The Dear Colleague letter of July 29, 2015 (https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html) places specific requirements on institutions that handle Title IV data when they are signed up for SAIG (https://ifap.ed.gov/dpcletters/attachments/20152016SAIGFormWatermarked.pdf#page=31).
LETU InfoSec Compliance Reference: These requirements are outlined below and detailed in the LETU Information Security program & Compliance Reference.
2019: Additional information about the GLBA Safeguards FY19 Supplement is available here: https://er.educause.edu/blogs/2019/7/the-safeguards-rule-audit-objective-is-here
Control | Remediation |
---|---|
Develop, implement, and maintain a written information security program; | |
Designate the employee(s) responsible for coordinating the information security program; | Title IV Information Security Program Responsibilities |
Identify and assess risks to customer information; | Data Classification Standard; NIST Framework for Improving Critical Infrastructure Cybersecurity v1.1 (available internally) |
Design and implement an information safeguards program | Security Safeguards Program: Title IV Data; LETU Continuity Plan (available internally) |
Select appropriate service providers that are capable of maintaining appropriate safeguards; and | LETU HECVAT and Cloud Vendor Guidelines (required for approval of new Information Systems Vendors); Acceptable Use for Technology Systems http://www.letu.edu/start/publications/policy/letu-policy-handbook.pdf |
Periodically evaluate and update their security program. | Annual evaluation: Security Awareness Program: Title IV Data |
Additional FSA Cybersecurity Compliance information is available at https://ifap.ed.gov/eannouncements/Cyber.html