In compliance with the Federal Trade Commission’s Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), Lindenwood University (LU) created this document to summarize our Information Security Program (ISP). This document describes the objectives of the GLBA standards for safeguarding information: (i) ensuring the security and confidentiality of student information, (ii) protecting against any anticipated threats or hazards to the security of such information, and (iii) protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student or individual.
On December 9, 2021, the Federal Trade Commission (FTC) issued final regulations (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers. The effective date for most of the changes to the Safeguards Rule is June 9, 2023.
Other Related Rules and Clarification
Dear Colleague Letters
Dear CPA Letter
Definition of “Customer” for the purpose of GLBA Compliance
The regulations at 16 C.F.R. Part 314 use the terms “customer” and “customer information.” For the purpose of an institution or servicer’s compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.
Requirements in the GLBA Safeguards Rule
The objectives of the GLBA standards for safeguarding information are to –
- Ensure the security and confidentiality of student information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).
To achieve the GLBA objectives, LU and servicers are required to develop, implement, and maintain a written, comprehensive information security program. The FTC’s regulations require that the information security program contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.
LU’s written Information Security Program (ISP) includes the nine elements required by 16 CFR 314.4.
Element 1 – 16 CFR 314.4(a)
LU has designated the Chief Information Officer (CIO) as the Qualified Individual (QI) responsible for overseeing and implementing LU’s ISP.
Element 2 – 16 CFR 314.4(b)
LU intends, as part of the ISP, to identify and assess, through a risk assessment, the external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. In implementing the ISP, the QI establishes and maintains procedures for identifying and assessing such risks in each relevant area of the Institution’s operations, including:
Element 3 – 16 CFR 314.4(c)(1) through (8)
LU will continue to monitor/provide each of the following:
- Access controls and user limits on accessible data
- Management of data, users, and systems consistent with risk strategy
- Encryption of customer information in transit over external networks and at rest
- Secure development practices for in-house developed software and applications that access or transmit customer information
- Implementation of multifactor authentication or reasonably equivalent access controls
- Procedures for the periodic and secure disposal of customer information and review of data retention policies
- Procedures for secure change management of systems
- Controls to monitor and log activities of users and detect unauthorized access
Element 4 – 16 CFR 314.4(d)
LU will regularly test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures. This will be accomplished through annual penetration testing and vulnerability assessments performed bi-yearly.
Element 5 – 16 CFR 314.4(e)
LU will employ only capable information security professionals who will be provided with training sufficient to address relevant security risks while staying current with the evolving information security environment. LU will also provide relevant information security training to personnel at the University identified from the risk assessment.
Element 6 – 16 CFR 314.4(f)
The QI will ensure that LU will only select and retain those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which they will have access. In addition, the QI works with University Legal Counsel to develop and incorporate standard contractual protections, applicable to third-party service providers, that require such providers to implement and maintain appropriate safeguards.
Element 7 – 16 CFR 314.4(g)
The QI is responsible for evaluating and adjusting the ISP based on any risks identified from testing, monitoring, and/or assessment activities.
Element 8 – 16 CFR 314.4(h)
LU has a regularly updated and documented incident response plan that addresses:
- The goals of the incident response plan;
- The internal processes for responding to a security event;
- The definition of clear roles, responsibilities, and levels of decision-making authority;
- External and internal communications and information sharing;
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- Documentation and reporting regarding security events and related incident response activities; and
- The evaluation and revision, as necessary, of the incident response plan following a security event.
Element 9 – 16 CFR 314.4(i)
The QI will create a written report to be presented to the LU Board of Trustees at least annually. The report will cover the overall status of the ISP and its compliance. The report will also cover material matters related to the ISP, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the ISP.
Last revised: May 2023