Understanding IT GRC in Higher Education: IT Compliance

A recent EDUCAUSE Center for Analysis and Research (ECAR) Study on information technology governance, risk, and compliance (GRC) programs in higher education found that 51 percent of the institutional respondents agreed that the regulatory environment in higher education is too complex. That study also found that only one in five respondents feel that adequate budget or staffing support IT compliance.¹

With their wide-ranging activities, and as members of a highly regulated industry, institutions of higher education have numerous compliance obligations. Often these obligations extend beyond IT systems and into the operation of the institution itself.

What Is IT Compliance?

When considered generally, "compliance" consists of adherence to applicable laws, rules, and regulations; institutional policies; and contractual commitments. At the enterprise level, a compliance program defines the institutional infrastructures and processes necessary to prevent, as well as to detect, mitigate, and remediate, instances of noncompliance and assigns responsibility for the development of those infrastructures, the implementation of those processes, and the ongoing assessment and oversight of the program itself.

IT compliance identifies the obligations affecting the operation of IT systems. These obligations include laws, regulations, policies, and contractual commitments. IT compliance means operating institutional IT systems and resources in a way that meets the laws and regulations affecting those systems. It also means complying with institutional policy about the use of institutional IT systems and resources and contracts relating to those systems and resources.

Higher education institutions have numerous compliance obligations. For example, institutions must ensure compliance with laws and regulations concerning accreditation, athletics participation, campus safety, donors/giving, export controls, financial aid, healthcare and insurance, records management, research, taxation, and more. Also, a vast array of institutional policies concern intellectual property, privacy, student and staff conduct, and the like. Similarly, institutions have hundreds, if not thousands, of contracts, including most significantly their contractual commitments to their students.

IT compliance in higher education includes the following characteristics:

• Higher education institutions have varied and complex compliance requirements. For IT systems, it is important to understand that compliance requirements are often tied to types of data (health, financial, consumer, and student data for example). This means that one IT system may be subject to multiple compliance requirements if different types of data are used, processed, stored, or transmitted.
• Compliance does not mean just adherence with law. It also means adherence to contract terms and institutional policies.
• Compliance activities cannot be considered a one-time project; instead, they are an ongoing process that must be repeated on a regular basis. Regulatory requirements often change, which then requires a review of institutional compliance.
• Compliance concerns often come to light only after a serious incident occurs that highlights noncompliance. Institutions may minimize the likelihood of a high-profile incident by proactively addressing compliance issues.
• Compliance can be addressed through a risk-management lens, and competing compliance needs can be prioritized according to the seriousness of noncompliance consequences and the severity of a compliance gap. This risk-management lens can help determine where limited resources must be applied to meet compliance needs.
• Like all GRC activities, IT compliance activities require coordination between IT units, business and academic units, legal counsel, institutional compliance offices, and other institutional stakeholders. Multiple stakeholders must be consulted to properly address compliance requirements across the institution.

Key Questions to Ask about IT Compliance

When institutions consider IT compliance, the IT GRC Advisory Committee recommends that leaders ask the following questions:

• What are the laws and regulations that impact the operation of institutional IT resources (or the data contained in those resources)?
• What institutional policies apply to the operation of institutional IT resources (or the data contained in those resources)?
• Do you know what agreements your institution has made or contracts that your institution has entered into that impose conditions on the use of institutional IT resources (or the data contained in those resources)?
• Do you have a resource strategy in place to address compliance? Where possible, compliance investments should be aligned with the institution's risk tolerance and applied where noncompliance poses the largest risk and consequences for the institution.
• Is there already a coordinated enterprise-wide compliance initiative at your institution, and can IT compliance activities fit into or help inform the larger program?

Conclusion

IT compliance is crucial to the accomplishment of institutional compliance objectives in many instances. IT operates the infrastructure of institutional business functions, and any threat to the security or operation of those IT systems also threatens the requirements that underlie many other institutional compliance programs and responsibilities.

EDUCAUSE provides resources that help higher education institutions define and implement campus IT GRC activities. For advice from the IT GRC Advisory Committee, see:

• "Understanding IT GRC in Higher Education: IT Governance"
• "Understanding IT GRC in Higher Education: IT Risk"
• "Understanding IT GRC in Higher Education: IT Compliance" (this article)

We also invite you to contribute to the IT GRC body of knowledge in higher education. To learn more, visit the EDUCAUSE web page on the topic.

Acknowledgments

The EDUCAUSE IT GRC program began in January 2014 to provide resources that help institutions define and implement IT governance, risk, and compliance (GRC) activities on your campus. The inaugural IT GRC Advisory Committee includes Cathy Bates (Appalachian State University), Niraj Bhagat (Southern Methodist University), Mike Chapple (University of Notre Dame), Michael Corn (Brandeis University), Elias G. Eldayrie (University of Florida), Merri Beth Lavagnino (Indiana University), L. Sue McCormick (University of Virginia), Steven J. McDonald (Rhode Island School of Design), Peter J. Murray (University of Maryland, Baltimore), Marty Ringle (Reed College), Cheryl Washington (University of California, Davis), and Madelyn F. Wessel (Virginia Commonwealth University).

While all IT GRC Advisory Committee members contributed to the content of this advice, special acknowledgment is due to the members of "Team Compliance" (Steve McDonald, Cheryl Washington, and Madelyn Wessel), who took responsibility for reducing the many thoughts of the committee into the final advice offered.

1. Jacqueline Bichsel and Patrick Feehan, IT Governance, Risk, and Compliance Programs in Higher Education, (Louisville, CO: ECAR, June 2014).