
Getting Started

The first step in developing compliance initiatives is to identify which laws, regulations, and policies apply to your institution. To that end, confer with your legal and/or audit departments, and review the Higher Education Compliance Alliance Matrix, our brief list of the most common federal data protection laws, and the EDUCAUSE Library Compliance page for additional guidance and resources.

  1. Identify key stakeholders and/or partners across the institution who regularly deal with institutional compliance issues (e.g., legal, risk management, privacy, audit). Key stakeholders may vary from campus to campus.

  2. Perform a high-level gap analysis of each applicable compliance requirement to determine where progress needs to be made.

  3. Develop a prioritized action plan that will help you organize your efforts (one section of your Information Security plan).

  4. Develop a policy, standard, roles and responsibilities, and/or procedures in collaboration with other key stakeholders at your institution.

  5. Take advantage of resources in the Guide such as the Information Security Policies, Privacy, and Risk Management chapters, as well as the HEISC GRC FAQ.

  6. Familiarize yourself with common standards and regulations that address specific requirements (e.g., PCI DSS, HIPAA, GLBA, NIST).

  7. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you with managing compliance. Visit the EDUCAUSE IT GRC Program for additional resources.


Learn more about the General Data Protection Regulation (GDPR) and how it may affect your institution starting in May 2018.
