Educause Security Discussion mailing list archives
Re: laws/regulations to comply with
From: Jim Dillon <Jim.Dillon () COLORADO EDU>
Date: Thu, 4 Dec 2008 11:00:30 -0700
There are thousands of state, federal, and international laws that apply to your interaction with other people whenever you are gathered in a group. Might these not be applicable in the right situation or context? How can you be "compliant" with them all, particularly when they are often contradictory? A comprehensive list is a fool's errand; it simply can't be done effectively. Don't duplicate what exists elsewhere, reference it.

It may be useful for you to ask this question, maybe in a different way, on the ICPL list that is dedicated to policy and law issues. How do the lawyers find their comprehensive lists?

A priority list is another issue. I think you can achieve something of that sort, but again it is contextual. Priority here at CU is very much influenced by the degree we emphasize research as an institutional goal and priority. Perhaps put some bounds around your question (e.g. most important security/compliance policies, federal registers, research/human resource/financial, ? ...). I suggest you identify your campus legal, compliance, contracting/purchasing, controllers, campus communications, environmental health and safety, and perhaps research/contracts/grants organizations and find out what their short list of most important items is.

There are always more laws that will in the right situation become "need to comply" issues. I think we are up to 43 or more states with privacy laws that project/accompany their citizens. Do you want to list those? When a breach includes someone from California, do you know what your responsibilities are there? What if it included students from Georgia, or maybe from France?

I'm really not trying to be unhelpful here. What I think will help you the most is to construct this list in the context of your primary institutional goals and objectives, not simply from a long list of possibilities, because the list is virtually infinite.
I'm speaking from experience here; a few years ago I tried this, and it became a fiasco, as has the overall attempt to control all liability through specific targeted policies and training. A good conceptual cross-walk with general objectives that reflect the key requirements of your organization will likely be much more effective and manageable.

Jim

-----------University of Colorado--------------
Jim Dillon, CISA, CISSP
Program Manager
Administrative Systems and Data Services
jim.dillon () colorado edu
303-735-5682
-------------------Boulder------------------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Youngquist, Jason R.
Sent: Thursday, December 04, 2008 8:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] laws/regulations to comply with

We are working on writing more formalized policies for the institution. What I'm looking for is a comprehensive set of laws/regulations that an institution such as a college might need to comply with. For example, HIPAA, PCI, Red Flag, FERPA, GLBA, CALEA, state & federal laws, etc.

Is there any definitive list somewhere or does anyone have any additional suggestions?

Thanks.

Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu