IT Compliance Framework for Higher Education

Key Takeaways

  • Implementation of a university-wide IT compliance framework can prevent redundant effort and provide a way to benchmark IT compliance efforts against regulatory requirements.
  • It is essential to establish the five general requirements of the model presented here just to ensure an institution's compliance effort is moving in the right direction — becoming compliant with data privacy regulations.
  • Finally, meeting requirements for information security and compliance is an ongoing activity and will need continual refinement, updating, and monitoring, especially as regulations change.

Carlos Lobato is IT Compliance Officer for New Mexico State University.

Institutions of higher education increasingly must comply with various federal and state regulatory requirements focused on data privacy and protection. The potential overlap of effort in meeting these requirements can be avoided if a higher education institution implements a university-wide IT compliance framework to ensure compliance at a high level with various applicable federal and industry regulations such as FERPA (The Family Educational Rights and Privacy Act), HIPAA (The Health Insurance Portability and Accountability Act), GLBA (The Gramm-Leach-Bliley Act), FISMA (The Federal Information Security Management Act), RFR (The Red Flags Rule), and PCI DSS (The Payment Card Industry Data Security Standards).

In 2012 the Information and Communication Technologies department at New Mexico State University (NMSU ICT) developed an IT compliance framework model, which is currently in its early stages of being implemented. In this article NMSU ICT shares some lessons learned to-date and our model to help other institutions benchmark their IT compliance efforts.

The IT Compliance Framework Model

The compliance model is intended to provide institutions of higher education with a short visual checklist to identify essential gaps in meeting major regulatory requirements and to ensure compliance moves in the right direction at a holistic university-wide level. Note that if an essential requirement is not met, the end result is an overall noncompliance status/rating. Therefore, institutions should focus their overall efforts on establishing a strong foundation for compliance by ensuring that the five main regulatory requirements are the first ones addressed, as shown in table 1. In using the table, institutions should replace the letters NMSU with their own institutions' initials and assess their existing practices to determine if all of the five essential requirements have been met or if one of the core requirements is not being met. A quick determination can be made by simply answering yes or no in each category.

Table 1. IT Compliance Framework for Information Security

Laws and Regulations

Designate Responsibility Required or Recommended (1)

Establish Information Security Program (2)

Establish Policies & Procedures (3)

Monitoring/

Incident Handling/ Compliance (4)

Recommend a Training/Awareness Program (5)

 

Yes

No

Yes

No

Yes

No

Yes

No

Yes

No

FERPA

Governance Committee

 

X

 

X

 

X

 

X

 

HIPAA

Security Official and Privacy Official

 

X

 

X

 

X

 

X

 

GLBA

One or more employees

 

X

 

X

 

X

 

X

 

Red Flags Rule

Employee

 

X

 

X

 

X

 

X

 

FISMA

Committee or Employee

 

X

 

X

 

X

 

X

 

PCI DSS

individual or team for information security responsibilities

 

X

 

X

 

X

 

X

 

NM State Law

There is no information security state law that regulates safeguarding and data breach notification of personally identifiable information (PII); the State Information Security Policy can be used as a best practices guide, however.

NMSU*

 

X

 

X

 

X

 

X

 

X

* This row represents NMSU's original determination in 2012, based on not having formal documentation to substantiate compliance with the requirements. Although NMSU had many mitigating and informal controls, regulations require formal documentation and processes.

1. Regulations require the formal designation of Information Security Responsibility. Best information security practices recommend the designation of this responsibility to a chief information security officer (CISO). NMSU had not formally appointed a CISO because the formal designation requires this assignment of responsibility to be part of the CISO’s job description. NMSU is in the process of formally addressing this requirement.

2. Regulations require the establishment of an Information Security Program. Best information security practices recommend a risk-based approach, which is also required or recommended by the various regulations. NMSU is in the process of formally documenting and establishing a program.

3. Regulations require the development of IT Policies and Procedures, which should map to the risk-based information security program. NMSU is in the process of modifying and creating policies according to the program.

4. Regulations require ongoing Monitoring/Incident Handling/Compliance to ensure ongoing compliance and proper protection of regulated data. NMSU is currently drafting an incident handling policy and implementing other active monitoring controls.

5. Regulations require the development of a holistic Training and Awareness Program to ensure that end users are made aware of their information security responsibilities and various safe computing and data security practices and related threats to privacy. NMSU is currently developing a formal training and awareness program.

Moving Compliance in the Right Direction

It is essential to establish the five general requirements just to ensure an institution's compliance effort is moving in the right direction — becoming compliant with data privacy regulations. Once the essential general requirements are in place, more specific controls may be needed to ensure compliance with each individual regulation. Regardless, the implementation of the general control should precede the implementation of more specific controls. The following provide an example of a general control and a specific control.

  • General control: Creating a university-wide training and awareness program to meet requirement number 5 above would be met by the creation of a general training program for computer and data security, which should be mandatory for all employees of the institution and tracked in a database.
  • Specific control: To meet the FERPA training requirement, a specialized training program should be developed covering FERPA's specific regulatory requirements, with regular refresher courses to ensure ongoing proper protection and privacy of student data.

Implementing the model is a major undertaking that will take considerable time. NMSU ICT estimated that it may take 2–5 years to fully implement the model and recommends the development of a general visual implementation roadmap to show the university's executive administration visually the progression of implementation and whether deadlines are being met — and if not, why not. A roadmap can also be provided to management via a simple five-item checklist, which can and should be implemented in chronological order.

  1. Designation of formal information security responsibility is required by all data-privacy regulations and should be the first requirement met to ensure the proper implementation of a university-wide information security program. This university-wide responsibility should be designated to an employee (CISO or similar role). Ideally, the CISO should report to the chief information officer (CIO) with a dotted line to an audit committee or university auditor to ensure proper vetting of any conflicts of interest between the CIO's operating requirements and the CISO's implementation of good information security practices. This reporting line is recommended to ensure risk acceptance by the proper decision makers (the audit committee and/or board of regents). An alternative to the implementation of good information security practices would be to establish a university-wide IT Security Committee to govern IT security. A CISO should still be appointed to manage/implement the program and to be held accountable in the event of noncompliant practices.
  2. Upon formal designation of responsibility, the CISO should establish a risk-based information security program/plan, which should consider (a) compliance with applicable laws and regulations, (b) management needs, and (c) best management practices.
  3. Once the risk-based information security program/plan is drafted, IT policies should be developed according to regulatory requirements and the risk-based information security program. Policies, procedures, and guidelines are essential in implementing an information security program because they provide the governing directives for the institution, but determining an ideal set of policies is not easy. At NMSU ICT and as part of developing the model, various recommended practices were reviewed and compared to regulatory requirements. It was determined that policies and procedures should be developed in 22 broad areas as recommended by the various IT frameworks and as required by the various data-privacy regulations. The 22 areas are based on generally accepted frameworks such as ISO, COBIT 5, and NIST standards.
  4. Even data-privacy regulations recognize that data breaches or other IT compromises are inevitable. Therefore, data-privacy regulations require the creation of incident handling policies and procedures to ensure proper handling of data breaches/incidents according to regulatory requirements. Institutions should develop such policies and procedures based on processes established as part of the information security program.
  5. Training and awareness are a requirement of the various data-privacy regulations; therefore, a mandatory general computer and data security training program should be implemented covering various safe computing and data security practices. All employees should be trained and the training logged into a database. Additionally, highly specialized training programs should be developed and customized for employees who handle regulated data (FERPA, HIPAA, etc.), depending on the applicable federal, state, or industry regulation.

NMSC ICT reviewed various generally accepted best information security practices from different IT professional associations (ISACA, SANS, etc.) and included them as part of the model. We then noticed that best practices mirror regulatory requirements.

Using the Model

Overall, institutions should be able to replace the letters NMSU in the model/matrix with their institution's initials and quickly benchmark and assess their existing practices against the IT compliance framework. Additionally, not all regulations may be applicable to all institutions, and therefore each institution should identify the applicable regulations and determine if they are headed in the right direction in their compliance efforts. Also, an information security implementation plan/roadmap should be developed to meet the specific needs of the institution, taking into consideration its local culture and environment. Finally, meeting requirements for information security and compliance is an ongoing activity and will need continual refinement, updating, and monitoring, especially as regulations change.