TRAINING AS A ROAD TO COMPLIANCE ~ The 1st Year Experience ~ Lessons Learned. Joanne McDevitt, System-Wide Management Training and Compliance Officer, University of Colorado. EDUCAUSE Conference 4/12/07.
Universities are responding to an avalanche of training requirements, recommendations, and best practices, all of which cite training as an important indicator of a good compliance program.
The amended FSG (Federal Sentencing Guidelines for Organizations) retain the original compliance framework based on the seven essential elements of an effective compliance program.
The amended FSG also emphasize the role of organizational leaders (the Regents and the President of the University) in compliance program accountability: they are expected to be knowledgeable about the compliance program and to exercise reasonable oversight of it.
Legal, Regulatory, and External Requirements:
ISO 17799, the "Code of Practice for Information Security Management", is a highly regarded international resource for information security practices and is often consulted when new laws and regulations are drafted (it was renumbered ISO/IEC 27002 in 2007). This set of best practices was used as a guide for developing the University system's IT security policies.
Business impact costs include business interruption costs, fines, penalties, and/or settlements:
Large fines, penalties, and settlements may be imposed for non-compliance.
Compliance – It is prudent to invest effort at the front end to avoid audits by external agencies, which are labor intensive and costly to the institution.
Avoid negative publicity and the public's loss of confidence in the organization.
From Recent Headlines:
"Johns Hopkins data loss prompts legislative effort," Baltimore Sun, February 11, 2007.
The HIPAA Security Rule was developed to establish national standards for HIPAA covered entities. The Rule institutionalizes the foundations of computer information security: confidentiality, integrity, and availability. The Security Rule was purposely written to be technology-neutral and scalable to cover entities of any size. As stated in National Institute of Standards and Technology (NIST) Special Publication SP 800-66, the Security Rule's requirements fall into three main categories of safeguards: administrative, physical, and technical.
The NSF-funded CIFAC research report emphasizes that training is the best way to minimize IT security breaches.
The Computer Incident Factor Analysis and Categorization (CIFAC) Project was led by Virginia E. Rezmierski, Ph.D., University of Michigan.
The Need to Comply with the Security Rule
Lesson 2 – Plan Strategically
Lesson 3 – Complete a Risk Assessment and a Compliance Training Needs Survey
Lesson 4 – Communicate the Reason for the Training Requirements
Lesson 5 – Adjust the Training Model for the Circumstances
Lesson 6 – Remember, Not Everyone Needs to Know Everything
Lesson 7 – Build Incentives into the Training Program
Lesson 8 – Build Infrastructure – Stretch Your Existing Resources
Lesson 9 – Communicate and Coordinate
Lesson 10 – Don't Reinvent the Wheel
Light at the End of the Road…
If you would like to be enrolled in CU's web training program, please contact me:
Joanne McDevitt, Associate Vice President, System-Wide Management Training and Compliance Officer
1380 Lawrence St., Suite 1325
Denver, CO 80204
E-mail: [email protected]