Table of Contents
- Overview
- Standards
- Getting Started
- Compliance with Legal and Contractual Requirements (ISO 18.1)
- Information Security Reviews (ISO 18.2)
- Compliance with Security Policies and Standards, and Technical Compliance (ISO 15.2)
- Information Systems Audit Considerations (ISO 15.3)
- Resources
Overview
Compliance issues for higher education necessarily divide into several areas. Each of the areas may require concurrent though potentially separate efforts.
Under the ISO section on Compliance, the first area (15.1) involves compliance with the myriad laws, regulations and even contractual requirements that are part of the fabric of every institution. These legal requirements may or may not have risk assessment or mitigation value. They do, however, provide a legal baseline from which efforts at risk assessment and vulnerability management/mitigation may spring or be catalyzed.
The second area under ISO (15.2) is compliance with our own information security policies, standards and processes. The risk assessment and mitigation value is likely higher in these, in that we have developed these policies in response to vulnerabilities we have anticipated or discovered.
The third main area under ISO (15.3) engages institutions to limit access to enterprise audit tools to prevent misuse or compromise.
The ultimate backbone of higher education is information. Each institution gathers, stores, analyzes, retrieves and secures the information necessary for the proper functioning of all aspects of the mission of higher education. Without continued and uninterrupted access to that information, as well as assurances that the information is secure and reliable, we would be unable to fulfill our educational, research, and service missions.
Protecting the information against the backdrop of this institutional mandate are the various laws, regulations, contractual requirements and security controls that are part of the fabric of each institution. As part of our risk management efforts, they act as controls that help enhance your organization's reputation and minimize risk and other negative consequences by ensuring compliance with the law and with signed contractual agreements. However, understanding what you need to know, and what your organization needs to do to maintain compliance, is sometimes a difficult road. Establishing these controls requires a complete look at the areas in which your institution has responsibilities, whether legal or contractual. The context in which information is created, received, stored and destroyed must be known intimately before compliance activities can effectively take shape.
This section of resources is intended to serve as a guide in your continued quest for compliance. Specific guidance should be sought from legal counsel employed by your university.
Important elements to consider when developing a compliance framework include the following:
- Awareness of relevant regulations/laws (do you know what you need to follow?)
- Approach to complying with each item (do you know what your organization is doing to follow the law?)
- Management of institutional records (do you know what you need to keep and for how long?)
- Awareness of how records are managed by your institution.
Standards
- ISO 27002:2013 Information Security Management
- NIST SP 800-100: Information Security Handbook: A Guide for Managers
- PO4
- Requirement 3
Getting Started
Getting started on compliance is a twofold task. The first task is to identify each and every law or regulation that may apply to your situation and to the tasks that are accomplished. Second, we also need to know what compliance requirements we may have under the myriad contracts that are executed to further institutional business.
The first task, identifying laws and regulations, will have mostly common themes with other similar institutions. There will be differences from state to state, but the overarching theme of protecting information and establishing information security protocols is consistent.
The second task is more daunting. Each institution has a number of contracts with varying rights and responsibilities. Rights and responsibilities can sometimes merge in the area of information security, as the task of securing information may sometimes be just as difficult as monitoring the information security duties of a vendor.
Advice from your institution's legal advisers should be part of the task. While legal requirements may be a somewhat consistent theme, their application to your individual situation may sometimes require a fresh look.
Compliance with Legal and Contractual Requirements (ISO 18.1)
Objective: "Compliance" under this section has a broad meaning over several disciplines. Under this first section the term "Compliance" is about complying with the legal, contractual and records requirements an institution faces to avoid legal or contractual breaches.
Identification of Applicable Legislation (ISO 15.1.1)
Your institution needs to identify all relevant statutory, regulatory and contractual rights, as well as your approach to meeting these requirements. The legal requirements need to be explicitly identified and recognized and a plan in place for meeting applicable requirements.
To meet this part of compliance, controls should be developed which:
1. Identify the person or persons responsible for ascertaining the legal requirements. Those requirements should then be mapped, in some form of matrix, against the existing controls so that it is clear which controls are in place to meet each requirement.
On the legal and regulatory side, EDUCAUSE has initially identified the following federal laws and sample contract clauses:
- Family Educational Rights and Privacy Act (FERPA)
- Human Subjects Research
- Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules
- Payment Card Industry Data Security Standards (PCI DSS)
- Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act; GLB Act; GLBA) Safeguards Rule
- Fair and Accurate Credit Transactions Act of 2003 (FACT Act; FACTA) which amended the Fair Credit Reporting Act (FCRA), and amendments thereof, including Red Flags Rule (Identity Theft Prevention Program)
- Standard Non-Disclosure Agreement
- Standard Terms and Conditions for Doing Business With XYZ University - Contractual Terms (e.g., Indiana University)
- Higher Education Opportunities Act of 2008 (HEOA) Technology Mandates (Including: illegal peer-to-peer file sharing, emergency notification, and distance education student verification.)
Additionally, nearly every state has breach laws, personal information protection laws, social security number protection laws or other laws related to technology furnished at every institution. Each state must be taken as its own legal island, and an institution must know whether any of the following impact or enhance its security efforts:
- State Security Breach Notification Laws - (e.g., Iowa - Iowa Code § 715C.1e or Texas - Tex. Bus. & Com. Code § 521.03)
- State Computer Hacking and Unauthorized Access Laws (e.g., Arizona - Ariz. Rev. Stat. Ann. § 13-2316)
- State Cyberstalking (e.g., Arkansas - Ark. Code § 5-41-108), Cyberharassment (e.g., Hawaii - Hawaii Rev. Stat. § 711-1106) and Cyberbullying (e.g., North Carolina - N.C. Gen. Stat. §§ 14-458.1, 115C-407.15-17) Laws
- State Laws Related to Internet Privacy (e.g., Delaware - 19-7-705 [Employee E-Mail Communications] or Minnesota - 325M.01 to .09 [Privacy of Personal Information])
- Uniform Electronic Transactions Act States (e.g., Florida - Fla. Stat. §668.50)
- State Laws Relating to Data Disposal (e.g. Connecticut - Conn. Gen. Stat. Ann. §42-471)
- State Spyware Laws (e.g., Indiana - Ind. Code § 24-4.8-1 et seq.)
- State Phishing Laws (e.g., Illinois - 740 ILCS §§ 7/1 - 7/15)
- State Virus/Contaminant/Destructive Transmission Laws (e.g., Georgia - Ga. Code Ann. § 16-9-153 (a) (1) (A) - See SB 127(2005))
- State Legislation Related to "Sexting" (e.g., North Dakota - H.B. 1371)
- State Consumer Report Security Freeze Laws (e.g., Virginia - 2009 Chapter 406, Va. Code § 59.1-444.1 et seq.)
- State "Copier" Laws (e.g., New York)
The National Conference of State Legislatures site is a good starting place to research the laws relating to your state.
2. Identify the person or persons responsible for reviewing contracts to determine any information security requirements, whether they are requirements of the institution or requirements of the vendor. Those requirements should then be mapped, in some form of matrix, against the existing controls so that it is clear which controls are in place to meet each requirement.
On the contract side, this will require a reading of each and every contract that involves the various tasks that may impact information in your institution. Contracts have a way of being more complex than they need to be, but each contract should ultimately state the responsibilities of each party as well as who is assigned liability for contemplated (or even uncontemplated) events under the contract. It is crucial to know what your contractual responsibilities are so that you can look at the physical and technical controls you have in place and determine whether they are adequate for the assumed contractual liability.
Intellectual Property Rights (ISO 15.1.2)
Intellectual Property (IP) requirements are a dominant issue at any institution of higher education. They become an information security issue when intellectual property laws or contracts or licenses/patents require an institution to keep matters confidential or to assure that copyright or other laws are not violated with regard to intellectual property. Appropriate controls to assure compliance with these laws need to be in place, including:
- An intellectual property rights compliance policy (which meets copyright policy requirements of certain laws);
- Ensuring proper use of software and other technology licenses;
- Education and awareness on respecting IP rights;
- Keeping track of IP assets.
EDUCAUSE has significant IP and Copyright resources:
- Copyright
- Copyright Act of 1976
- Copyright and Intellectual Property Policies
- Copyright Infringement
- Copyright Term Extension Act
- Copyright Tutorials
- Federal Copyright Law
- Intellectual Property
Protection of Organizational Records (Records Management) (ISO 15.1.3)
Every institution deals with the issues inherent in managing organizational records and data, whether electronic or in paper. As part of the compliance controls at every institution, important records as well as records we are legally obligated to retain need to be protected from loss, destruction and falsification.
ISO has a separate standard, ISO 15489 "Information and Documentation — Records Management". This standard goes into greater detail about how an institution recognizes the context in which records are created, received, used, stored and destroyed as an implicit part of the data governance process.
This "records management" function may be placed anywhere in an institution, and sometimes it is part of an institution's IT structure. Regardless, records management has components of compliance that are unavoidable.
EDUCAUSE has excellent materials on records management, including an Electronic Records Management Toolkit. Regardless of who owns this function at your institution, there are information security considerations that fall within your information security purview. You need to be aware of:
- Your institution's policies and guidelines on retention, storage, handling and disposal of records. These should be reviewed; oftentimes a security control will be required to ensure that they are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.)
- Policies that protect records from loss, destruction or falsification.
Data Protection and Privacy of Personal Information (Records Management) (ISO 15.1.4)
The data every institution uses in its mission of teaching is a valuable resource that needs to be protected commensurate with how it is classified. Students and staff entrust the institution with a given data set, and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given.
To do this, each institution has to govern the data it uses so that it is received, created, used, stored, shared or destroyed in a purposeful manner that honors the pact to protect data in the institution's daily mission. Areas to consider in a data governance program include:
- Sensitivity Level. An institution should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set. EDUCAUSE has excellent materials, including a toolkit, on the classification of data.
- Retention Period. Consistent with records management practices, an institution needs to be aware of the period in which data is to be retained, to assure that data's availability and integrity for that retention period.
- Data Utilization. In every part of a college that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging and auditing.
- Data Back-up. How an institution creates back-up copies of data and software is a critical element. Procedures need to be in place that memorialize and verify the implementation and inventory of back-up copies.
- Management of Storage Media. Processes to ensure proper management of storage media, including restrictions on the types of media, audit trails for the movement of media, secure disposal of media no longer in use, and redundant storage.
- Electronic Data Transfers.
- Disposal of Media.
Prevention of Misuse of Information Processing Facilities (ISO 15.1.5)
Users of institutional data should be deterred from using information processing facilities for unauthorized purposes.
Regulation of Cryptographic Controls (ISO 15.1.6)
Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations.
Information Security Reviews (ISO 18.2)
Objective:
Compliance with Security Policies and Standards, and Technical Compliance (ISO 15.2)
Objective: The security of information systems needs to be regularly reviewed, and that review needs to be done against the backdrop of each institution's own controls, policies and standards they have in place.
Compliance with Security Policies and Standards (ISO 15.2.1)
Managers have compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards.
Technical Compliance Checking (ISO 15.2.2)
Information systems need a compliance check against security implementation standards.
Information Systems Audit Considerations (ISO 15.3)
Objective: Audits of institutional systems shall be planned and agreed so as to minimize the risk of disruptions to business.
When system audit tools are used, they should be separated from the development and operational systems environments to prevent any misuse or compromise. Both the audit software and its data files should be protected from access by IT personnel (e.g., in tape libraries) or by users (e.g., in user areas).
Resources
Campus Case Studies On This Page
Enhancing Application Security With a Web Application Firewall - UC, Irvine
EDUCAUSE Resources
- EDUCAUSE/Cornell Institute for Computer Policy and Law
- EDUCAUSE Policy Initiatives
- Federal Privacy Law
- FERPA
- Gramm-Leach-Bliley (GLB) Act
- Higher Education Act
- HIPAA
- ID Theft Red Flags
- PCI DSS
- Policy and Law
- Policy and Law: Campus
- Policy and Law: Federal
- Policy and Law: State
Initiatives, Collaborations, & Other Resources
- In Progress
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).