Re: Organization of IT compliance responsibilities

[Joanna Grama <jgrama () EDUCAUSE EDU>]

Dear Nick,
This information will not help you much at the immediate moment, but the EDUCAUSE Center for Analysis and Research is 
conducting research even as we speak about IT Governance, Risk, and Compliance issues at colleges and universities.  A 
survey of institutions is underway at the moment and will close at the end of this month.  The survey went to 
institutional primary representatives (those individuals that are named as their institution's primary contact with 
EDUCAUSE).  If your primary representative received the survey invite, please encourage them to complete the survey.

The research will help IT professionals benchmark their governance, risk, and compliance efforts by characterizing the 
state of each in the community. The research will also identify common areas of concern as well as transferable best 
practices and models.  We anticipate publishing the research in early June of this year and hopefully the research will 
address the question that you pose to the group.

In the meantime, the November/December EDUCAUSE Review was focused on IT GRC.  Perhaps you might find something helpful 
in that issue.  It is available at 
http://www.educause.edu/ero/educause-review-print-edition-volume-48-number-6-novemberdecember-2013?utm_source=Informz&utm_medium=Email+marketing&utm_campaign=IT+Issues
 

Kind regards,
Joanna


Joanna Grama, JD, CISSP  
Director of DRA Operations, IT GRC and Cybersecurity Programs
Data, Research, and Analytics

EDUCAUSE
Uncommon Thinking for the Common Good
282 Century Place, Suite 5000, Louisville, CO 80027
direct: 720.406.6769 | main: 303.449.4430 | fax: 303.440.0461 | educause.edu





-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nick 
Lewis
Sent: Tuesday, February 4, 2014 1:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Organization of IT compliance responsibilities

Hi everyone,

We have internally been discussing compliance recently. I'm working through the Higher Education Compliance Alliance 
resources to see what is already out there. The IT security and compliance program we are setting up is going to be 
proposed as an enterprise wide initiative, but only around IT security. I am trying to understand if anyone has their 
information security programs reporting into a formal Compliance Office/Officer? Or even a formal Compliance 
Office/Officer at their university?

Thanks,

Nick

--
Nick Lewis
Information Security Officer - Director, IT Security and Compliance ITS IT Security and Compliance
Email: nlewis10 () slu edu - Phone: 314-977-1786