In compliance with the Federal Trade Commission’s Safeguards Rule and the , ²Ø¾«¸ó (LU) created this document to summarize our Information Security Program (ISP).  This document describes the objectives of the GLBA standards for safeguarding information: (i) ensuring the security and confidentiality of student information, (ii) protecting against any anticipated threats or hazards to the security of such information, and (iii) protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student or individual.
On December 9, 2021, the Federal Trade Commission (FTC) issued  (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act’s (GLBA) requirements for protecting the privacy and personal information of consumers. The effective date for most of the changes to the Safeguards Rule is June 9, 2023.
The regulations at 16 C.F.R. Part 314 use the terms “customer” and “customer information.” For the purpose of an institution or servicer’s compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.
The objectives of the GLBA standards for safeguarding information are to –
To achieve the GLBA objectives, LU and servicers are required to develop, implement, and maintain a written, comprehensive information security program. The FTC’s regulations require that the information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information. 
LU’s written Information Security Program (ISP) includes the nine required elements included in .
LU has designated the Chief Information Officer (CIO) as the Qualified Individual (QI) responsible for overseeing and implementing LU’s ISP.
As part of the ISP, LU intends to identify and assess, through a risk assessment, external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.  In implementing the ISP, the QI establishes and maintains procedures for identifying and assessing such risks in each relevant area of the Institution’s operations, including:
LU will continue to monitor/provide each of the following:
LU will regularly test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures.  This will be accomplished through annual penetration testing and vulnerability assessments performed bi-yearly.
LU will employ only capable information security professionals who will be provided with training sufficient to address relevant security risks while staying current with the evolving information security environment.  LU will also provide relevant information security training to personnel at the University identified from the risk assessment.
The QI will ensure that LU will only select and retain those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access.  In addition, the QI works with University Legal Counsel to develop and incorporate standard, contractual protections applicable to third-party service providers, that require such providers to implement and maintain appropriate safeguards.
The QI is responsible for evaluating and adjusting the ISP based on any risks identified from testing, monitoring, and/or assessment activities.
LU has a regularly updated and documented incident response plan that addresses:
The QI will create a written report to be presented to the LU Board of Trustees at least annually.  The report will cover the overall status of the ISP and its compliance.  The report will also cover material matters related to the ISP, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the ISP.
Last revised: May 2023