Educause Security Discussion mailing list archives
Re: Does the Sarbanes-Oxley Act apply to Higher Ed too?
From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Mon, 29 Sep 2003 13:50:51 -0600
Thanks all,

That agrees with what I've been able to find on the Web this morning. I couldn't find any clarification by the FTC regarding Sarbanes-Oxley applicability to Higher Ed. If someone has a link to an FTC clarification ref. Sarbanes-Oxley maybe they could pass it on. The FTC did clarify the applicability of Gramm-Leach-Bliley earlier.

It appears that many institutions of higher ed are taking Sarbanes-Oxley to heart so that they are indeed "doing the right thing".

I found some interesting reading at the links below. I got the first one from someone on this list.

Sarbanes-Oxley: How Will It Affect Nonprofits and Higher Education Institutions? (An Interview with Jack McCarthy and John Mattie)
http://www.pwcglobal.com/extweb/newcolth.nsf/docid/08F02B1B23D455E385256C9C00679322

The Sarbanes-Oxley Act and Higher Education National Conference
Austin, Texas. October 1, 2003
http://www.utsystem.edu/compliance/conferences/homepage.html

National Association of College and University Attorneys - check list
http://www.centeronline.org/files/Content3/AssocModelSamples/NACUASarbanesOxleyChecklist.doc

Also some interesting miscellaneous info at
http://www.nacubo.org/public_policy/advisory_reports/

The NACUBO advisory ref. Gramm-Leach-Bliley is at:
http://www.nacubo.org/public_policy/advisory_reports/2003/2003-01.pdf

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

Mary Shaffer wrote:
This issue was raised at our campus and I was advised by our legal counsel that our systemwide legal counsel and the National Association of Colleges and Universities (NACUA) have concluded that higher education institutions are not legally obligated to comply with the provisions of the Sarbanes-Oxley Act of 2002.

FYI, Mary

"David L. Wasley" wrote:

Well, IANAL (I am not a lawyer) but the Act begins with the statement:

"To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."

I've interpreted that to mean "publicly traded corporations" which would not apply to a state institution such as UC. However, that last little clause might augment the interpretation - i.e. to any corporation that claims to be acting in the public interest or for the public benefit.

In any case, we should be 'doing the right thing' regardless of what a particular law requires. I think executive level sign off on IT security requirements and implementations makes a lot of sense. I think too often it's one of those 'won't fix the roof until the horse has left the barn' sort of issues...

David

-----
At 9:50 AM -0600 on 9/29/03, Clyde Hoadley wrote:

I know several institutions of Higher Education were taken off guard by Gramm-Leach-Bliley. Does the Sarbanes-Oxley Act apply to Higher Ed too? If so, how?

Title: Security and Sarbanes-Oxley
Source: SearchSecurity
Date Written: September 25, 2003
Date Collected: September 26, 2003

The Sarbanes-Oxley Act, which was signed into law by President Bush on July 30, 2002 and will take effect in 2004 and 2005, was meant to deal with a variety of corporate governance issues, making upper management accountable for a company's actions. A by-product of the Act may be to involve senior management in information security. Under the Act, CEOs and CFOs are mandated to attest that their companies have proper "internal controls" in place. Internal controls are widely interpreted to include adequate data and network security, thereby forcing senior executives to sign off on IT security issues. Security product vendors view the Act as an opportunity to sell their wares, but no single product currently exists that guarantees compliance. In the long term, the Act may help improve security, testing and awareness.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci929451,00.html

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.

--
========================================================================
From: Mary Shaffer
Policy/Program Assurance - Office of the CIO
Information Technology Services
California Polytechnic State University
San Luis Obispo, California 93407
OFFICE: 14-113C
E-MAIL: mshaffer () calpoly edu
PHONE: 805-756-5538
FAX: 805-756-2000
IT POLICIES: http://www.calpoly.edu/computing/policy.html
========================================================================