Educause Security Discussion mailing list archives

Re: laws/regulations to comply with


From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 4 Dec 2008 11:00:30 -0700

There are thousands of state, federal, and international laws that apply to your interaction with other people whenever 
you are gathered in a group.  Might these not be applicable in the right situation or context?  How can you be 
"compliant" with them all, particularly when they are often contradictory?

A comprehensive list is a fool's errand; it simply can't be done effectively.  Don't duplicate what exists elsewhere, 
reference it.

It may be useful for you to ask this question, maybe in a different way, on the ICPL list that is dedicated to policy 
and law issues.  How do the lawyers find their comprehensive lists?  


A priority list is another issue; I think you can achieve something of that sort, but again it is contextual.  Priority 
here at CU is very much influenced by the degree we emphasize research as an institutional goal and priority.

Perhaps put some bounds around your question (e.g. most important security/compliance policies, federal registers, 
research/human resource/financial, ? ...)

I suggest you identify your campus legal, compliance, contracting/purchasing, controllers, campus communications, 
environmental health and safety, and perhaps research/contracts/grants organizations and find out what their short list 
of most important items is.  There are always more laws that will in the right situation become "need to comply" 
issues.  I think we are up to 43 or more states with privacy laws that project/accompany their citizens.  Do you want 
to list those?  When a breach includes someone from California, do you know what your responsibilities are there?  What 
if it included students from Georgia, or maybe from France?

I'm really not trying to be unhelpful here; what I think will help you the most is to construct this list in the 
context of your primary institutional goals and objectives, not simply from a long list of possibilities, because the 
list is virtually infinite.  I'm speaking from experience here: a few years ago I tried this, and it became a fiasco, 
as has the overall attempt to control all liability through specific targeted policies and training.  A good conceptual 
cross-walk with general objectives that reflect the key requirements of your organization will likely be much more 
effective and manageable.

Jim


-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu        303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Youngquist, Jason R.
Sent: Thursday, December 04, 2008 8:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] laws/regulations to comply with

We are working on writing more formalized policies for the institution.  What I'm looking for is a comprehensive set of 
laws/regulations that an institution such as a college might need to comply with.  For example, HIPAA, PCI, Red Flag, 
FERPA, GLBA, CALEA, state & federal laws, etc.  Is there any definitive list somewhere, or does anyone have any 
additional suggestions?


Thanks.
Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu