Versions Compared

Old Version 40

changes.mady.by.user Valerie Vogel

Saved on

compared with

New Version 41

changes.mady.by.user Valerie Vogel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
Top
Top

Table of Contents

Anchor
Getting Started
Getting Started

Tip
titleGetting Started

The initial process in developing compliance initiatives is to identify which laws, regulations, and policies are applicable to your institution. To that end, confer with your legal and/or audit departments, and review the Higher Education Compliance Alliance Matrix, our brief list of the most common federal data protection laws, and the EDUCAUSE Library Compliance page for additional guidance and resources.

  1. Identify key stakeholders and/or partners across the institution who regularly deal with institutional compliance issues (e.g., legal, risk management, privacy, audit). Key stakeholders may vary from campus to campus.

  2. Perform a high level gap analysis of each compliance requirement that is applicable to determine where progress needs to be made.

  3. Develop a prioritized action plan that will help you organize your efforts (one section of your Information Security plan).

  4. Develop a policy, standard, roles and responsibilities, and/or procedures in collaboration with other key stakeholders at your institution.

  5. Take advantage of resources in the Guide such as the Information Security Policies, Privacy, and Risk Management chapters, as well as the HEISC GRC FAQ.

  6. Familiarize yourself with common standards and regulations that address specific requirements (e.g., PCI DSS, HIPAA, GLBA, NIST).

  7. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you with managing compliance. Visit the EDUCAUSE IT GRC Program for additional resources.

ComplianceTop of page

Anchor
Overview
Overview

Overview

Higher education institutions are subject to numerous laws, regulations, and contractual obligations that specify requirements related to the appropriate management and protection of diverse information sets.

...

  • Awareness of relevant regulations/laws. (Do you know what you need to follow?)
  • Awareness of relevant policies. (Do you know what institutional policies apply to information use?)
  • Awareness of relevant contractual agreements. (Do you know what agreements your institution has made that impose conditions on the use of data?)
  • Awareness of relevant standards or best practices. (Do you know what standards or best practices your institution chooses to follow with respect to information use?)
  • Management of institutional records. (Do you know what you need to keep and for how long?)
  • Awareness of how records are managed by your institution.
  • Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
  • Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)

Compliance Top of page

Anchor
Compliance
Compliance

Compliance with Legal and Contractual Requirements (ISO 18.1)

Panel
bgColor#FFFFCE

Objective: The goal of this section is to help outline effective practices for identifying compliance obligations, as well as the roles and responsibilities, activities, and controls needed to manage all of the institution’s legal, contractual, and records management requirements.

Identification of Applicable Legislation and Contractual Requirements

Legal requirements need to be explicitly identified and recognized and a plan in place for meeting applicable requirements.

...

Reference: Data Protection Contractual Language

Compliance Top of page

Intellectual Property Rights

Intellectual Property (IP) rights are a dominant issue at any institution of higher education. Institutions have many different types of research and proprietary information that can be protected via these rights. These rights are also attached to the different technologies that an institution might buy or license from others (and the rights are then protected via contract provisions). Appropriate controls to identify and protect intellectual property include:

...

Compliance Top of page

Protection of Organizational Records (Records Management)

Every institution deals with the issues inherent in managing organizational records and data, whether electronic or in paper. As part of the compliance controls at every institution, important records as well as records we are legally obligated to retain need to be protected from loss, destruction, and falsification.

...

  • Your institution's policies and guidelines on retention, storage, handling, and disposal of records should be reviewed. Oftentimes this will require a security control to ensure that these policies and guidelines are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.)
  • Policies that protect records from loss, destruction, or falsification.

Compliance Top of page

Regulation of Cryptographic Controls

Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. For more on this topic, visit the Encryption chapter.

Compliance Top of page

Anchor
Reviews
Reviews

Information Security Reviews (ISO 18.2)

Panel
bgColor#FFFFCE

Objective: Ensure that information security compliance requirements are effectively addressed and maintained over time.

In order to meet compliance requirements, it is necessary to continually review compliance methods, systems, and processes of departments that are affected by various policies, regulatory requirements, and laws to ensure that their approach to compliance is effective. For example, a particular credit card Point of Sale system (POS) can be implemented at a point in time on your campus, and your reviews may indicate that the application is in full compliance with PCI DSS. However, two years later, the payment application may no longer be considered fully compliant by the PCI SSC and if reviews aren't conducted on a recurring basis, this could result in noncompliance with PCI DSS requirements.

Compliance Top of page

Independent Review of Information Security

It is important to have unbiased reviews of information security organization programs and initiatives on a recurring basis in order to measure and ensure effectiveness. Often, these reviews are carried out by multiple parties: internal audit departments, external auditors, and assessments performed by contractors or consultants. It is also important that individuals performing reviews and assessments are qualified to do so. The primary objective of independent reviews is to measure effectiveness and ensure continuous improvements are made. In the event that your campus does not have an internal audit function, you may be able to develop a cooperative agreement with another campus or hire a consulting firm to conduct an audit and/or assessment of specific areas you need to have assessed. Note: For some institutions, an independent review may include representatives from legal counsel, an executive leadership team, and/or a system office.

Compliance Top of page

Compliance with Security Policies and Standards

Managers have compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards. Many campuses are considering the implementation of Governance, Risk, and Compliance (GRC) solutions to automate compliance reviews and reporting, as well as assisting with determining corrective actions that need to be managed. Take a look at the resource Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems to help you determine if a GRC system is a good investment for your information security program. EDUCAUSE has additional resources on IT GRC

Technical Compliance Reviews

Technical compliance reviews are also performed by many campuses. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information lifecycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a 'snapshot' at a point in time and must be repeated at recurring intervals in order to become an effective method or process.

Compliance Top of page

Anchor
Resources
Resources

Resources

Panel
bgColor#ADD8E6

Campus Case Studies On This Page
(lightbulb) Identity Finder at The University of Pennsylvania

HEISC Toolkits/Guides

EDUCAUSE Resources

Initiatives, Collaborations, & Other Resources

Compliance Top of page

Anchor
Standards
Standards

Standards

ISO

NIST

COBIT

PCI DSS

2014 Cybersecurity Framework

HIPAA Security

27002:2013 Information Security Management
Chapter 18: Compliance
ISO 27799:2008
ISO/IEC 27007:2011

800-100: Information Security Handbook: A Guide for Managers
800-53: Recommended Security Controls for Federal Information
Systems and Organizations
800-14: Generally Accepted Principles and Practices for Securing
Information Technology Systems

APO12.01
APO12.02
APO12.03
APO12.04
MEA03.01
MEA03.04

Req 3
Req 9
Req 12

ID.GV-3
ID.RA-1
PR.IP-4
PR.IP-12
DE.DP-2

None

ComplianceTop of page

...

(question) Questions or comments? (info) Contact us.

...