Page History

Table of Contents

• #Overview | #Standards | #Getting Started | #ResourcesGetting Started | Overview | Resources | Standards
• Compliance with Legal and Contractual Requirements (ISO 18.1)
• Information Security Reviews (ISO 18.2)

Overview

The ultimate backbone of higher education is information. Each institution gathers, stores, analyzes, retrieves and secures the information necessary for the proper functioning of all aspects of the mission of higher education. Without continued and uninterrupted access to that information, as well as assurances that the information is secure and reliable, we would be unable to fulfill our educational, research, and service missions.

Protecting the information against the backdrop of this institutional mandate are the various laws, regulations, contractual requirements and security controls which are part of the fabric of each institution. As part of our risk management efforts, they act as controls that help enhance your organization's reputation and minimize risk and other negative consequences by ensuring compliance with the law and signed contractual agreements. However, understanding what you need to know and what your organization needs to do to maintain compliance is sometimes a difficult road. The path to establishing these controls takes a complete look at the areas in which your institution has responsibilities, whether legal or contractual. The context in which information is created, received, stored and destroyed must be known intimately before compliance activities can effectively take shape.

This section of resources is intended to serve as a guide-map in your continued quest for compliance. Specific guidance should be sought from legal counsel employed by your university.

Important elements to consider when developing a compliance framework include the following:

• Awareness of relevant regulations/laws. (Do you know what you need to follow?)
• Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
• Management of institutional records. (Do you know what you need to keep and for how long?)
• Awareness of how records are managed by your institution.

#Top of page

...

Standards

#Top of page

...

#Top of page

...

Compliance with Legal and Contractual Requirements (ISO 18.1)

Identification of Applicable Legislation and Contractual Requirements

Your institution needs to identify all relevant statutory, regulatory, and contractual rights, as well as your approach to meeting these requirements. The legal requirements need to be explicitly identified and recognized and a plan in place for meeting applicable requirements.

To meet this part of compliance, controls should be developed which:

1. Identify the persons or person responsible for ascertaining the legal requirements. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

Initially on the legal and regulatory side, EDUCAUSE has identified a group of federal laws and sample contract clauses as shown below:

• Family Educational Rights and Privacy Act (FERPA)
• Human Subjects Research
• Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules
• Payment Card Industry Data Security Standards (PCI DSS)
• Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act; GLB Act; GLBA) Safeguards Rule
• Fair and Accurate Credit Transactions Act of 2003 (FACT Act; FACTA) which amended the Fair Credit Reporting Act (FCRA), and amendments thereof, including Red Flags Rule (Identity Theft Prevention Program)
• Standard Confidentiality Agreement or Statement
• Standard Terms and Conditions for Doing Business With XYZ University - Contractual Terms (e.g., Indiana University)
• Higher Education Opportunities Act of 2008 (HEOA) Technology Mandates (Including: illegal peer-to-peer file sharing, emergency notification, and distance education student verification.)

Top of page

Overview

Higher education institutions are subject to numerous laws, regulations, and contractual obligations that specify requirements related to the appropriate management and protection of diverse information sets.

Understanding and maintaining compliance with these different requirements is sometimes a difficult road. The path to establishing compliance takes a complete look at the areas in which your institution has responsibilities, whether legal, regulatory, contractual, or self-imposed.

This section of resources is intended to serve as a roadmap in an institution's quest for compliance. This resource is not intended to serve as legal advice. Specific guidance for specific institutional issues should be sought from campus legal counsel.

Important elements to consider when developing a plan for compliance management include the following:

• Awareness of relevant regulations/laws. (Do you know what you need to follow?)
• Awareness of relevant policies. (Do you know what institutional policies apply to information use?)
• Awareness of relevant contractual agreements. (Do you know what agreements your institution has made that impose conditions on the use of data?)
• Awareness of relevant standards or best practices. (Do you know what standards or best practices your institution chooses to follow with respect to information use?)
• Management of institutional records. (Do you know what you need to keep and for how long?)
• Awareness of how records are managed by your institution.
• Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
• Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)

Top of page

Compliance with Legal and Contractual Requirements

Identification of Applicable Legislation and Contractual Requirements

Legal requirements need to be explicitly identified and recognized and a plan in place for meeting applicable requirements.

To meet this part of compliance, controls should be developed which:

1. Identify the persons or person responsible for ascertaining the legal requirements. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

EDUCAUSE has identified a group of federal laws and sample contract clauses to help start you on this task:

• Family Educational Rights and Privacy Act (FERPA)
• Human Subjects Research, including the Federal Policy for the Protection of Human Subjects ("Common Rule"). Note that different federal agencies may have slightly different rules regarding human subjects research. Always check with your institutional research review board for additional guidance in this area.
• Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Note that HHS developed a free security risk assessment tool.
• Payment Card Industry Data Security Standards (PCI DSS)
• Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act; GLB Act; GLBA) Safeguards Rule
• Fair and Accurate Credit Transactions Act of 2003 (FACT Act; FACTA) which amended the Fair Credit Reporting Act (FCRA), and amendments thereof, including Red Flags Rule (Identity Theft Prevention Program)
• Standard Confidentiality Agreement or Statement
• Higher Education Opportunities Act of 2008 (HEOA) Technology Mandates (Including: illegal peer-to-peer file sharing, emergency notification, and distance education student verification.)
• International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) (e.g., Baylor University's Export Compliance Policy and Purdue University's Export Control Regulations)
• Digital Millennium Copyright Act (DMCA)

Additionally, nearly each Additionally, nearly each state has breach laws, personal information protection laws, social security protections laws, or other laws related to technology furnished at every institution. Each state must be taken as its own legal island and an institution must know if any of the following impact or enhance security efforts:

• State Security Breach Notification Laws - (e.g., Iowa - Iowa Code § 715C.1 or Texas - Tex. Bus. & Com. Code § 521.03)
• State Computer Hacking and Unauthorized Access Laws (e.g., Arizona - Ariz. Rev. Stat. Ann. § 13-2316)
• State Cyberstalking (e.g., Arkansas Code § 5-41-108), Cyberharassment (e.g., Hawaii - Hawaii Rev. Stat. § 711-1106) and Cyberbullying (e.g., North Carolina - N.C. Gen. Stat. §§ 14-458.1, 115C-407.15-17) Laws

• Wiki Markup
  State Laws Related to Internet Privacy - (e.g., Delaware - [19-7-705|http://delcode.delaware.gov/title19/c007/sc01/index.shtml#705] \[Employee E-Mail Communications\]) or Minnesota - [325M.01 to .09|http://www.revisor.leg.state.mn.us/stats/325M] \[Privacy of Personal Information\])

• Uniform Electronic Transactions Act States (e.g., Florida - Fla. Stat. §668.50)
• State Laws Relating to Data Disposal (e.g. Connecticut - Conn. Gen. Stat. Ann. §42-471)
• State Spyware Laws (e.g. Indiana - Ind. Code § 24-4.8-1et seq.)
• State Phishing Laws (e.g., Illinois - 740 ILCS §§ 7/1 - 7/15)
• State Virus/Contaminant/Destructive Transmission Laws (e.g., Georgia - Ga. Code Ann. § 16-9-153 (a) (1) (A) - See SB 127(2005))
• State Legislation Related to "Sexting" (e.g., North Dakota - H.B. 1371)
• State Consumer Report Security Freeze Laws (e.g., Virginia - 2009 Chapter 406, Va. Code §59.1-444.1, Va. Code §59.1-444.2, and Va. Code §59.1-444.3)
• State "Copier" Laws (e.g., New York)

The National Conference on State Legislatures site is a good starting place to research the laws relating to your state.

2. Identify the persons or person responsible for reviewing contracts to determine any information security requirements, whether they are requirements of the institution or requirements of the vendor. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

On the contract side it will require a reading of each and every contract which involves the various tasks that may impact information in your institution. Contracts have a way of being more complex than they need to be, but each contract should ultimately state what each party has as their responsibilities, as well as who is assigned liability in contemplated (or even not contemplated) events under the contract. It is crucial to know what your contractual responsibilities are so that you can look at physical and technical controls you have in place and determine if they are adequate for the assumed contractual liability. Reference: Data Protection Contractual Language

#Top of page

Intellectual Property Rights

Intellectual Property (IP) requirements are a dominant issue at any institution of higher education. They become an information security issue when intellectual property laws, contracts, or licenses/patents require an institution to keep matters confidential or to assure that copyright or other laws are not violated with regard to intellectual property. Appropriate controls to assure compliance with these laws need to be in place, including:

• An intellectual property rights compliance policy (which meets copyright policy requirements of certain laws);
• Ensuring proper use of software and other technology licenses;
• Education and awareness on respecting IP rights;
• Keeping track of IP assets.

EDUCAUSE has significant IP and Copyright resources:

• Copyright
• Copyright Act of 1976
• Copyright and Intellectual Property Policies
• Copyright Infringement
• Copyright Term Extension Act (CTEA)
• Copyright Tutorials
• Digital Millennium Copyright Act (DMCA)
• Fair Use
• Intellectual Property
• Licensing

#Top of page

Protection of Organizational Records (Records Management)

Every institution deals with the issues inherent in managing organizational records and data, whether electronic or in paper. As part of the compliance controls at every institution, important records as well as records we are legally obligated to retain need to be protected from loss, destruction, and falsification.

ISO has a separate standard, ISO 15489 "Information and Documentation — Records Management". This standard goes into greater detail about how an institution recognizes the context in which records are created, received, used, stored, and destroyed as an implicit part of the data governance process.

This "records management" function may be placed anywhere in an institution, and sometimes it is part of an institution's IT structure. Regardless, records management has components of compliance that are unavoidable.

EDUCAUSE has excellent materials on records management, including an Electronic Records Management Toolkit. Regardless of the ownership of this function at your institution, as part of your information security purview there are information security considerations you need to be aware of:

• Your institution's policies and guidelines on retention, storage, handling, and disposal of records should be reviewed. Oftentimes this will require a security control to ensure that these policies and guidelines are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.)
• Policies that protect records from loss, destruction, or falsification.

#Top of page

Data Protection and Privacy of Personal Information (Records Management)

The data every institution uses in its mission of teaching is a valuable resource that needs to be protected commensurate with how it is classified. Students and staff entrust the institution with a given data set and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given.

To do this, each institution has to govern the data it uses so that it will be received, made, used, stored, shared, or destroyed in a purposeful manner which recognizes the pact to protect data in an institution's daily mission. Areas to consider in a data governance program include:

• Sensitivity Level. An institution should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set. EDUCAUSE has excellent materials, including the Data Classification Toolkit.
• Retention Period. Consistent with records management practices, an institution needs to be aware of the period in which data is to be retained, to assure that data's availability and integrity for that retention period.
• Data Utilization. In every part of an institution that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging, and auditing.
• Data Back-up. How an institution creates back-up copies of data and software is a critical element. Procedures need be in place that memorialize and verify the implementation and inventory of back-up copies.
• Management of Storage Media. Processes to ensure proper management of storage media, including restrictions of types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
• Electronic Data Transfers.
• Disposal of Media. Visit the Guidelines for Information Media Sanitization for current practices and recommendations.

#Top of page

Regulation of Cryptographic Controls

Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. For more on this topic, visit the Cryptography chapter.

#Top of page

...

Information Security Reviews (ISO 18.2)

In order to meet compliance requirements, it is necessary to continually review compliance methods, systems, and processes of departments that are affected by various policies, regulatory requirements, and laws to ensure that their approach to compliance is effective. For example, a particular credit card Point of Sale system (POS) can be implemented at a point in time on your campus, and your reviews may indicate that the application is in full compliance with PCI DSS. However, two years later, the payment application may no longer be considered fully compliant by the PCI SSC and if reviews aren't conducted on a recurring basis, this could result in non-compliance with PCI DSS requirements.

#Top of page

Independent Review of Information Security

It is important to have unbiased reviews of information security organization programs and initiatives on a recurring basis in order to measure and ensure effectiveness. Often, these reviews are carried out by multiple parties: internal audit departments, external auditors, and assessments performed by contractors or consultants. It is also important that individuals performing reviews and assessments are qualified to do so. The primary objective of independent reviews is to measure effectiveness and ensure continuous improvements are made. In the event your campus does not have an internal audit function, you may be able to develop a cooperative agreement with another campus or hire a consulting firm to conduct an audit and/or assessment of specific areas you need to have assessed. Review the Information Security Risk Assessment Consultants guidance to determine if you need to develop an RFP or can use one of the firms listed to assist your campus.

#Top of page

Compliance with Security Policies and Standards

Managers have compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards. Many campuses are considering the implementation of Governance, Risk, and Compliance (GRC) solutions to automate compliance reviews and reporting, as well as assisting with determining corrective actions that need to be managed. Take a look at the resource Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems to help you determine if a GRC system is a good investment for your information security program. EDUCAUSE has additional resources on IT GRC. 

Technical Compliance Reviews

Technical compliance reviews are also performed by many campuses. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information lifecycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a 'snapshot' at a point in time and must be repeated at recurring intervals in order to become an effective method or process.

#Top of page

...

Resources

. The National Conference on State Legislatures Privacy and Security site is a good starting place to research the laws relating to your state (including the latest on state security breach legislation).

2. Identify the persons or person responsible for reviewing contracts to determine any information security requirements, whether they are requirements of the institution or requirements of the vendor. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

Every contract that involves institutional data must be documented and any controls specified in that contract must also be documented. It is crucial to know what your institution's contractual responsibilities are so that you can look at the physical and technical controls you have in place and determine if they are adequate for the assumed contractual liability. In instances where contracting parties have access to institutional data, you want to be sure that you can audit the contractual controls and protections that the other party has agreed to follow.

Reference: Data Protection Contractual Language

Top of page

Intellectual Property Rights

Intellectual Property (IP) rights are a dominant issue at any institution of higher education. Institutions have many different types of research and proprietary information that can be protected via these rights. These rights are also attached to the different technologies that an institution might buy or license from others (and the rights are then protected via contract provisions). Appropriate controls to identify and protect intellectual property include:

• An intellectual property rights compliance policy (which meets copyright policy requirements of certain laws);
• Ensuring proper use of software and other technology licenses;
• Education and awareness on respecting IP rights;
• Keeping track of IP assets.

EDUCAUSE has significant IP and Copyright resources:

• Copyright Support and Guides
• Copyright Act of 1976
• Copyright and Intellectual Property Policies
• Copyright Infringement
• Copyright Term Extension Act (CTEA)
• Digital Millennium Copyright Act (DMCA)
• Fair Use
• Intellectual Property
• Licensing

Top of page

Protection of Organizational Records (Records Management)

Every institution deals with the issues inherent in managing organizational records and data, whether electronic or in paper. As part of the compliance controls at every institution, important records as well as records we are legally obligated to retain need to be protected from loss, destruction, and falsification.

ISO has a separate standard, ISO 15489, "Information and Documentation — Records Management." This standard goes into greater detail about how an institution recognizes the context in which records are created, received, used, stored, and destroyed as an implicit part of the data governance process.

This records management function may be placed anywhere in an institution, and sometimes it is part of an institution's IT structure. Regardless, records management has components of compliance that are unavoidable.

EDUCAUSE has excellent materials on records management, including an Electronic Records Management Toolkit. Regardless of the ownership of this function at your institution, as part of your information security purview there are information security considerations you need to be aware of:

• Your institution's policies and guidelines on retention, storage, handling, and disposal of records should be reviewed. Oftentimes this will require a security control to ensure that these policies and guidelines are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.)
• Policies that protect records from loss, destruction, or falsification.

Top of page

Regulation of Cryptographic Controls

Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. For more on this topic, visit the Encryption chapter.

Top of page

Information Security Reviews

In order to meet compliance requirements, it is necessary to continually review compliance methods, systems, and processes of departments that are affected by various policies, regulatory requirements, and laws to ensure that their approach to compliance is effective. For example, a particular credit card Point of Sale system (POS) can be implemented at a point in time on your campus, and your reviews may indicate that the application is in full compliance with PCI DSS. However, two years later, the payment application may no longer be considered fully compliant by the PCI SSC and if reviews aren't conducted on a recurring basis, this could result in noncompliance with PCI DSS requirements.

Top of page

Independent Review of Information Security

It is important to have unbiased reviews of information security organization programs and initiatives on a recurring basis in order to measure and ensure effectiveness. Often, these reviews are carried out by multiple parties: internal audit departments, external auditors, and assessments performed by contractors or consultants. It is also important that individuals performing reviews and assessments are qualified to do so. The primary objective of independent reviews is to measure effectiveness and ensure continuous improvements are made. In the event that your campus does not have an internal audit function, you may be able to develop a cooperative agreement with another campus or hire a consulting firm to conduct an audit and/or assessment of specific areas you need to have assessed. Note: For some institutions, an independent review may include representatives from legal counsel, an executive leadership team, and/or a system office.

Top of page

Compliance with Security Policies and Standards

Managers have compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards. Many campuses are considering the implementation of Governance, Risk, and Compliance (GRC) solutions to automate compliance reviews and reporting, as well as assisting with determining corrective actions that need to be managed. Take a look at the resource Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems to help you determine if a GRC system is a good investment for your information security program. EDUCAUSE has additional resources on IT GRC. 

Technical Compliance Reviews

Technical compliance reviews are also performed by many campuses. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information lifecycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a 'snapshot' at a point in time and must be repeated at recurring intervals in order to become an effective method or process.

Top of page

Resources

Top of page

Standards

Top of #Top of page

...

Questions or comments? Contact us.

...