Audit committee hears IT security update tied to Gramm-Leach-Bliley Act compliance

Austin Peay State University Board of Trustees Audit Committee · December 10, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

Chief Information Officer Sherry Loudermill told the Audit Committee the university has updated its risk register, completed tabletop exercises and a third-party penetration test, and reached a 94% employee completion rate for required information security training as part of Gramm-Leach-Bliley Act safeguards.

Dr. Sherry Loudermill, the university's chief information officer, told the Austin Peay State University Board of Trustees Audit Committee that the IT department has completed its annual information security update required under the Gramm-Leach-Bliley Act (GLBA).

The update matters because GLBA imposes safeguards on institutions that handle consumers' financial information; Loudermill said the law applies to the university "because our students receive federal financial aid." The CIO said IT has updated the risk register, completed tabletop exercises for cyber incidents and disasters, and maintains an information security program that documents GLBA safeguards compliance.

Loudermill said employees completed mandatory information-security training for the fifth year running, with a 94% completion rate; accounts for those who did not complete the training were removed until the training is finished. She also said the university completed a third-party network penetration test and is working to remediate the findings, completed a national cybersecurity review that enables requests for state and federal cyber grants, and finished a cyber quotient assessment that qualifies the university for state cyber insurance.

Among changes in 2025, Loudermill said the university added cybersecurity awareness training for affiliates, automated restrictions on accounts for users who miss training deadlines (restoring access automatically on completion), and merged the employee and student Microsoft tenants to improve monitoring of student Microsoft accounts. She described the automated account-restriction process as a staff time-saver.

The committee received the item as information; no formal action was requested or taken.