The Department of Education has updated its requirements to reference and incorporate the FTC's most current version of the "Standards for Safeguarding Customer Information", commonly known as the Safeguards Rule, which is part of the Gramm-Leach-Bliley Act (GLBA).
 
 The effective date for most of the changes to the Safeguards Rule that apply to DOE-regulated institutions receiving federal financial aid funding was June 9, 2023.
 
 As an institution we must document compliance with these regulations by collecting confirmation from every software vendor LETU uses to manage, store, or transmit student data. Each vendor must confirm either that its products and services comply with the requirements of the updated Title IV/GLBA Safeguards Rule, or that it is exempt because it does not handle regulated student data; in the latter case we need a statement to that effect from the provider.
 
 The questions we need answered as part of that final compliance process are below.
 
 1.    Does your product transmit or store any data unique to specific current, former or prospective students, including but not limited to any PII, FERPA, GLBA or other protected information? If so, does it transmit this data, store it, or both?
 2.    Does your solution enforce the use of MFA for access to the data above?
 3.    Does your solution encrypt all such data in transit?
 4.    Does your solution encrypt all such data at rest?
 
 Thank you for your assistance in this important process,
-----------------------------------------------------------------------------
Critical Business Systems WITHOUT PCI, FERPA, HIPAA, PII
For any systems or cloud services hosting important business processes that do not involve PII and do not require PCI, FERPA and/or HIPAA compliance, the following documents must be completed and approved by IT before purchasing the solution:
- LETU Guidelines for Implementing Cloud Applications (attached document)
- HECVAT Lite or TX-RAMP Level 1
- All requirements under (B) General Purchasing Requirements below
 
 - or -
 
- Minimum Viable Secure Product (mvsp.dev)
  (The LETU InfoSec Council will determine whether HECVAT Lite or MVSP is to be used for non-PCI/FERPA/HIPAA needs.)
- All requirements under (B) General Purchasing Requirements below
 
 - or -
 
- TX-RAMP Level 2 Certification
- All requirements under (B) General Purchasing Requirements below
 
Non-Critical Business Systems WITHOUT PCI, FERPA, HIPAA, PII
For any systems or cloud services hosting non-critical processes without security, business continuity, or student data concerns, the following must be completed and approved by IT before purchasing the solution:
B) General Purchasing Requirements
- Notify the Purchasing Office of any purchase expected to exceed $2,000.
- Purchasing Office and IT approval are required for any cloud, software or other technology purchase at or above $2,000.
- IT approval is required for any cloud, software or other technology purchase below $2,000.
- Documentation of the following areas not currently answered in the HECVAT (can be requested separately in an email to the vendor):
  - Total cost and renewal period, along with any trial period (what is our commitment and our ability to move in a different direction)
  - SLAs (what availability can LETU expect, and what will be credited to us if SLAs are not met)
  - Specific references (which peers or other customers have confirmed the product is effective and reliable)
  - Training (who is responsible for support and training questions on the solution)
  - Local client configuration (what requirements does the solution impose on local devices)
  - Email/Texting (SPF/DKIM) (if the solution sends email or text messages on LETU's behalf, does it support SPF/DKIM for our domain, and is that capability compliant with applicable regulations and policies)
  - Competitors (what alternatives were considered, and how did they compare)