Table of Contents
- Getting Started
- Overview
- Compliance with Legal and Contractual Requirements (ISO 18.1)
- Information Security Reviews (ISO 18.2)
- Resources
- Standards
Tip: The initial process in developing compliance initiatives is to identify which laws, regulations, and policies are applicable to your institution. To that end, confer with your legal and/or audit departments, and review the Higher Education Compliance Alliance Matrix, our brief list of the most common federal data protection laws, and the EDUCAUSE Library Compliance page for additional guidance and resources.
Overview
Higher education institutions are subject to numerous laws, regulations, and contractual obligations that specify requirements related to the appropriate management and protection of diverse information sets.
...
- Awareness of relevant regulations/laws. (Do you know what you need to follow?)
- Awareness of relevant policies. (Do you know what institutional policies apply to information use?)
- Awareness of relevant contractual agreements. (Do you know what agreements your institution has made that impose conditions on the use of data?)
- Awareness of relevant standards or best practices. (Do you know what standards or best practices your institution chooses to follow with respect to information use?)
- Management of institutional records. (Do you know what you need to keep and for how long?)
- Awareness of how records are managed by your institution.
- Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
- Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)
Compliance with Legal and Contractual Requirements (ISO 18.1)
Objective: The goal of this section is to help outline effective practices for identifying compliance obligations, as well as the roles and responsibilities, activities, and controls needed to manage all of the institution's legal, contractual, and records management requirements.
Identification of Applicable Legislation and Contractual Requirements
Legal requirements need to be explicitly identified and recognized, and a plan needs to be in place for meeting each applicable requirement.
...
Reference: Data Protection Contractual Language
Intellectual Property Rights
Intellectual Property (IP) rights are a dominant issue at any institution of higher education. Institutions have many different types of research and proprietary information that can be protected via these rights. These rights are also attached to the different technologies that an institution might buy or license from others (and the rights are then protected via contract provisions). Appropriate controls to identify and protect intellectual property include:
...
- Copyright Support and Guides
- Copyright Act of 1976
- Copyright and Intellectual Property Policies
- Copyright Infringement
- Copyright Term Extension Act (CTEA)
- Digital Millennium Copyright Act (DMCA)
- Fair Use
- Intellectual Property
- Licensing
Protection of Organizational Records (Records Management)
Every institution deals with the issues inherent in managing organizational records and data, whether electronic or on paper. As part of the compliance controls at every institution, important records, as well as records the institution is legally obligated to retain, need to be protected from loss, destruction, and falsification.
...
- Your institution's policies and guidelines on retention, storage, handling, and disposal of records should be reviewed. Oftentimes this will require a security control to ensure that these policies and guidelines are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.)
- Policies that protect records from loss, destruction, or falsification.
Regulation of Cryptographic Controls
Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. For more on this topic, visit the Encryption chapter.
Information Security Reviews (ISO 18.2)
Objective: Ensure that information security compliance requirements are effectively addressed and maintained over time.
In order to meet compliance requirements, it is necessary to continually review the compliance methods, systems, and processes of departments that are affected by various policies, regulatory requirements, and laws to ensure that their approach to compliance is effective. For example, a particular credit card point-of-sale (POS) system can be implemented at a point in time on your campus, and your reviews may indicate that the application is in full compliance with PCI DSS. However, two years later, the payment application may no longer be considered fully compliant by the PCI SSC, and if reviews aren't conducted on a recurring basis, this could result in noncompliance with PCI DSS requirements.
Independent Review of Information Security
It is important to have unbiased reviews of the information security organization's programs and initiatives on a recurring basis in order to measure and ensure effectiveness. Often, these reviews are carried out by multiple parties: internal audit departments, external auditors, and contractors or consultants performing assessments. It is also important that individuals performing reviews and assessments are qualified to do so. The primary objective of independent reviews is to measure effectiveness and ensure that continuous improvements are made. In the event that your campus does not have an internal audit function, you may be able to develop a cooperative agreement with another campus or hire a consulting firm to conduct an audit and/or assessment of the specific areas you need to have assessed. Note: For some institutions, an independent review may include representatives from legal counsel, an executive leadership team, and/or a system office.
Compliance with Security Policies and Standards
Managers have compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards. Many campuses are considering the implementation of Governance, Risk, and Compliance (GRC) solutions to automate compliance reviews and reporting, as well as to assist with determining the corrective actions that need to be managed. Take a look at the resource Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems to help you determine if a GRC system is a good investment for your information security program. EDUCAUSE has additional resources on IT GRC.
Technical Compliance Reviews
Technical compliance reviews are also performed by many campuses. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information lifecycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a 'snapshot' at a point in time and must be repeated at recurring intervals in order to become an effective method or process.
Resources
- Campus Case Studies
- HEISC Toolkits/Guides
- EDUCAUSE Resources
- Initiatives, Collaborations, & Other Resources
Standards
| ISO 27002:2013 | NIST SP 800-100 | COBIT | PCI DSS | NIST CSF | |
|---|---|---|---|---|---|
| Information Security Management | Information Security Handbook: A Guide for Managers | APO12.01 | Req 3 | ID.GV-3 | None |
...
...