The Dear Colleague letter of July 29, 2015 (https://ifap.ed.gov/dpcletters/GEN1518.html and https://ifap.ed.gov/dpcletters/GEN1612.html) sets specific requirements for institutions that handle Title IV data and have signed up for SAIG (https://ifap.ed.gov/dpcletters/attachments/20152016SAIGFormWatermarked.pdf#page=31).
LETU InfoSec Compliance Reference: These requirements are outlined below and detailed in the LETU Information Security program & Compliance Reference.
2019: Additional information about the GLBA Safeguards FY19 Supplement is available here: https://er.educause.edu/blogs/2019/7/the-safeguards-rule-audit-objective-is-here
|Develop, implement, and maintain a written information security program;|
|Designate the employee(s) responsible for coordinating the information security program;||Title IV Information Security Program Responsibilities|
|Identify and assess risks to customer information;||Data Classification Standard; NIST Framework for Improving Critical Infrastructure Cybersecurity v1.1 (available internally)|
|Design and implement an information safeguards program||LETU Continuity Plan (available internally)|
|Select appropriate service providers that are capable of maintaining appropriate safeguards; and||Acceptable Use for Technology Systems: http://www.letu.edu/start/publications/policy/letu-policy-handbook.pdf|
|Periodically evaluate and update their security program.||Annual evaluation: Security Awareness Program: Title IV Data|
Additional FSA Cybersecurity Compliance information is available at https://ifap.ed.gov/eannouncements/Cyber.html