The university has a responsibility to comply with applicable legal, regulatory, and contractual requirements with respect to safeguards over information and information assets. Additionally, such compliance protects the university's reputation and minimizes the risk of the negative financial consequences associated with noncompliance. Because the university operates in such a complex legal, regulatory, and contractual environment, a formal framework is necessary to promote compliance. Such a framework should address legal compliance, compliance with internal policies, standards, and guidelines, and audit objectives.
Safeguards for Domain 12 Information Security & Privacy Program
Legal requirements compliance
Security and privacy policies and standards compliance
Audit considerations
Summary of domain objectives
- Ensure operation within the university's legal, regulatory, and contractual framework
- Recognize that the design, operation, use, and management of information and information assets may be subject to legal, regulatory, and contractual requirements
- Obtain advice from content experts, such as the university's legal counsel, as appropriate
- Ensure compliance with university security and privacy policies, standards, and guidelines through regular reviews of information and information assets against these documents
- Maximize the effectiveness of and minimize the interference of the audit process by employing appropriate safeguards during the audit process
Supplemental resources
- UITS Research Technologies systems and services for researchers working with data containing HIPAA-regulated PHI | IU Knowledge Base
- What is the Digital Millennium Copyright Act? | IU Knowledge Base
- PCI-DSS Compliance Conference | Office of the Treasurer
- Policy FIN-ACC-580: Risks of Potential Identity Theft in the Use of Stored-Value and Payroll Deduct outlines relevant provisions of the university's Identity Theft Prevention Program to ensure that the risks of identity theft are minimized
- Do you plan to travel abroad and take your university-issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business. Contact them at export@iu.edu
- Compliance | EDUCAUSE/Internet2 Information Security Guide