Title IV: Department of Education Requirements

LETU InfoSec Compliance Reference: These requirements are outlined below and detailed in the LETU Information Security program & Compliance Reference.

2019: Additional information about the GLBA Safeguards FY19 Supplement is available here: https://er.educause.edu/blogs/2019/7/the-safeguards-rule-audit-objective-is-here

Control	Remediation
Develop, implement, and maintain a written information security program;	LETU Information Security Program & Compliance Reference Security Awareness Program: Title IV Data
Designate the employee(s) responsible for coordinating the information security program;	Title IV Information Security Program Responsibilities
Identify and assess risks to customer information;	Data Classification Standard http://www.letu.edu/start/publications/policy/letu-policy-handbook.pdf Annual Risk Assessment (available internally) NIST Framework for Improving Critical infrastructure CyberSecurity v1.1 (available internally)
Design and implement an information safeguards program	Security Safeguards Program: Title IV Data LETU Continuity Plan (available internally)
Select appropriate service providers that are capable of maintaining appropriate safeguards; and	LETU HECVAT and Cloud Vendor Guidelines (Required for approval of new Information Systems Vendors) Acceptable Use for Technology Systems http://www.letu.edu/start/publications/policy/letu-policy-handbook.pdf
Periodically evaluate and update their security program.	Annual evaluation: Security Awareness Program: Title IV Data

Additional FSA Cybersecurity Compliance information is available at https://ifap.ed.gov/eannouncements/Cyber.html

;