

Compliance issues for higher education necessarily divide into several areas.  Each of the areas may require concurrent though potentially separate efforts.

Under the ISO Section on Compliance, the first area (15.1) involves compliance with the myriad laws, regulations or even contractual requirements which are part of the fabric of every institution. These legal requirements may or may not have risk assessment or mitigation value. They do provide a legal baseline, however, from which efforts at risk assessment and vulnerability management/mitigation may spring, or which may even catalyze such efforts.

The second area under ISO (15.2) is compliance with our own information security policies, standards and processes. The risk assessment and mitigation value is likely higher in these, in that we have developed these policies in response to vulnerabilities we have anticipated or discovered.

The third main area under ISO (15.3) engages institutions to limit access to enterprise audit tools to prevent misuse or compromise.

The ultimate backbone of higher education is information. Each institution gathers, stores, analyzes, retrieves and secures the information necessary for the proper functioning of all aspects of the mission of higher education. Without continued and uninterrupted access to that information, as well as assurances that the information is secure and reliable, we would be unable to fulfill our educational, research, and service missions.

Protecting the information against the backdrop of this institutional mandate are the various laws, regulations, contractual requirements and security controls which are part of the fabric of each institution. As part of our risk management efforts, they act as controls which help enhance your organization's reputation and minimize risk and other negative consequences by ensuring compliance with the law and signed contractual agreements. However, understanding what you need to know and what your organization needs to do to maintain compliance is sometimes a difficult road. The path to establishing these controls takes a complete look at the areas in which your institution has responsibilities, whether legal or contractual. The context in which information is created, received, stored and destroyed must be known intimately before compliance activities can effectively take shape.

This section of resources is intended to serve as a guide-map in your continued quest for compliance. Specific guidance should be sought from legal counsel employed by your university.

Important elements to consider when developing a compliance framework include the following:

  • Awareness of relevant regulations/laws (do you know what you need to follow?)
  • Approach to complying with each item (do you know what your organization is doing to follow the law?)
  • Management of institutional records (do you know what you need to keep and for how long?)
  • Awareness of how records are managed by your institution.



27002: Information Security Management
Chapter 15: Compliance
800-100: Information Security Handbook: A Guide for Managers
800-53: Recommended Security Controls for Federal Information Systems and Organizations
800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
Requirement 3
Requirement 9
Requirement 12


Getting Started

Getting started on compliance is a twofold task. The first task is to identify each and every law or regulation which may apply to your situation and the tasks that are accomplished. Secondly, we also need to know what compliance requirements we may have under the myriad contracts that are executed to further institution business.

The first task, identifying laws and regulations, will mostly share common themes with other similar institutions. There will be differences from state to state, but the overarching themes of protecting information and establishing information security protocols are consistent.

The second task is more daunting. Each institution has a number of contracts with varying rights and responsibilities. Rights and responsibilities can sometimes merge in the area of information security, as the task of securing information may sometimes be just as difficult as monitoring the information security duties of a vendor.

Advice from your institution's legal advisers should be part of the task. While legal requirements may be a somewhat consistent theme, their application to your individual situation may sometimes require a fresh look.


Compliance with Legal Requirements (ISO 15.1)

Objective: "Compliance" under this section has a broad meaning over several disciplines. Under this first section the term "Compliance" is about complying with the legal, contractual and records requirements an institution faces to avoid legal or contractual breaches.

Identification of Applicable Legislation (ISO 15.1.1)

Your institution needs to identify all relevant statutory, regulatory and contractual rights, as well as your approach to meeting these requirements. The legal requirements need to be explicitly identified and recognized, and a plan should be in place for meeting applicable requirements.

To meet this part of compliance, controls should be developed which:

1. Identify the persons or person responsible for ascertaining the legal requirements. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

Initially on the legal and regulatory side, EDUCAUSE has identified a group of federal laws and sample contract clauses as shown below:

Additionally, nearly every state has breach laws, personal information protection laws, Social Security protection laws or other laws related to technology furnished at every institution. Each state must be taken as its own legal island and an institution must know if any of the following impact or enhance security efforts:

The National Conference on State Legislatures site is a good starting place to research the laws relating to your state.

2. Identify the person or persons responsible for reviewing contracts to determine any information security requirements, whether they are requirements of the institution or requirements of the vendor. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

On the contract side it will require a reading of each and every contract which involves the various tasks that may impact information in your institution. Contracts have a way of being more complex than they need to be, but each contract should ultimately state what each party has as their responsibilities as well as who is assigned liability in contemplated (or even not contemplated) events under the contract. It is crucial to know what your contractual responsibilities are so that you can look at physical and technical controls you have in place and determine if they are adequate for the assumed contractual liability.


Intellectual Property Rights (ISO 15.1.2)

Intellectual Property (IP) requirements are a dominant issue at any institution of higher education. They become an information security issue when intellectual property laws or contracts or licenses/patents require an institution to keep matters confidential or to assure that copyright or other laws are not violated with regard to intellectual property. Appropriate controls to assure compliance with these laws need to be in place, including:

  • An intellectual property rights compliance policy (which meets copyright policy requirements of certain laws);
  • Ensuring proper use of software and other technology licenses;
  • Education and awareness on respecting IP rights;
  • Keeping track of IP assets.

EDUCAUSE has significant IP and Copyright resources:


Protection of Organizational Records (Records Management) (ISO 15.1.3)

Every institution deals with the issues inherent in managing organizational records and data, whether electronic or in paper. As part of the compliance controls at every institution, important records as well as records we are legally obligated to retain need to be protected from loss, destruction and falsification.

ISO has a separate standard, ISO 15489 "Information and Documentation — Records Management".  This standard goes into greater detail about how an institution recognizes the context in which records are created, received, used, stored and destroyed as an implicit part of the data governance process.

This "records management" function may be placed anywhere in an institution, and sometimes it is part of an institution's IT structure. Regardless, records management has components of compliance that are unavoidable.

EDUCAUSE has excellent materials on records management, including an Electronic Records Management Toolkit. Regardless of the ownership of this function at your institution, as part of your information security purview, there are information security considerations. You need to be aware of:

  • Your institution's policies and guidelines on retention, storage, handling and disposal of records. These should be reviewed; oftentimes this will require a security control to ensure that they are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.)
  • Policies which protect records from loss, destruction or falsification.


Data Protection and Privacy of Personal Information (Records Management) (ISO 15.1.4)

The data every institution uses in its mission of teaching is a valuable resource which needs to be protected commensurate with how it is classified.  Students and Staff entrust the institution with a given data set and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given.

To do this, each institution has to govern the data it uses so that it will be received, made, used, stored, shared or destroyed in a purposeful manner which recognizes the pact to protect data in an institution's daily mission. Areas to consider in a data governance program include:

  • Sensitivity Level. An institution should be classifying data as to sensitivity to assure that proper security protection is in place, appropriate to the given data set. EDUCAUSE has excellent materials, including a toolkit, on the classification of data.
  • Retention Period. Consistent with records management practices, an institution needs to be aware of the period in which data is to be retained, to assure that data's availability and integrity for that retention period.
  • Data Utilization. In every part of a College which controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging and auditing.
  • Data Back-up. How an institution creates back-up copies of data and software is a critical element. Procedures need to be in place which memorialize and verify the implementation and inventory of back-up copies.
  • Management of Storage Media. Processes are needed to ensure proper management of storage media, including restrictions on types of media, audit trails for movement of media, secure disposal of media no longer in use and redundant storage.
  • Electronic Data Transfers.
  • Disposal of Media.

Prevention of Misuse of Information Processing Facilities (ISO 15.1.5)

Users of institutional data should be deterred from using information processing facilities for unauthorized purposes.

Regulation of Cryptographic Controls (ISO 15.1.6)

Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations.

Compliance with Security Policies and Standards, and Technical Compliance (ISO 15.2)

Objective: The security of information systems needs to be regularly reviewed, and that review needs to be done against the backdrop of the controls, policies and standards each institution has in place.

Compliance with Security Policies and Standards (ISO 15.2.1)

Managers have compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards.

Technical Compliance Checking (ISO 15.2.2)

Information systems need a compliance check against security implementation standards.


Information Systems Audit Considerations (ISO 15.3)

Objective: Audits of institutional systems shall be planned and agreed upon so as to minimize the risk of disruptions to business.

The importance of independent audit as a control cannot be minimized. It can take many forms, from reviewing other safeguards and identifying their strengths and weaknesses, to monitoring user behavior and system activity. Audits are a key element in managing vulnerabilities.

When system audit tools are used, these should be separated from the development and operational systems environments to prevent any misuse or compromise. Both software and data files should be restricted from access by IT personnel (e.g. in tape libraries) or users (e.g. in user areas).


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
