IT Reductions and Regulations (EDUCAUSE Quarterly)

By Sharon Blanton

Regulatory obligations and unfunded mandates don’t go away during tough budgetary times.
Moving into maintenance mode increases the need to manage risk closely, often with reduced staff.
To minimize the risk of penalties from failing to meet regulatory requirements, know staff members’ skills and training before you are asked to cut IT budgets.

If you work at an institution of higher education in the United States today, then you are probably in the middle of a budget reduction frenzy. Complaints about the rising cost of education and “administrative bloat” appear regularly in news headlines. Anecdotal data tells me, though, that in times of budgetary constraints the so-called administrative side takes deeper cuts than the academic side. In most institutions, if you are not a full-time faculty member, then by default you belong to the administration. Even though many IT departments live in the academic side of the house, their roles are seen as more administrative.

In talking to my colleagues, it appears that IT is expected to move into maintenance mode, or what I typically refer to as “keeping the ship afloat.” This usually means reducing or cancelling training, putting new projects on hold, and significantly extending the timelines of existing projects. Keeping the ship afloat used to mean that we kept the network, phones, ERP, and LMS systems running, but now, it also means that we have to keep complying with all of the unfunded mandates and regulations that have piled up over the years. With this concern in mind, examine cost-cutting proposals from other departments that suggest they would achieve savings through “increased automation” — without recognizing the ongoing requirements for regulatory compliance. If your campus is in the unfortunate position of having to reduce staff, think carefully about positioning your institution to meet regulatory obligations over the next couple of years.

Regulatory Compliance for IT Departments

Whether in a centralized or decentralized environment, IT has increasingly become responsible for risk management. For which regulations is IT responsible on your campus? Take a moment and jot them down. I will bet that you came up with the Acceptable Use Policy, the Information Security Policy, FERPA, and DMCA. These are the obvious ones — the ones that have gotten a lot of exposure. Now, let’s peel the layers of the onion a little more.

Accreditation: Do any of your colleges, programs, or departments have accreditation coming up? Are there any requirements regarding the types or amount of IT resources available to your students and faculty? Do you offer distance-learning programs? How do you ensure that the student participating in the course is the same one who registered for the course?
FACTA Red Flag Rules: Sure, this a “finance problem,” but what are the solutions? Has IT developed scripts to watch for Red Flag issues? How have these scripts been documented? How will they be updated? Who maintains your identity theft protection policy and program?
Payment Card Industry Data Security Standard (PCI DSS): Probably the most familiar finance related standard, PCI dictates how we process and store credit card transactions and data. Who completes your annual PCI survey? Are your policies and procedures in compliance?
Gramm-Leach-Bliley(GLB) Act: What is this consumer information protection act doing in the list? Our students are financial consumers when they receive loans from us. What technical mechanisms have been put in place to protect their personally identifiable information? Is this handled in central IT, the business office, the bursar’s office, or financial aid?
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act): If the FBI comes knocking, will you have the knowledge and human resources necessary to comply with their warrant? Who will handle the data preservation or wiretapping requests? Are you keeping up with your Student and Exchange Visitor Information System (SEVIS) responsibilities?
Higher Education Opportunity Act (2008): With over 200 pages of regulations that require special record keeping, business processes, and reporting, this piece of legislation is responsible for many of the technical solutions on campus today. Who tracks changes in legislation and ensures that your processes keep you compliant?
Software license management: Is someone making sure that only authorized patrons gain access to your electronic library resources? Do you receive frequent requests for special populations/visitors to gain access to your library? Who manages this control and synchronizes the permissions with your identity management solution?
Family Educational Rights and Privacy Act (FERPA): Everyone knows that we need to protect student records. What technological mechanisms have been put in place to insure the protection of these data? Who makes sure that the appropriate FERPA language goes into all of your IT contracts?
Health Insurance Portability and Accountability Act (HIPPA): This is another regulation protecting personally identifiable information. What safeguards are in place to protect your student health center computers and records?
Digital Millennium Copyright Act (DMCA): Most colleges and universities have developed policies around the protection of digital media. Who receives and acts on DMCA take-down notices at your institution?
Electronic discovery (E-discovery): If you are served with notice of a lawsuit, receive a data preservation request, or suspect an impending lawsuit, what process is in place to take the appropriate actions to correctly preserve digital data? Does someone in your organization understand Rule 37 of the Federal Rules of Civil Procedure? Which employees throughout your organization might play a role in data preservation?
Key card access: Facilities or the Public Safety office probably manages your key card access system. How is that system connected to other enterprise solutions? Who ensures that the locks and cards are programmed properly? Who audits the permissions given to card holders?
Purchasing regulations: At the state and system level can you meet the requirements of all your purchasing regulations? Is someone with technical expertise and information security expertise reviewing all of your RFPs and contracts to mitigate any risk of not complying with any of these requirements?
Audits: When is your next internal or external audit scheduled? Will you be able to meet the separation of duties expectations, or will your team be so small that you have one database administrator writing, approving, and posting code into production? Will you be able to conduct a quarterly test of your disaster recovery, business continuity, and pandemic preparedness plans?
Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act): How are you doing in completing the compliance checklist in The Handbook for Campus Crime Reporting? Compliance really comes down to data gathering and dissemination, and these typically involve technology-based solutions.

This list is certainly not meant to be exhaustive, but it should get you thinking about how you handle regulatory responsibilities on your campus.

Costs of Failing to Meet Requirements

Violation of any of these policies, laws, or regulations can bring serious sanctions and, in many cases, hefty fines. Generally speaking, a data breach costs an organization about $202 per disclosed record. This includes costs for the investigation, customer notification, data preservation, attorney fees, consumer credit monitoring service, and fines. HIPAA assesses $25,000 for accidental violation, but knowing misuse or disclosure can carry fines of $50,000 and one year of imprisonment.

PCI fines reportedly run into the hundreds of thousands of dollars, but the more costly sanction is the removal of an institution’s capability to accept credit card payments. Imagine how crippling that could be to a college or university. Will your budget reductions put you in jeopardy of not meeting your regulatory obligations?

Reputation is perhaps the most difficult cost to measure. If a breach or violation occurs, the negative press can be devastating to an institution. While it is not possible to guarantee you will never have a data breach or fall out of compliance with a regulation, you certainly want to take all possible steps to minimize the risk.

Plan Ahead to Minimize Risks

When forced to reduce staff and plan for others to assume their responsibilities, make sure you understand the skills and training required. It could take months of training to get staff up to speed on regulatory requirements. Unfortunately, many departments will have to make budget cuts so quickly that they will not have time for a thorough transition plan.

To make budget reductions strategically, you really need to have a comprehensive inventory of your staff and their skills and current duties. Each budget reduction proposal that purports to decrease administrative bloat and increase efficiency should be examined to ensure that the current personnel or process isn’t there in support of a legal or regulatory requirement. If you still have to make the reduction, look for opportunities where you have a cross-trained team and can spread the duties, then measure the risk. Know which requirements are mandatory and which related threats could be “risk accepted.” What are the consequences of experiencing a data breach, a FERPA claim, a copyright violation, an accreditation follow-up visit, or a PCI violation? You will have to weigh the financial, political, and public relations costs for each possibility. As an IT risk manager, which of those are you willing to chance? Now is the time to proactively work with your colleagues across the institution to ensure that your cuts will not impact their ability to meet regulations and likewise to make sure that their contemplated cuts will not severely impact your ability to keep the institution in compliance.