Gramm-Leach-Bliley Act (GLBA)

In compliance with the Federal Trade Commission成人视频檚 Safeguards Rule and the , Lindenwood University (LU) created this document to summarize our Information Security Program (ISP).成人视频� This document describes the objectives of the GLBA standards safeguarding information (i) ensuring the security and confidentiality of student information, (ii) protecting against any anticipated threats or hazards to the security of such information, and (iii) protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student or individual.成人视频�舛寞&苍产蝉辫;

On December 9, 2021, the Federal Trade Commission (FTC) issued成人视频�成人视频�(Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act成人视频檚 (GLBA) requirements for protecting the privacy and personal information of consumers. The effective date for most of the changes to the Safeguards Rule is June 9, 2023.

Other Related Rules and Clarification

• Dear Colleague Letters
• Dear CPA Letter成人视频�
• CPA-19-01

Definition of 成人视频淐ustomer成人视频� for the purpose of GLBA Compliance

The regulations at 16 C.F.R. Part 314 use the terms 成人视频渃ustomer成人视频� and 成人视频渃ustomer information.成人视频� For the purpose of an institution or servicer成人视频檚 compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.成人视频�舛寞&苍产蝉辫;

Requirements in the GLBA Safeguards Rule成人视频� 

The objectives of the GLBA standards for safeguarding information are to 成人视频摮扇耸悠弹舛寞&苍产蝉辫;

• Ensure the security and confidentiality of student information.成人视频�
• Protect against any anticipated threats or hazards to the security or integrity of such information; and成人视频�
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).成人视频�舛寞&苍产蝉辫;

To achieve the GLBA objectives, LU and servicers are required to develop, implement, and maintain a written, comprehensive information security program. The FTC成人视频檚 regulations require that the information security program contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.成人视频�

厂肠辞辫别成人视频�

LU成人视频檚 written Information Security Program (ISP) includes the nine required elements included in .

Element 1 成人视频� 16 CFR 314.4(a)成人视频�

LU has designated the Chief Information Officer (CIO) as the Qualified Individual (QI) responsible for overseeing and implementing LU成人视频檚 ISP.成人视频�舛寞&苍产蝉辫;

Element 2 成人视频� 16 CFR 314.4(b)

LU intends, as part of the ISP, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromises of such information through a risk assessment.成人视频� In implementing the ISP, the QI establishes and maintains procedures for identifying and assessing such risks in each relevant area of the Institution成人视频檚 operations, including:

• Acceptable Use Policy
• Privacy and Personal Data Protection

Element 3 成人视频� 16 CFR 314.4(c) (1) through (8)成人视频�舛寞&苍产蝉辫;

LU will continue to monitor/provide each of the following:成人视频�舛寞&苍产蝉辫;

• Access controls and user limits on accessible data.
• Management of data, users, and systems consistent with risk strategy.
• Encryption of customer information in transit over external networks and at rest成人视频�.
• Secure development practices for in-house developed software and applications that access or transmit customer information.
• Implementation of multifactor authentication or reasonably equivalent access controls成人视频�.
• Procedures for the periodic and secure disposal of customer information and review of data retention policies成人视频�.
• Procedures for secure change management of systems成人视频�.
• Controls to monitor and log activities of users and detect unauthorized access成人视频�.

Element 4 成人视频� 16 CFR 314.4(d)成人视频�舛寞 

LU will regularly test and monitor the effectiveness of the safeguards成人视频� key controls, systems, and procedures.成人视频� This will be accomplished through annual penetration testing and vulnerability assessments preformed bi-yearly.成人视频�舛寞&苍产蝉辫;

Element 5 成人视频� 16 CFR 314.4(e)成人视频�舛寞&苍产蝉辫;

LU will employ only capable information security professionals who will be provided with training sufficient to address relevant security risks while staying current with the evolving information security environment.成人视频� LU will also provide relevant information security training to personnel at the University identified from the risk assessment.成人视频�舛寞&苍产蝉辫;

Element 6 成人视频� 16 CFR 314.4(f)成人视频�舛寞&苍产蝉辫;

The QI will ensure that LU will only select and retain those service providers that are capable of maintaining appropriate safeguards for nonpublic financial information of students and other third parties to which they will have access.成人视频� In addition, the QI works with University Legal Counsel to develop and incorporate standard, contractual protections applicable to third-party service providers, that require such providers to implement and maintain appropriate safeguards.成人视频�舛寞&苍产蝉辫;

Element 7 成人视频� 16 CFR 314.4(g)成人视频�舛寞&苍产蝉辫;

The QI is responsible for evaluating and adjusting the ISP based on any risks identified from testing, monitoring, and/or assessment activities.成人视频�舛寞成人视频�舛寞&苍产蝉辫;

Element 8 成人视频� 16 CFR 314.4(h)成人视频�舛寞&苍产蝉辫;

LU has a regularly updated and documented incident response plan that addresses:成人视频�舛寞&苍产蝉辫;

• The goals of the incident response plan.成人视频�
• The internal processes for responding to a security event.成人视频�
• The definition of clear roles, responsibilities, and levels of decision-making authority.成人视频�舛寞
• External and internal communications and information sharing.成人视频�
• Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.成人视频�
• Documentation and reporting regarding security events and related incident response activities; and成人视频�
• The evaluation and revision as necessary of the incident response plan following a security event成人视频�.

Element 9 成人视频� 16 CFR 314.4(i)成人视频�舛寞 

The QI will create a written report to be presented to the LU Board of Trustees at least annually.成人视频� The report will cover the overall status of the ISP and its compliance.成人视频� The report will also cover material matters related to the ISP, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses thereto, and recommendations for changes in the ISP.成人视频�舛寞舛寞&苍产蝉辫;

Last revised: May 2023