Information Security Compliance


A Unified Approach to Information Security Compliance

By M. Peter Adler

The information age has led to a heightened concern that personal information is not being protected. The high speed at which private information can be used and shared, often without permission, enables and increases the possibility of identity theft and other unauthorized uses of personal information. Initially, self-regulation through the implementation of good security practices was thought to be the way to protect electronic personal information. In the latter part of the twentieth century, a sectoral approach to information security regulation started to gain favor with the passage of laws protecting health and financial information. However, between February 2005 and July 2006, there were 237 reported security breaches involving the compromise of more than 89 million records containing personal information.[1] Of these, 83 incidents involved institutions of higher education, including academic medical centers. The number of reported security incidents demonstrates that self-regulation has generally failed.

M. Peter Adler, JD, LLM, CISSP, CIPP, is President of Adler InfoSec & Privacy Group LLC and former Chief Information Security Officer at the University of Colorado.

EDUCAUSE Review, September/October 2006. Illustration by Jean-François Martin.

As a result, controlling risks to personal information through enhanced information security has become the subject of state and federal laws. The recent upsurge in the number of state and federal laws and regulations represents an emerging legal standard that imposes obligations on colleges and universities to protect the data they collect, store, process, use, and disclose. These laws increasingly affect how higher education institutions, often operating in multiple jurisdictions, handle personal information, including sensitive health and financial data. Many of the new laws require disclosures to victims when there is unauthorized access to systems containing sensitive information. Failure to protect this type of information will inevitably result in public embarrassment and the financial costs associated with managing the response to incidents and may also result in investigations, fines, and other penalties.

Colleges and universities facing these growing legal obligations are often perplexed about how to comply with so many laws and regulations. Many do not approach information security compliance in an organized and integrated fashion. Some have permitted information security compliance to be handled by more than one department. For example, the health center or the university hospital may be tasked with Health Insurance Portability and Accountability Act (HIPAA) compliance, the registrar may be held responsible for the privacy of student educational records under the Family Educational Rights and Privacy Act (FERPA), while the financial aid office or departments using credit cards may focus on compliance with the Gramm-Leach-Bliley Act (GLBA) or the Payment Card Industry Data Security Standard (PCIDSS). Complicating these efforts are regulatory requirements affecting numerous institutional departments, such as research facilities, as well as external business partners. As a result, efforts are often incomplete, redundant, or inadequate and expensive.
A piecemeal approach may also undermine the integration of information security compliance into other institutional compliance programs, such as information privacy and institutional governance. For example, a decentralized approach to information security could make it harder to monitor and report the controls that are increasingly a part of institutional audits. For all of these reasons, colleges and universities need to consider undertaking a unified approach to information security compliance.

Information Security Laws and Regulations

A number of state and federal laws and regulations suggest or impose an obligation on colleges and universities to create and maintain an information security program.

Family Educational Rights and Privacy Act (FERPA)

The federal Family Educational Rights and Privacy Act of 1974 (FERPA) provides a postsecondary student the right to inspect his or her education records and establishes conditions concerning the disclosure of those records to third parties. Although the act does not specifically require that information security be implemented, the protection of electronic student records will require information security covering the student records subject to this federal law.

Gramm-Leach-Bliley Act (GLBA)

Under the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) has jurisdiction over the activities of higher education institutions. The FTC regulations contain both privacy and security requirements. Colleges and universities that comply with FERPA will be deemed by the FTC to be in compliance with its privacy provisions. However, educational institutions remain subject to the GLBA security provisions as found in the FTC safeguard regulations ("FTC Safeguards"), which became effective on May 23, Under the FTC Safeguards, higher education institutions are to implement security measures to protect customer information that is personally identifying information such as names, addresses, account and credit information, and Social Security numbers.
This most often applies to higher education in the area of student loans but may also apply when credit cards or other loans are issued directly to students. The FTC Safeguards are aimed at ensuring the security and confidentiality of customer information. Higher education institutions are required to protect against any anticipated threats or hazards to the security or integrity of such records and to protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to the person noted in the record. To comply, colleges and universities must develop comprehensive information security programs, assess the need for employee training, and include obligations in their agreements with third parties that have access to the financial records covered by the rules.

Although the FTC has not begun enforcement actions against higher education institutions, it demonstrated a willingness to pursue noncompliance when it charged three mortgage companies for not following the FTC Safeguards.[2] Among other things, the consent order in each of these cases requires the company to retain an independent professional to certify, within 180 days, that its information security program meets the standards listed in the order and also to make this certification every other year for ten years.

The Health Insurance Portability and Accountability Act (HIPAA)

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contain both security and privacy provisions. HIPAA applies to covered entities that use certain electronic transactions, entities such as most health care providers, health plans, and health care clearinghouses. In the higher education area, HIPAA most often applies to clinics used by both students and staff and to academic medical centers. The security regulations of HIPAA require covered entities to protect specific types of individually identifiable health information kept in electronic form, referred to as Electronic Protected Health Information (EPHI).

To comply with the HIPAA security regulations, covered entities are to protect systems that store, process, and transmit EPHI. Entities must conduct periodic risk analyses to determine and implement reasonable and appropriate administrative, physical, and technical safeguards. The security regulations also require the implementation of risk management processes, including policies and procedures and other documentation and training. Although HIPAA does not allow individuals to sue covered entities that do not comply with the law, it does provide criminal and civil penalties for noncompliance.

The California Law on Notification of Security Breach (SB 1386)

The California Law on Notification of Security Breach (SB 1386) applies to people, businesses, and government agencies, including colleges and universities. The law requires that whenever a security breach results in the potential compromise of certain personal information, notice must be given to any data subjects who are residents of California. The type of personal information that triggers the notice requirement under this California law includes name (first name or initial and last name) plus any of the following:

- Social Security number
- Driver's license or California Identification Card number
- Financial account number or credit/debit card number (along with any PIN or other access code where required for access to the account)

Notice must be provided as soon as possible. However, a delay in notifying may be permitted if legitimate law enforcement agencies determine that giving notice to the data subject would impede a criminal investigation.
Notice may also be delayed if the organization suffering the breach is taking necessary measures to determine the scope of the breach and restore reasonable integrity to the system.

The California Office of Privacy Protection published recommended practices to comply with the California Law on Notification of Security Breach. The recommended practices are divided into three parts: (1) Protection and Prevention; (2) Preparation for Notification; and (3) Notification. The recommended practice of Protection and Prevention contains a number of best practices regarding information security and incident response, including most of the security practices and procedures required by GLBA and HIPAA.

Thirty-two states have passed similar legislation since California SB 1386 became law in July Yet because most of the notice of security breach laws apply to a state's citizens, colleges and universities have been required to respond to security incidents regardless of whether a local state law exists. Taking a unified approach to information security compliance would require an institution to adhere to the most stringent state law in order to comply with all of them. In addition, the federal government is contemplating a national notice of security breach law, which could preempt state law.

FDA Rule on Electronic Records and Electronic Signatures (21 C.F.R. Part 11)

In 1997, the U.S. Food and Drug Administration (FDA) issued 21 C.F.R. Part 11, which consists of regulations that provide criteria for the acceptance of electronic records. These criteria include specific information security and electronic signature practices. Part 11 applies to electronic records that are created, modified, maintained, archived, retrieved, or transmitted under any FDA regulations. Part 11 also applies to electronic records submitted to the FDA under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in FDA regulations.
Therefore, it applies to most aspects of research, quality assurance, clinical activities, manufacturing, and distribution of drugs, biologics, and devices. Virtually anything over which the FDA has jurisdiction, as well as some items subject to Public Health Service purview, is covered by the terms of Part 11. Therefore, higher education entities that conduct research under the jurisdiction of the FDA or the Public Health Service must comply with these regulations when submitting electronic records. Organizations subject to these regulations are required to identify all information systems and applications covered by the regulations, develop a plan for bringing the systems and applications into compliance, and demonstrate that all of the items contained in the plan have been accomplished.

The FDA recently issued guidance for organizations to follow when implementing compliance with 21 C.F.R. Part 11. Although the guidance contains only nonbinding recommendations, the FDA's current approach is to interpret Part 11 narrowly and to use discretion in enforcing the requirements for validation, audit trails, record retention, and record copying. Enforcement discretion will also be applied to all organizations using legacy systems, which are those systems that were operational before the effective date of Part 11 (August 1997). However, the FDA guidelines state that the FDA intends to enforce all other provisions of Part 11, including the following controls and requirements:

- Limiting system access to authorized individuals
- Use of operational system checks
- Use of authority checks
- Use of device checks
- Determination that those who develop, maintain, or use electronic systems have the education, training, and experience to perform their assigned tasks
- Establishment of and adherence to written policies that hold individuals accountable for actions initiated under their electronic signatures
- Appropriate controls over systems documentation
- Controls for open systems corresponding to controls for closed systems
- Requirements related to electronic signatures

Organizations that are not using legacy systems and that fail to comply with the above controls could be subject to an FDA enforcement action, including seizure, injunction, and debarment. For example, in a warning letter sent to a college that was found in violation of the Federal Food, Drug, and Cosmetic Act, the FDA Detroit District director wrote:

"In addition to the above listed violations, our Investigator noted that the laboratory is using an electronic record system for processing and storage of data from the atomic absorption and HPLC instruments that is not set up to control the security and data integrity in that the system is not password controlled, there is no systematic back-up provision, and there is no audit trail of the system capabilities. The system does not appear to be designed and controlled in compliance with the requirements of 21 CFR, Part 11, Electronic Records."[4]

Compliance with this regulation can be achieved by following a unified approach to information security compliance.

The Payment Card Industry Data Security Standard (PCIDSS)

In addition to the foregoing laws and regulations, the payment card industry recently created a private contractual compliance requirement: the Payment Card Industry Data Security Standard (PCIDSS). The PCIDSS requires that all merchants, including colleges and universities, that use credit cards comply with a number of technical, physical, and administrative requirements. Failure to comply with the PCIDSS could result in large penalties and suspension of the right to use credit cards for payment purposes.

Putting It All Together: The Emerging U.S. Legal Standard

Although the laws and regulations noted above collectively represent an emerging legal standard, they rarely specify the information security measures that colleges and universities should implement in order to satisfy that standard. Most of the laws and regulations simply state that covered entities are to establish and maintain reasonable or appropriate security procedures, safeguards, or countermeasures. Further guidance or specific direction is not provided. Yet a close review of newer statutes, regulations, and cases demonstrates that this emerging legal standard for information security closely resembles other established information security standards. One example of an established standard is the 800 series issued by the National Institute of Standards and Technology (NIST). Another is the International Standards Organization (ISO) Framework of Security: ISO Under both the ISO standards and the NIST standards, management of information security requires the following:

- Asset Identification and Assessment: Identify the information and physical assets that must be protected within an organization
- Risk Assessment and Analysis: Conduct an assessment of the risks and analyze them against the probability of occurrence
- Implementation of Safeguards to Counter Identified Risks: For risks that are identified as having a high probability of occurring, implement reasonable and appropriate safeguards to lower the probability to an acceptable level
- Addressing Third-Party Security through Contracts or Service Provider Agreements: Control potential risks created by third parties through the use of contracts that require third parties to implement reasonable and appropriate safeguards when they process, store, use, or transmit organizational assets
- Training: Train students, faculty, staff, and third parties on policies and procedures and other safeguards and security practices to protect organizational assets
- Monitoring and Testing: Regularly monitor and test the effectiveness of implemented safeguards against known or potential risks
- Reviewing and Revising the Information Security Program: Review and revise the information security program when safeguards are no longer effective against known or potential risks

The above steps represent a commonly accepted process for security of information and other assets within an organization. It is a process found in HIPAA and 21 C.F.R. Part 11 and GLBA. The process has been adopted in the consent orders issued as a result of FTC actions. It is also found in the contractually required PCIDSS. Rather than mandate specific security measures, each of these laws and regulations advocates the process of assessment and analysis and selection of safeguards that are appropriate for a set of potential risks.

The lack of hard-and-fast rules regarding which specific information security measures an institution should implement to satisfy its legal obligations has puzzled many lawyers and compliance officers. Security professionals are more comfortable with the emerging information security legal standard because for years, they have implemented measures that are reasonable when measured against identified risks to achieve the desired level of security. Since this process is the same under all U.S. information security laws and regulations, compliance with all may be achieved by undertaking a unified approach to information security compliance.

Meeting the Emerging Legal Standard through a Unified Approach

Institutions that follow a unified approach to information security compliance will be ensured of an efficient and cohesive method to achieve and maintain information security protections. As mentioned above, a unified approach is effective because HIPAA, the FTC regulations for GLBA, 21 C.F.R. Part 11, PCIDSS, and the laws on notice of security breach (e.g., California's SB 1386) specify or suggest many of the same security risk analyses and management practices (see Table 1).[5] Again, by using a unified approach to information security compliance, institutions subject to multiple information security laws, regulations, and guidelines will be able to comply with all of them at one time. This is accomplished by determining which laws and regulations are applicable, conducting a risk analysis that covers those laws and regulations, and then implementing at least the minimum level of required safeguards. When there are conflicting state laws, as found in the notice of security breach laws, compliance should focus on the most stringent law applicable to the affected data subjects.

Table 1. Suggested Safeguards

Columns: Security Practice (e.g., ISO or NIST 800) | HIPAA Standards | GLBA (FTC Regulations) | 21 C.F.R. Part 11 | PCIDSS | Laws on Notice of Security Breach (Guidelines)

Administrative Safeguards
- Security Management Process (e.g., risk analysis, risk management, periodic reviews of effectiveness)
- Assigned Security Responsibility (e.g., partial or complete assignment of responsibility for protection of information) X
- Workforce Security (e.g., authorization and/or supervision of workforce or contractors, clearance and termination procedures)
- Management of Information Access
- Security Incident Procedures X
- Contingency Planning (e.g., data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, applications and data criticality analysis) (in general terms) X
- Evaluation (e.g., opinion of compliance) X X X
- Contracts (e.g., extension of information security through contracts or other written arrangement) X
- Security Awareness and Training (e.g., security reminders, training on malicious software protection, log-in monitoring and password management)
- Facility Access Controls (e.g., contingency operations, facility security plan, access control and validation procedures, maintenance records)
- Physical Safeguards (in general terms) X
- Workstation Use and Security (in general terms) X
- Device and Media Controls (e.g., disposal, media reuse, accountability) X

Technical Safeguards
- Access Controls (e.g., unique user identification, emergency access procedure, automatic logoff, encryption and decryption)
- Audit Controls
- Integrity Controls (e.g., mechanism to authenticate data)
- Person or Entity Authentication
- Transmission Security (e.g., integrity controls or encryption)

A Typical Information Security Compliance Assessment

To demonstrate how a unified approach works, this section describes the steps in a typical approach to conducting an information security compliance assessment (see Figure 1).

Figure 1. A Typical Information Security Compliance Assessment (Steps 1 through 7, drawing on NIST/ISO security standards, requirements, documentation review, and interviews)

Step 1: Ascertain Applicable Laws and Regulations

The first step in the process is to determine the laws, regulations, and guidelines applicable to the institution. As the foregoing discussion on the growing number of laws and regulations illustrates, this is an important preliminary step. This determination not only will assist in preparing the project plan but also will guide the person conducting the assessment in selecting the information to be collected and the type of risk analysis that should be performed.

Identifying the appropriate law is not always a straightforward process. Depending on their activities and operations, higher education institutions can be affected by a number of laws. In addition, some regulations apply only to specific departments or activities within an institution. In other cases, one or more state laws on the same subject may be applicable.

Once the applicable law is determined, an appropriate information security risk analysis model, such as ISO or NIST 800 Series, should be selected. The model to be used will depend on the applicable laws and regulations, as well as the information security goals of the institution.

The following are some of the threshold questions that should be asked:

- Are student records kept electronically? What type of information is stored?
- Does the higher education institution provide health care services to students, faculty, and staff?
- Are electronic transactions used for payment or other purposes?
- Does the higher education institution use credit cards for payment purposes?
- What type of research information is stored on computer systems?
- Is this information centralized, or is it dispersed across the institutional system?
- Does the higher education institution conduct research that directly involves electronic filings with the FDA?
- What state notice of security breach laws may be applicable?
- Does the university or college have international campuses? If so, what types of personal information are transferred between the U.S. and foreign facilities?

Step 2: Prepare the Project Plan

After the legal and regulatory requirements are identified, a thorough project plan is prepared. This document is used to guide the project, providing schedules, tasks, and milestones. The project plan will identify resources and include periodic briefings and reports to the administration and other stakeholders.

Step 3: Gather Information and Identify Assets

Information gathering includes the identification of assets to be protected, document review, and interviews with both management and other stakeholders. The individuals who are interviewed may be department personnel, IT staff, senior management, legal counsel, audit and compliance personnel, risk management staff, and facilities management personnel. The scope of the interviews will differ slightly, depending on the state, federal, and international laws and regulations that are applicable.

The discovery process will review technical, physical, and administrative security practices. Technical security includes vulnerability scanning and configuration analysis, as well as assessment of system policies and network architectures. Physical security includes the protection of information security facilities, the safeguarding of portable media and laptop computers, and media disposal practices. Administrative security includes information security infrastructure, governance, management effectiveness, policies and procedures, and existing compliance efforts.
Information gathered in this step also includes written policies and procedures, Internet policies and procedures, sanctions and disciplinary procedures, and other documents evidencing institutional efforts to protect personal information, documents such as business associate contracts, procedures for assigning, modifying, or removing access rights, and password-management policies.

In addition to the threshold legal inquiries stated above, the discovery process should, at a minimum, cover the following areas:

- The individual(s) responsible for information privacy and security within the institution
- Information and other assets that the institution needs to protect in order to ensure continued business operations
- How the information security function is structured within the institution; how policies and procedures are to be implemented and integrated with current compliance activities
- How well departments work together to ensure that information security practices are uniform; which third parties have access to the institution's information system
- What type of personal information is used and disclosed by the institution
- What contractors and other organizations receive personal information from the institution
- The future plans and proposed budget for improving information security within the institution
- How change management methodologies can be optimized to implement a comprehensive information security compliance program

Step 4: Perform Risk Analysis

In this step, the information gathered in Step 3 is integrated into the selected risk analysis. The quality and effectiveness of risk analysis results will depend heavily on how well Step 3 was accomplished. The risk analysis includes technical, administrative, and physical security, including organizational considerations and third-party contracts (e.g., business associate contracts, service provider agreements). In this way, compliance requirements for third-party contractors are integrated into the overall information security compliance efforts. Current contracts are reviewed, and if necessary, model third-party contracts containing necessary safeguard provisions are provided.

Step 5: Report Findings and Recommendations

The results of the risk analysis are documented in a risk analysis report in this step. The report should list identified threats and vulnerabilities, as well as the safeguard selection criteria. To demonstrate due diligence, the report should include and reference specific portions of the applicable security regulations. To maximize effectiveness, the risk analysis report should also contain a plan and a schedule for implementing the changes necessary to enhance information security and to attain compliance with applicable laws and regulations.
Step 6: Prepare the Implementation Plan for Selected Safeguards

The implementation plan provided in the risk analysis report is put into effect in this step. The plan should encompass all the safeguards identified in the risk analysis and also include procedures for the selection of security system vendors and the installation of security equipment.

At this stage of the compliance process, it is important to integrate those measures implemented for information security compliance with other compliance efforts currently under way within the institution, including those required by other state and federal laws. The integration of compliance programs will ensure uniformity and avoid redundancy. For example, time, money, and other resources may be saved by using existing policies and procedures to comply with the information security regulations.

A key safeguard is information security training. Students, faculty, and staff require training to be educated on their responsibilities concerning safe and secure information-processing practices. Training should also include timely and periodic updates to emerging U.S. and state information security laws.

Step 7: Periodically Monitor, Test, Review, and Modify the Information Security Program

Information security operations and management are ongoing processes. Given the changing nature of technology, institutions should regularly monitor and test the effectiveness of implemented safeguards against known or potential risks. Doing so involves testing areas of the network or applications against emerging risks and suggesting corrective action when vulnerabilities are discovered. Institutions should also perform periodic risk analysis to validate that safeguard selection and implementation features continue to be reasonable, appropriate, and effective.

Special Considerations in Following a Unified Approach

The environment at colleges and universities has not been conducive to the centralized management of information security, due mainly to historical and practical considerations.
This point is stated often in the 2003 EDUCAUSE Center for Applied Research (ECAR) study Information Technology Security: Governance, Strategy, and Practice in Higher Education, which notes:

"In many collegiate environments, particularly larger ones, a decentralized culture is the norm. As a result, individual schools, laboratories, and departments may control a portion of any or all of the previously mentioned IT assets, making the job of the IT security administrator much more difficult. Rather than being able to automatically push new security patches out to all devices on the network or mandate the use of security tools like virus protection software, many university IT security officers find they must educate and persuade their user community to keep their machines secure."[6]

Nevertheless, the only way toward an effective institution-wide information security program is to be certain that all system users understand and follow basic and sound information security practices. Rather than imposing a centralized information security model as found in corporate IT departments, many higher education institutions are following a model referred to as "embraced autonomy." Under the embraced autonomy model, campuses and other constituents work with an Information Security Officer (ISO) or other central authority to assess and implement reasonable and appropriate information security practices. This requires participation by campuses, branches, colleges, departments, and offices within the institution.

Although the exact approach to be followed will depend on the organizational structure of each higher education entity, this model often utilizes an information security committee comprising all key data holders, users, and processors. Once the scope of the institution-wide information security program is identified, the standards to be implemented must be identified through a collaborative process, usually led by the ISO. In this way, all stakeholders will be more likely to accept the policies, procedures, and guidelines. Implementation of the standards is managed locally, with assistance from the ISO, who takes action only if the local implementation is not accomplished according to standards.

Conclusion

The increased number of government-mandated and private contractual information security requirements has caused higher education security professionals to view information security as another aspect of regulatory or contractual compliance. The existence of fines, penalties, or loss (including bad publicity) has also increased the incentive to implement comprehensive information security practices.

By adopting a unified approach to information security compliance, higher education institutions will be able to effectively manage the growing number of information security compliance programs. This approach begins by reviewing all of the information security requirements imposed by the emerging statutory, regulatory, and contractual legal standards. These standards are then compared with the more established national and international information security standards. After a thorough risk assessment and analysis, the legal standards and the information security standards are blended to create a complete information security compliance program. A unified approach to information security compliance thus enables colleges and universities not only to address identified risks but also to comply with the law.

Notes

1. A Chronology of Data Breaches Reported since the ChoicePoint Incident, Privacy Rights Clearinghouse Web site, < org/ar/chrodatabreaches.htm>, July 25,
2. In re Sunbelt Lending Services, FTC, File No (November 16, 2004); In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC File No (April 15, 2005); In re Superior Mortgage Corp., FTC, File No (September 28, 2005).
3. These thirty-two states are Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Washington, and Wisconsin.
4. Warning Letter from the FDA Detroit District Office to Earlham College, July 29, 2002, <http://www.fda.gov/foi/warning_letters/g3419d.pdf>.
5. FERPA is not included in this table because it does not have any specific security laws or regulations and will default to the ISO or the NIST 800 series.
6. Robert B. Kvavik and John Voloudakis, Information Technology Security: Governance, Strategy, and Practice in Higher Education, EDUCAUSE Center for Applied Research (ECAR) Study, vol. 5 (2003), < LibraryDetailPage/666?ID=ERS0305>, p. 25.


More information

Handling. Collection Calls

Handling. Collection Calls Hadlig the Collectio Calls We do everythig we ca to stop collectio calls; however, i the early part of our represetatio, you ca expect some of these calls to cotiue. We uderstad that the first few moths

More information

INDEPENDENT BUSINESS PLAN EVENT 2016

INDEPENDENT BUSINESS PLAN EVENT 2016 INDEPENDENT BUSINESS PLAN EVENT 2016 The Idepedet Busiess Pla Evet ivolves the developmet of a comprehesive proposal to start a ew busiess. Ay type of busiess may be used. The Idepedet Busiess Pla Evet

More information