
Policy 5407: Information Security Program


Revision Date: 11/17/2025
Last Review: 11/17/2025
Responsible Office: Information Technology


Policy:

Louisiana Tech University maintains an Information Security Program to protect the security, confidentiality, and integrity of customer financial information in compliance with the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission’s Standards for Safeguarding Customer Information (16 CFR Part 314).

This program establishes a framework for safeguarding covered data obtained from students, parents, employees, and other individuals in connection with financial services provided by the University. It defines the administrative, technical, and physical safeguards required to:

  • Protect customer information against unauthorized access or disclosure.
  • Ensure the security and confidentiality of covered data.
  • Comply with applicable federal and state regulations, including the Family Educational Rights and Privacy Act (FERPA) when educational records contain financial information.

This policy applies to all University departments, employees, student workers, and service providers who access, process, or maintain covered data.

Definitions:

Covered Data and Information: For purposes of this policy, covered data refers to any nonpublic personal information, whether in paper, electronic, or other form, about a student, parent, employee, or other individual that is handled or maintained by the University in connection with providing a financial service or product. This includes information protected under the Gramm-Leach-Bliley Act (GLBA), such as student financial aid records, loan data, and payment information. It may also include educational records containing financial details that are protected under the Family Educational Rights and Privacy Act (FERPA).

Customer Information: Any record containing nonpublic financial information about an individual who receives a financial service or product from the University, maintained in any form (paper, electronic, or otherwise), by or on behalf of the University.

Information Security Program: The comprehensive set of administrative, technical, and physical safeguards established by the University to protect covered data and ensure compliance with the GLBA Safeguards Rule.

Procedures:

  1. Information Security Committee

The Information Security Committee (ISC) is established under the Office of Information Technology (OIT) to oversee and maintain Louisiana Tech University’s Information Security Program in compliance with the Gramm-Leach-Bliley Act (GLBA) and related federal requirements. The ISC ensures the protection of covered data obtained in connection with financial services, student financial aid, and other University operations. The Committee is chaired by the Director of Information Technology and includes representatives from Financial Aid, the Comptroller’s Office, Human Resources, the Registrar’s Office, Internal Audit, and University Police. Additional members may be appointed as needed to provide expertise in areas where covered data is stored, processed, or transmitted.

The Committee’s primary responsibilities include developing and maintaining the Information Security Program, identifying and assessing risks to covered data, and coordinating the implementation of safeguards across all departments. The ISC reviews University policies, procedures, and operational practices to ensure appropriate administrative, technical, and physical controls are in place. These controls include secure authentication, encryption, system monitoring, and incident response measures. The Committee also oversees employee awareness and training efforts to promote proper data handling, breach reporting, and compliance with University security requirements.

In addition to internal oversight, the ISC is responsible for reviewing and monitoring third-party service providers who have access to covered data to ensure compliance with GLBA and University standards. The Committee meets at least annually to evaluate the effectiveness of the Information Security Program, review any incidents or risks identified during the year, and recommend updates to address emerging cybersecurity threats or regulatory changes. Through these ongoing efforts, the Information Security Committee provides leadership and accountability for safeguarding the University’s financial and confidential information.

  1. Information Security Committee

Louisiana Tech University conducts ongoing risk assessments to identify and evaluate internal and external risks that could compromise the security, confidentiality, or integrity of covered data. These assessments are designed to ensure that appropriate safeguards are implemented to protect customer information handled by the University in connection with financial services and student financial aid. The risk assessment process is coordinated by the Office of Information Technology (OIT) under the oversight of the Information Security Committee (ISC).

The risk assessment process involves identifying reasonably foreseeable threats such as unauthorized access, system failure, human error, or malicious activity, and analyzing the adequacy of existing controls to mitigate those risks. Each department that maintains or processes covered data is responsible for participating in this process by evaluating its systems, procedures, and data handling practices. Areas of review include employee access controls, network and system security, storage and transmission of data, physical protection of records, and procedures for the secure disposal of confidential information.

Following each assessment, findings are documented and used to guide the implementation or enhancement of administrative, technical, and physical safeguards. The ISC reviews assessment results to ensure that high-risk areas receive appropriate attention and resources. Risk assessments are conducted at least annually or whenever significant changes occur to the University’s information systems, technology infrastructure, or regulatory environment. Through this proactive approach, Louisiana Tech University maintains a continuous process of identifying and addressing security risks to uphold the protection of covered data and comply with GLBA and other applicable data protection requirements.

  1. Information Safeguard and Monitoring 

Louisiana Tech University maintains administrative, technical, and physical safeguards to protect covered data from unauthorized access, disclosure, alteration, or destruction. These safeguards, coordinated by the Office of Information Technology (OIT) and the Information Security Committee (ISC), ensure compliance with the Gramm-Leach-Bliley Act (GLBA). Administrative measures include role-based access controls, employee background verification, and required security awareness training. Technical protections involve system security configurations, firewalls, encryption of data in transit and at rest, and regular software updates. Physical safeguards restrict access to secure areas, protect equipment, and ensure proper disposal of confidential information. The University also conducts periodic monitoring and testing to evaluate safeguard effectiveness, address vulnerabilities, and maintain the ongoing confidentiality and integrity of covered data.

  1. Employee Management and Training 

Louisiana Tech University recognizes that employees and student workers play a critical role in safeguarding covered data. All personnel with access to such information must complete periodic information security awareness training administered by the Office of Information Technology (OIT) under the oversight of the Information Security Committee (ISC). Training emphasizes the proper handling, storage, and transmission of customer information; recognizing and reporting potential security incidents; and understanding responsibilities under the Gramm-Leach-Bliley Act (GLBA), FERPA, and University policy.

Supervisors are responsible for ensuring that only authorized personnel have access to covered data and that employees adhere to all established security procedures. Employment practices, including background verification, access provisioning, and termination protocols, are structured to reduce the risk of unauthorized access or misuse of sensitive information.

  1. Information Systems

Louisiana Tech University’s information systems encompass the design, operation, and maintenance of network and software infrastructure, as well as the processing, storage, transmission, retrieval, and disposal of covered data. The Office of Information Technology (OIT) ensures that these systems are reasonably designed to limit unauthorized access, use, or disclosure of confidential information. This includes implementing layered access controls, network segmentation, and continuous monitoring to detect and prevent malicious activity. Systems are maintained with current security patches, up-to-date antivirus protection, and regular vulnerability testing to ensure ongoing compliance with the Gramm-Leach-Bliley Act (GLBA).

Safeguards for processing and storing covered data include requiring all electronic data to be entered into secure, password-protected systems and transmitted using encrypted connections. Covered data must not be stored on unsecured portable devices or external drives. When disposal is necessary, electronic media are securely erased or destroyed to prevent data recovery, and physical records are shredded or disposed of following the University’s document retention and disposal policy. Physical storage areas for confidential information must be secured against unauthorized access and protected from environmental risks such as fire or water damage. The University also maintains an inventory of systems and devices containing covered data and ensures that all measures are in place to protect the confidentiality, integrity, and availability of such data throughout its life cycle.

  1. Managing System Failures

Louisiana Tech University maintains effective systems and procedures to prevent, detect, and respond to technological failures, cyberattacks, and other events that could compromise covered data. The Office of Information Technology (OIT), under the oversight of the Information Security Committee (ISC), ensures that safeguards are in place to protect against data loss, corruption, or unauthorized disclosure resulting from hardware or software malfunction, power interruptions, or security breaches. The University employs preventive measures such as continuous system monitoring, intrusion detection, network firewalls, antivirus software, and regular updates to correct vulnerabilities and maintain system integrity.

In the event of a system failure or security incident, the University follows established procedures to isolate affected systems, restore operations, and protect covered data from further compromise. Backup and recovery systems are maintained to ensure data availability, and critical systems are regularly tested for reliability. The University also conducts routine evaluations of system resilience and disaster recovery capabilities to verify that safeguards remain effective and responsive to emerging threats. Through these measures, Louisiana Tech University ensures the continuity, reliability, and protection of its information systems and the covered data they support.

  1. Monitoring and Testing 

Louisiana Tech University regularly monitors and tests its information security safeguards to ensure they are effective and operate as intended. Ongoing evaluations are conducted to identify weaknesses, verify compliance with established policies, and confirm that controls continue to protect covered data against unauthorized access or misuse. Monitoring activities may include system audits, access reviews, vulnerability scanning, and the review of security event logs. 

The frequency and scope of testing are determined by the sensitivity of the data, prior assessment results, and technological changes. When deficiencies are identified, corrective actions are implemented promptly to maintain the confidentiality, integrity, and availability of covered data. This continuous evaluation process ensures that University safeguards remain resilient and responsive to evolving security threats.

  1. Reporting

Louisiana Tech University maintains a structured process for documenting and reporting on the effectiveness of its Information Security Program. Regular reports summarize the results of risk assessments, safeguard testing, and monitoring activities, as well as any incidents or identified areas for improvement. These reports are reviewed by university leadership to ensure that appropriate corrective measures are implemented and that the program remains compliant with applicable laws and institutional standards. Annual summaries provide an overview of the University’s information security posture, highlight progress toward strategic objectives, and support continued accountability for the protection of covered data.

  1. Service Providers

Louisiana Tech University ensures that all third-party service providers with access to covered data maintain appropriate safeguards consistent with university standards and the Gramm-Leach-Bliley Act (GLBA). Before entering into any agreement, the University evaluates the provider’s ability to protect confidential information through a review of its security practices, privacy controls, and compliance history. Contracts with service providers must include provisions requiring the protection of covered data, restrictions on its use or disclosure, and prompt notification of any suspected or confirmed security incidents.

Service providers are subject to periodic review to verify that security measures remain effective and compliant with contractual and regulatory obligations. The University reserves the right to require corrective actions or terminate agreements with providers that fail to meet established security standards. Through these oversight measures, Louisiana Tech University ensures that the confidentiality and integrity of covered data are maintained throughout all third-party relationships.

  1. Program Maintenance 

Louisiana Tech University’s Information Security Program is a living framework that is reviewed and updated regularly to ensure continued effectiveness and compliance with federal and institutional requirements. The University evaluates the program at least annually, or whenever significant changes occur in technology, operations, or regulatory guidance. Updates may include revisions to policies, procedures, training, or technical safeguards based on risk assessments, audit findings, or emerging cybersecurity threats.

All modifications to the program are documented and approved through the University’s established policy review process to maintain consistency and accountability. By maintaining an adaptive and responsive program, Louisiana Tech University ensures that its information security practices continue to protect covered data and support the University’s mission of safeguarding the privacy and trust of its community.

  1. Roles and Responsibilities 

The effectiveness of Louisiana Tech University’s Information Security Program depends on the active participation and cooperation of all members of the University community. Each administrative unit and individual employee shares responsibility for protecting covered data and maintaining compliance with federal and institutional standards.

Deans, Directors, and Department Heads are responsible for designating appropriate personnel within their areas to ensure adherence to the Information Security Program. They must promote security awareness, verify that safeguards are properly implemented, and ensure that employees under their supervision follow established procedures for handling confidential information.

Employees and Student Workers who have access to covered data must comply with all University security policies and procedures. They are expected to handle information responsibly, report any suspected security incidents immediately, and complete required information security training as part of their job duties.

The Information Security Committee oversees the development, implementation, and maintenance of the Information Security Program and advises University leadership on matters affecting information security and regulatory compliance.

The Chief Information Security Officer is responsible for managing the technical and operational aspects of the University’s information security safeguards. This includes enforcing security standards, monitoring systems for compliance, responding to incidents, and coordinating investigations when breaches or violations occur.

Together, these roles ensure that Louisiana Tech University maintains a comprehensive and coordinated approach to protecting covered data and fulfilling its obligations under the Gramm-Leach-Bliley Act (GLBA) and related privacy requirements.

  1. Policies 

Louisiana Tech University maintains several related policies and procedures that support and strengthen the Information Security Program. These policies collectively promote the confidentiality, integrity, and availability of institutional data, and ensure compliance with applicable federal and state regulations, including the Gramm-Leach-Bliley Act (GLBA) and the Family Educational Rights and Privacy Act (FERPA).

The following University policies relate directly to information security and data protection:

  • 1409: Guidelines for Unclassified Personnel Files
  • 2213: Policy Concerning Student Social Security Numbers
  • 2302: Campus Computer Use Policy
  • 2303: Policies on Internet Use
  • 2304: Ethical and Legal Use of Computer Software for Members of the Academic Community
  • 2308: Medical History Disclosure
  • 3102: Records Information Policy
  • 6100: Student Handbook
  • 6303: Family Educational Rights and Privacy Act (FERPA)

These policies, along with the University’s Information Security Program, establish a comprehensive framework for safeguarding institutional and personal information in all forms: electronic, physical, and verbal.