1 / 32

Training as a Road to Compliance - The 1st Year Experience: Lessons Learned

This presentation discusses the mounting requirements, recommendations, and best practices universities are facing in terms of training as a key indicator of a good compliance program. It covers topics such as the Sarbanes-Oxley Act, the Amended Federal Sentencing Guidelines, sources of training requirements, and information privacy and security laws.

gilberth
Download Presentation

Training as a Road to Compliance - The 1st Year Experience: Lessons Learned

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TRAINING AS A ROADTO COMPLIANCE~The 1st Year Experience ~Lessons Learned Joanne McDevitt System-Wide Management Training and Compliance Officer University of Colorado EDUCAUSE Conference 4/12/07

  2. Lesson 1 -Training is here to stay – Mounting Requirements, Recommendations, and Best Practices Universities are responding to an avalanche of training requirements, recommendations, and best practices – all citing training as an important indicator of a good compliance program.

  3. Sarbanes-Oxley Act (SOX) • SOX is not specifically applicable to non-profits, but some universities adopt its basic principles as best practices. • SOX focus on organizational ethics and compliance influenced the 2004 Federal Sentencing Guidelines amendments which provide a framework for a comprehensive compliance program for all organizations. • SOX includes specific IT security requirements

  4. Amended Federal Sentencing Guidelines (FSG) of 2004 The amended FSG guidelines retain the original compliance framework based on the seven essential elements: • Organization establishes compliance standards and procedures; • Organization’s governing board and CEO are knowledgeable about the compliance and ethics program and exercise reasonable oversight; • Careful delegation and due care in hiring/screening employees;

  5. Amended Federal Sentencing Guidelines (FSG) of 2004 - continued • Organization takes reasonable steps to communicate its standards and procedures in all aspects of compliance program and conducts effective training programs related to individual’s respective roles and responsibilities; • Organization takes reasonable steps to ensure that the compliance and ethics program is followed including monitoring, auditing and hot lines; • Organization’s compliance and ethics program is promoted and enforced and promoted consistently throughout the organization including appropriate incentives and disciplinary measures; • Make modifications to organization’s compliance program as necessary.

  6. Amended Federal Sentencing Guidelines (FSG) of 2004 - continued Amended FSG Emphasizes Role of Organizational Leaders (Regents and President of the University) for Compliance Program Accountability – Knowledge of the Compliance Program and Reasonable Oversight • Governing Board • Organizational Leadership • Specific individuals with program responsibility

  7. Amended FSG Emphasizes Ongoing Risk Assessment and Program Modification • Organizations shall conduct ongoing risk assessments • Take appropriate steps to design, implement, and modify each of the seven essential program elements to reduce the risk of violations of the law

  8. FSG Training – Effective Training Programs – Sources of Training Requirements • Mandatory training requirements from law and regulation • University’s policy mandates  • Internal audit requirements  • External audit requirements • Best practices – ex. Title VII – use of the affirmative defense in litigation • Experiences of other institutions • Opinion of our internal area experts • Audit work plans of the funding agencies, for example, HHS, NIH, FDA, and NSF. • Avoiding fines and penalties • Avoiding negative headlines • Reducing business response costs • Benchmarking of practices at other universities

  9. Information Privacy and Security Laws Legal, Regulatory, and External Requirements: • CRS 24-37.5-404.5 Institutions of Higher Education Information Security Plans. • Gramm-Leach-Bliley Act (GLBA), Security Rule. • Payment Card Industry Data Security Standard (PCIDSS). • Health Insurance Portability and Accountability Act (HIPAA), Security Rule.

  10. Information Privacy and Security – Industry Practices ISO 17799 – “Code of Practice for Information Security Management” is a highly regarded international resource for information security practices and is often consulted when new laws and regulations are drafted. This set of best practices was used as guide for developing the University system’s IT security policies.

  11. Information Privacy and Security Policies Internal Requirements: • The Laws of the Regents, Section 14.A.4. • Web Application and Interfaces Audit Report (2006). • HIPAA Security Rule, Specific Issues Audit Report (2005).

  12. Information Privacy and Security Policies-continued Internal Requirements: • APS “IT Security in Personnel Job Descriptions, Responsibilities, and Training.” • APS “IT Security in University Operations, Continuity, and Contracting.” • APS “IT Security Program Policy.” • APS “IT Resource User Responsibilities.”

  13. Privacy and Security Breaches - Business Impact Costs Business impact costs include business interruption costs, fines, penalties, and or settlements: • The fines themselves may be the minimal part of the cost for security breaches to the institution. • In working through and communicating an individual breach, the cost in time and effort expended for a number of highly skilled, highly compensated, and typically busy/fundamentally important positions combined with external service provider fees ( hired security companies doing forensic work, etc.), and mailings/communications will much outweigh the cost of the fines.

  14. Privacy and Security Breaches - Business Impact Costs - continued Large fines, penalties, and settlements may be imposed for non-compliance.

  15. Privacy and Security Compliance - Avoiding Federal Audits and Huge Expenditure of Time and Resources Compliance – It would be prudent to work at the front end to avoid audits by external agencies which are labor intensive and costly to the institution. • Health and Human Services HIPAA Audit Example: • Summary: The Department of Health and Human Services, Office of the Inspector General served notice of their intention to perform an audit of a Hospital’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The objective of the audit is to determine the Hospitals’ level of compliance with the technical safeguards provision of the HIPAA Security Rule relating to network security. During the audit, they will require access to sensitive or confidential information. The HIPAA Security rule requires all covered entities to protect the confidentiality, integrity, and availability of electronic protected health information created, received, maintained, or transmitted by covered entities. HIPAA defines covered entities as health plans, health care providers, and health care clearinghouses. • Note that the entrance conference with the OIG was scheduled 10 days subsequent to the notice being served by HHS, and requested 43 documents as a preliminary request.

  16. Privacy and Security – Don’t Be the Next Headline Avoid Negative Publicity and the Public’s Loss of Confidence in the Organization. “JohnsHopkins data loss prompts legislative effort,” Baltimore Sun, February 11, 2007. • “The loss of computer tapes containing personal information on more than 135,000 Johns Hopkins employees and patients - the data possibly tossed in a trash bin - is spurring consumer protection bills in Annapolis, including one to force prompt disclosure of such breaches.” • “This is a bigger problem than most consumers or organizations even understand," said Troy Allen, chief fraud solutions officer at Kroll, a risk-consulting firm. "What you actually see out there is a very small subset of what's going on." • “…if it can happen at Johns Hopkins, Baltimore's top-rated university and hospital, legislators and consumer advocates worry, it could be happening anywhere. “

  17. Privacy and Security – Don’t Be the Next Headline From Recent Headlines: • December 12, 2006 – University of California, Los Angeles.Hacker(s) gained access to a UCLA database containing personal information on current and former students, current and former faculty and staff, parents of financial aid applicants, and student applicants, including those who did not attend. Exposed records contained names, SSNs, birth dates, home addresses, and contact information. 800,000 records exposed. • December 12, 2006 – University of Texas, Dallas. The University discovered that personal information of current and former students, faculty, and staff may have been exposed by a computer network intrusion – including names, SSNs, home addresses, phone numbers and e-mail addresses. The number of people affected was first thought to be 5,000, but was increased to 35,000 records exposed as of 1/19/07. • January 11, 2007 – University of Idaho, Advancement Services office. Over the Thanksgiving weekend, 3 desktop computers were stolen from the Advancement Services office containing personal information of alumni, donors, employees, and students. 331,000 individuals may have been exposed with as many as 70,000 records containing SSNs, names and addresses.

  18. Federal Sentencing Guidelines - Effective Training ProgramsRelated to Individuals’ Roles and Responsibilities • Integrate training with HR performance management system – performance planning and evaluation: assess training requirements, training effectiveness and changes in organizational behavior and skill set. • Coordination with organization’s supervisors to effectuate needed changes in organizational behavior to align with the University’s strategic objectives.

  19. Internal Audit – The HIPAA Security Rules The HIPAA Security Rule was developed to promote national standards for HIPAA covered entities. The Rule institutionalizes the foundations of computer information security: confidentiality, integrity, and availability. The Security Rule was purposely written to be technology-neutral and scalable to encompass covered entities of any size. As stated in the National Institute of Standards and Technology (NIST) Special Publication SP 800-66, the Security Rule has three main categories: • Administrative Safeguards • Physical Safeguards • Technical Safeguards

  20. Internal Audit – The HIPAA Security Rules – Flagging the Need to Comply with the Security Rule • Possible negative consequences associated with an event that exposes personally identifiable information, especially if the university was in non-compliance with HIPAA or other laws/regulations at the time of the event: • Fines from Visa USA for failure to comply with their Cardholder Information Security Program standards for protecting credit card information, in addition to compliance audits by an external company; • Costs of notifying possibly tens of thousands of people that their information may have been stolen; • Enforcement actions from governments and the injured parties; • Loss of reputation and bad publicity; • Possible reduction in future research funding by public companies and the federal government; • The cost of mounting a legal defense.

  21. Training is the Way to Avoid Security Breaches NSF funded CIFAC Research Report emphasizes that training, is the best way to minimize IT security breaches. • “As a cause of computer-related incidents, researchers concluded that for both of the CIFAC study samples, lack of or deficiency of training/education played an important role in causing computer incidents.” • “Training/education and requirements for IT managers and staff and for non IT staff members is an important – perhaps critical – process to be addressed to eliminate the cause of many of the systems and data incidents, as well as the most serious of the incidents that are occurring.” • “The findings of this study are clear. Having policies in place, making people aware of the requirements and policies, reinforcing them through education and good procedures, and providing training and education were identified by CIFAC respondents as among the most important steps that could be taken to prevent the computer-related incidents that are occurring in colleges and universities. These are the places for IT resource expenditure on campuses.” The Computer Incident Factor Analysis and Categorization (CIFAC) Project was lead by Virginia E. Rezmierski, Ph.D., University of Michigan.

  22. Lesson 2 – Plan Strategically • Align training with institutional (mission) message/values statement • Promote compliance accountability – “knowing what to do/doing the right thing” • Standards of Conduct – include information privacy and security • Align with institutional risk assessment, audit recommendations, legal obligations, and gap analysis • Align with industry standards/benchmarking what other institutions are doing • Consider compliance audits of agencies: for example, HHS Audit of HIPAA Security Rules.

  23. Lesson 3 – Complete a Risk Assessment and a Compliance Training Needs Survey • Identify key areas for compliance training • Identify and understand what training you have and what you need • Identify the compliance training gaps • Evaluate against legal and policy requirements for higher education

  24. Lesson 4 – Communicate the Reason for the Training Requirements • Let faculty and staff understand why you need to do training – why it is required • Don’t be a well kept secret --let employees know up front why they need training – laws, regulations, audits, policies, etc. • Adequate and clear communication helps dispel misplaced notion of administration running amuck or “overcorrecting” for a publicized problem

  25. Lesson 5 – Adjust the Training Model for the Circumstances • Continue with hybrid model (site and web-based training) • Open to developing and delivering via web • CU – incorporated web-based training as part of its portfolio • 36 courses (color-coded chart) • 5-6 web libraries in high risk areas • Internal process –10 step development process • Advantages of web training • Deliverable on demand - available 24/7; • More convenient for employees • Money is saved for travel, instructor, classroom and packaging/distribution costs. • Training can be customized and tailored to the institutions culture and needs. • Content is instantly updateable without republishing manuals, etc. • Provides standardized training ensuring a consistent message across the institution; • Decreases time employees are away from their jobs. • Reach large numbers of employees with mission-critical information • Don’t overdo • Build on successes/what works  -- discard approaches that have been less successful • Ask for feedback and listen to the feedback • Adjust the training depending on the feedback

  26. Lesson 6 – Remember, Not Everyone Needs to Know Everything • Determine what training is needed based on employee’s position/job responsibilities • Focus on required training for a “Role”

  27. Lesson 7 – Build incentives into training program • “Build it and they will come” – not necessarily true • Consider ways for training to “count” within the organization • Talk with faculty governance – • Build into performance planning and evaluation • “The Hammer” --- prerequisites/requirements • don’t get access to university e-mail, computer or systems without privacy and security training

  28. Lesson 8 – Build infrastructure —stretch your existing resources • Be sure your IT/portal people are at the table—you will need them to advise you • Connecting data systems, special programming • Data management -- issues are BIG • Once position based training requirements are identified, determine where to store information and how to access it • Involve ISO and CPO – control for privacy and security risks • Track completion data by position and person • Build easy system for accessing and managing data • User-friendly reports --- can be run for employees, departments, colleges, units, etc. • Analyze IT solutions --- recognize tipping point – when pushing existing systems beyond capabilities or design intent

  29. Lesson 9 – Communicate and Coordinate • Don’t be the best kept secret! • Coordinate rollouts of training – don’t have same training deadlines • Notice – give some • Don’t be the latest e-mail with yet another training requirement • Sound organized • Better yet be organized!

  30. Lesson 10 – Don’t reinvent the wheel • Look to colleagues/universities who are actively engaged in compliance awareness and training • Look to professional organizations (NACUA, EDUCAUSE) who may have training/resource materials • Consider collaboration with others around issues of mutual interest • Develop business plan -- reduce your overall costs of web development through partnerships, collaborations (probably won’t be free but will be cheaper than starting from scratch!)

  31. Light at The End of the Road…….

  32. Good Luck! If you would like to be enrolled in CU’s web training program, please contact me: Joanne McDevitt Associate Vice President System-Wide Management Training and Compliance Officer 1380 Lawrence St., Suite 1325 Denver, CO 80204 Phone: 303-556-4339 Fax: 303-825-7630 E-mail: joanne.mcdevitt@cudenver.edu WD #17724

More Related