Educause Security Discussion
mailing list archives
Re: laws/regulations to comply with
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 4 Dec 2008 11:00:30 -0700
There are thousands of state, federal, and international laws that apply to your interaction with other people whenever
you are gathered in a group. Might these not be applicable in the right situation or context? How can you be
"compliant" with them all, particularly when they are often contradictory?
A comprehensive list is a fool's errand; it simply can't be done effectively. Don't duplicate what exists elsewhere.
It may be useful for you to ask this question, maybe in a different way, on the ICPL list that is dedicated to policy
and law issues. How do the lawyers find their comprehensive lists?
A priority list is another issue; I think you can achieve something of that sort, but again it is contextual. Priority
here at CU is very much influenced by the degree we emphasize research as an institutional goal and priority.
Perhaps put some bounds around your question (e.g. most important security/compliance policies, federal registers,
research/human resource/financial, ? ...)
I suggest you identify your campus legal, compliance, contracting/purchasing, controllers, campus communications,
environmental health and safety, and perhaps research/contracts/grants organizations and find out what their short list
of most important items is. There are always more laws that will in the right situation become "need to comply"
issues. I think we are up to 43 or more states with privacy laws that project/accompany their citizens. Do you want
to list those? When a breach includes someone from California, do you know what your responsibilities are there? What
if it included students from Georgia, or maybe from France?
I'm really not trying to be unhelpful here; what I think will help you the most is to construct this list in the
context of your primary institutional goals and objectives, not simply from a long list of possibilities, because the
list is virtually infinite. I'm speaking from experience here: a few years ago I tried this, and it became a fiasco,
as has the overall attempt to control all liability through specific targeted policies and training. A good conceptual
cross-walk with general objectives that reflect the key requirements of your organization will likely be much more
effective and manageable.
-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Administrative Systems and Data Services
jim.dillon () colorado edu 303-735-5682
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of
Youngquist, Jason R.
Sent: Thursday, December 04, 2008 8:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] laws/regulations to comply with
We are working on writing more formalized policies for the institution. What I'm looking for is a comprehensive set of
laws/regulations that an institution such as a college might need to comply with. For example, HIPAA, PCI, Red Flag,
FERPA, GLBA, CALEA, state & federal laws, etc. Is there any definitive list somewhere or does anyone have any
Information Technology Security Engineer
1001 Rogers Street, Columbia, MO 65216
jryoungquist () ccis edu