The university has a responsibility to comply with applicable legal, regulatory, and contractual requirements with respect to safeguards over information and information assets. Additionally, such compliance protects the university's reputation and minimizes the risk of the negative financial consequences associated with noncompliance. Because the university operates in such a complex legal, regulatory, and contractual environment, a formal framework is necessary to promote compliance. Such a framework should address legal compliance, compliance with internal policies, standards, and guidelines, and audit objectives.
Safeguards for Domain 12 Information Security & Privacy Program
Legal requirements compliance
In order to ensure compliance with requirements, the institution must identify a comprehensive list of information security- and information privacy-related compliance obligations pertaining to the institution. Offices with appropriate expertise are assigned management responsibility for compliance for each obligation. Assigned compliance personnel are made aware of and accountable for ensuring compliance with these obligations. Throughout this process, advice on legal requirements should be sought from content experts, such as the organization's legal advisors.
Compliance responsibility at IU follows a tiered model. When a regulation, law, or contractual obligation requires IU's compliance for information or technology security or privacy, an individual or office is assigned responsibility for oversight of that compliance sector university-wide or for a specific campus. This tiered model, as it applies to policies, is detailed in The Policy Hierarchy Explained.
However, it is important to understand that every employee at IU is also individually responsible for ensuring that he or she is complying with university policies, regulations, laws, and contractual obligations.
The individuals or offices assigned information security and privacy compliance oversight responsibility track requirements, issue policies and implementation guidance, provide awareness and training materials, and spot-check or otherwise undertake activities to reasonably affirm that the university is complying with the requirements.
Report an Incident at IU assists in directing complaints and reports to the correct party for prompt attention.
Security and privacy policies and standards compliance
Information systems should be regularly reviewed for compliance with information security and privacy policies and standards. Managers should ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance.
Campus and unit management is responsible for periodically assessing and reviewing compliance. Offices responsible for compliance obligations also periodically spot-check or otherwise undertake activities to reasonably affirm that the university is complying with the requirements.
The university-wide Internal Audit unit acts as an independent appraisal function to examine and evaluate university activities, including information security and privacy activities, as a service to management and the Board of Trustees.
Audit considerations
In order to minimize interference during the information systems audit process, and to maximize the effectiveness of such audits, protections are needed to safeguard operational systems and audit tools.
Audit responsibilities at IU are independently organized. Internal Audit does not participate directly in the university activities it examines, which enables objectivity and promotes an unbiased, impartial environment that avoids conflicts of interest.
Individuals assigned audit duties do not report to those responsible for systems activities and processes. In addition, systems are not audited in a “live” environment. If an audit must occur in a “live” environment, all attempts would be made to conduct the audit during off-peak hours.
Summary of domain objectives
- Ensure operation within the university's legal, regulatory, and contractual framework
- Recognize that the design, operation, use, and management of information and information assets may be subject to legal, regulatory, and contractual requirements
- Obtain advice from content experts, such as the university's legal counsel, as appropriate
- Ensure compliance with university security and privacy policies, standards, and guidelines through regular reviews of information and information assets against these documents
- Maximize the effectiveness of the audit process, and minimize its interference with operational systems, by employing appropriate safeguards during audits
Supplemental resources
- UITS Research Technologies systems and services for researchers working with data containing HIPAA-regulated PHI | IU Knowledge Base
- What is the Digital Millennium Copyright Act? | IU Knowledge Base
- PCI-DSS Compliance Conference | Office of the Treasurer
- Policy FIN-ACC-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct outlines relevant provisions of the university's Identity Theft Prevention Program to ensure that the risks of identity theft are minimized
- Do you plan to travel abroad and take your university-issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine whether your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business. Contact them at export@iu.edu
- Compliance | EDUCAUSE/Internet2 Information Security Guide