Oversight Subcommittee: INFORMATION TECHNOLOGY
Updated 22 Nov. 2005, djw

Columns of the original worksheet (each regulation below is written out as one record using these field names):
  Compliance Area
  Regulation Web Link
  UVM Web Link
  Issue
  Regulated By (FED / ST / Local)
  Responsible Individual/Department
  Assessment: Impact (H, M, L); Probability (H, M, L); Ranking (impact + prob.); Mitigation (policies, etc.); Other

Compliance area: Unauthorized access to information - HIPAA, FERPA, FTC (GLB) 16 CFR Part 314
Issue: Federal regulations require that information be secure from unauthorized release and that by May 23, 2003 institutions develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer information at issue (HIPAA, FERPA, FTC (GLB)).
Regulated by (FED/ST/Local): x
Mitigation: Job description for Information Technology Security Administrator / Officer prepared by R. Lawson, Sep. 2003. // K. Kennedy, July 13, 2005, "Information Privacy and Business Continuity - Status and recommendations.": Need full-time security officer, full-time privacy officer.
  - HIPAA: Estelle Maartman-Moe of the Center for Health and Well Being headed UVM's HIPAA Task Force, 2002-2003.
  - FERPA: Registrar's Office publishes "COMPREHENSIVE SECURITY POLICIES AND PROCEDURES".
  - GLB: Information Security Program Coordinator: C. Jefferis to appoint new position. // Cecilia Dry: Program will describe our policies/practices around information security/privacy. // HR has agreed that they will deliver during new employee orientation a curriculum on information security and privacy, and require new employees to sign a form acknowledging they understand the rules. In addition, existing employees who routinely deal with private information will go through this same training.
Other (GLB): Peter Harrington, Apr 16, 2003, Subject: Gramm-Leach-Bliley Fin Info Safeguarding Reqs (privileged): While colleges and universities are exempt from the Privacy Rule due to the pre-existing privacy regulations in FERPA, they are not exempt from the Safeguarding Rule, and in fact need to be in compliance with that rule by the deadline of May 23, 2003. ... It is not clear to me at this point whether any other functions or operations at UVM other than our student loan related operations are affected by this law. ... To very briefly summarize the highlights of the Safeguarding Rule, it appears our obligations include: [six action items] //

Keith Kennedy, May 12, 2003, "Information Security Program": The FTC regulations stemming from the GLB act require us to create an Information Security Program. And the U needs to assign an Information Security Program Coordinator. Chuck Jefferis is getting a new position in his area to manage our regulatory compliance issues. And he agreed that the new person should act as the Coordinator. Cecilia Dry is going to draft a Program based on samples from other Universities. The Program will describe our policies/practices around information security/privacy. HR has agreed that they will deliver during new employee orientation a curriculum on information security and privacy, and require new employees to sign a form acknowledging they understand the rules. In addition, existing employees who routinely deal with private information will go through this same training. I think we should get all of CIT through it. I'll share drafts as they become available. This is just FYI...

Compliance area: Telephone Operator Consumer Services Improvement Act (TOCSIA) of 1990
Issue: Requires that "aggregators" provide consumers (students) access to operator services of long distance carriers of their choice by making 800 numbers available and posting notices on or near equipment.
Regulated by (FED/ST/Local): x
Responsible individual/department: CIT Telecommunications & Network Services/Randy Spooner





Compliance area: OMB A-21, DHHS, Service Center Rates and Consistency in Charging
Issue: Any costs that are charged from the computer center, Telecommunications or other IT areas that are based on rates, rather than actual costs, must be reviewed to make sure that Federal programs are not double charged.
Regulated by (FED/ST/Local): x
Responsible individual/department: CIT/Deane Dudley

Compliance area: Computer Store
Issue: Issues of sales tax, UBIT, interdepartmental pricing.
Regulated by (FED/ST/Local): x x
Responsible individual/department: CIT Microcomputer Services/Andy Gingras, Deane Dudley






Compliance area: College & University Security Information Act [24 P.S. sec. 2502, et seq. (2000)]
Issue: Provide every applicant for admission, every new employee, and students and employees annually with information regarding security policies. See 'Public Safety' section for further information.
Regulated by (FED/ST/Local): x? ?
Other: State law? // Effective July 1, 1989, the Tennessee General Assembly passed legislation, Public Chapter 317, entitled College and University Security Information Act. // PA has a law with this title, 24 P.S. sec. 2502. // Seems related to Clery Act (Swarthmore has a policy covering both together). // Superseded by FISMA?



Compliance area: Copyright Law and Software Licensing; Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860 (Oct. 28, 1998)
UVM web link: http://www.uvm.edu/talk_to_us/?Page=dmc.html
Issue: Prohibits unauthorized reproduction of copyrighted works of authorship, including computer software, books, journals, etc. Software licenses required.
Regulated by (FED/ST/Local): x
Responsible individual/department: Libraries & Learning Resources/Dean of Library and Information Technology Mara Saule (Routine process: CIT Account Services/John St. Louis)






Compliance area: FCC licenses
Issue: Licensing requirements for microwave towers and antennas; wireless communications, radio and TV stations.
Regulated by (FED/ST/Local): x
Responsible individual/department: WRUV/Pat Brown? // 2-way radios/Police Services?






Compliance area: FCC, telecommunications access with disabilities, Title 47, Part 6
Issue: Access to telecommunications services, telecommunications equipment, and customer premises equipment by persons with disabilities.
Regulated by (FED/ST/Local): x
Responsible individual/department: CIT Telecommunications & Network Services/Randy Spooner






Compliance area: FCC, telecommunications access with disabilities, Title 47, Part 7
Issue: Title 47, Part 7 - Access to voicemail and interactive menu services and equipment by people with disabilities.
Regulated by (FED/ST/Local): x
Responsible individual/department: CIT Telecommunications & Network Services/Randy Spooner






Compliance area: FCC, Wireless communications, Title 47, Parts 26 and 27
Issue: General rules for wireless communications.
Regulated by (FED/ST/Local): x
Responsible individual/department: CIT Telecommunications & Network Services/Randy Spooner

Compliance area: Hazardous Materials
Issue: Disposal of computer and other electrical equipment containing hazardous materials.
Regulated by (FED/ST/Local): x
Responsible individual/department: UVM Recycling Program/Erica Spiegel, 656-4191; Corey Berman, 656-5731







Compliance area: Rehabilitation Act, Section 508
Regulation web links: http://www.section508.gov/ ; http://www.w3.org/WAI/
UVM web link: http://www.uvm.edu/webguide/tools/?Page=accessibility.html
Issue: Section 508 of the Rehabilitation Act has detailed guidelines[1] specifically for computer systems, including Web pages, that are based primarily on the Level 1 guidelines[2] developed by the Web Accessibility Initiative of the World Wide Web Consortium. These guidelines were developed to ensure that people with disabilities (visual, motor, auditory, etc.) have "comparable access" to computing resources provided by the Federal government.
Regulated by (FED/ST/Local): x
Responsible individual/department: Web Team? Departmental web publishers?






Compliance area: Clery Act, 20 USC 1092(f)
Regulation web link: http://www.securityoncampus.org/schools/cleryact/handbook.pdf
Issue: The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, 20 USC 1092(f), requires an explanation of how the University reports, investigates and handles crime and emergency situations on or near University property; it advises the University community of the many University resources that are available to assist it in emergencies and provides tips to mitigate threats to their safety; and it provides other safety and security information to the University community so that informed decisions may be made.
Regulated by (FED/ST/Local): x
Responsible individual/department: Police Services? Human Resources? Admissions?






Compliance area: The TEACH Act of November 2, 2002 (HR 2215)
Regulation web link: http://www.dlalaw.com/site/page_1.asp?section=4&subsection=3&seqa=0&seqb=0&seqc=0&PgId=700
UVM web links: http://www.uvm.edu/~ctl/?Page=resources/copyright.html&SM=resources/res_menu.html ; http://bailey.uvm.edu/ref/sschaffer/teachactenacted.html ; http://www.med.uvm.edu/cometinfo/TB1+BL.asp?SiteAreaID=566 ; and others
Issue: The Technology, Education and Copyright Harmonization Act redefines the terms and conditions on which accredited, nonprofit educational institutions may use copyright protected materials in distance education, including on websites and by other digital means, without permission from copyright owners and without payment of royalties.
Regulated by (FED/ST/Local): x
Responsible individual/department: Learning Resource Group/Center for Teaching and Learning? Scott Schaffer, Library Assistant Professor?






Compliance area: Federal Wiretap Act, 18 USC 2511(1)(a)
Regulation web link: http://www.cybercrime.gov/usc2511.htm
UVM web link: http://www.uvm.edu/~uvmppg/ppg/cit/compuse.htm
Issue: The Wiretap Act prohibits the intentional "interception" of any wire, oral, or electronic communications. 18 U.S.C. § 2511(1)(a).
Regulated by (FED/ST/Local): x
Responsible individual/department: Office of the General Counsel
Other: Still in effect? Updated by the 1986 Electronic Communications Privacy Act (ECPA), a law Pat Leahy wrote and sponsored. // UVM voice communication recording - Police Services and CIT Telecommunications. // Computer and Network Use Policy applies to non-voice communication.

Compliance area: Homeland Security Act of 2002, inclusive of the Federal Information Security Management Act (FISMA) of 2002
Regulation web links: http://csrc.nist.gov/sec-cert/ca-background.html ; http://csrc.nist.gov/sec-cert/
Issue: The House bill creates the Department of Homeland Security and contains important provisions that help ensure that information technology will be used most effectively in securing the nation against cyber and physical attacks. The act requires every government agency to secure the information and information systems that support its operations and assets, including those provided or managed by another agency, contractor, or other source. FISMA defines three security objectives for information and information systems: Confidentiality, Integrity and Availability.
Regulated by (FED/ST/Local): x
Other: Applies only to federal agencies. // The Federal Information Security Management Act (FISMA) is part of the E-Government Act (Public Law 107-347): "Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…"

Compliance area: Patriot Act
Regulation web link: http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162:
UVM web link: http://library.uvm.edu/about/privacy/
Issue: It gives new powers to the Justice Department in terms of domestic and international surveillance of American citizens and others within its jurisdiction. The Patriot Act seeks primarily to deter and punish terrorist acts in the United States by enhancing law enforcement investigatory tools. The Patriot Act, among other things, amends:
* the Family Educational Rights and Privacy Act (FERPA) of 1972
* the Foreign Intelligence Surveillance Act (FISA) of 1978 and
* the Electronic Communications Privacy Act (ECPA) of 1986.
Regulated by (FED/ST/Local): x
Responsible individual/department: Office of the General Counsel






Compliance area: Miscellaneous Building Codes for telecom and IT wiring and equipment
UVM web link: http://www.uvm.edu/telcom/?Page=network/standardintro.html
Issue: AEC or FM or the contractors hired for IT work have the responsibility for applying for all permits and obtaining all inspections.
Regulated by (FED/ST/Local): x x
Responsible individual/department: CIT Telecommunications & Network Services/Randy Spooner






Compliance area: Electronic Communications Privacy Act of 1986 (ECPA) (18 USC 2510-2522)
Regulation web links: http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act ; http://www4.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I_20_119.html ; http://www.epic.org/privacy/wiretap/
UVM web link: http://www.uvm.edu/~uvmppg/ppg/cit/compuse.htm
Issue: ECPA sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications.
Regulated by (FED/ST/Local): x
Responsible individual/department: Office of the General Counsel
Other: Weakened by PATRIOT Act.

Compliance area: Computer Security Act of 1987 (Pub. L. 100-235) - superseded by the Federal Information Security Management Act of 2002
Issue: superseded
Regulated by (FED/ST/Local): x









Compliance area: OMB Circular A-130, Security of Federal Automated Information Systems
Regulation web link: http://www.whitehouse.gov/omb/circulars/a130/a130.html
Regulated by (FED/ST/Local): x
Other: Applies only to US federal information systems.






Compliance area: Foreign Intelligence Surveillance Act (FISA) of 1978 -- see PATRIOT Act
Regulation web links: http://www.law.cornell.edu/uscode/html/uscode50/usc_sup_01_50_10_36.html ; http://www.epic.org/privacy/terrorism/fisa/
Issue: "The Foreign Intelligence Surveillance Act (FISA) of 1978 prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign government. The provisions of the act were enhanced by the USA Act of 2001, primarily to include terrorism on behalf of groups that are not specifically backed by a foreign government. The USA Act was quickly incorporated in the more commonly known USA PATRIOT Act, also passed in 2001." http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act
Responsible individual/department: Office of the General Counsel






Compliance area: Communications Assistance for Law Enforcement Act (CALEA)
Regulation web links: http://www.askcalea.net/ ; http://www.eff.org/Privacy/Surveillance/CALEA/?f=summary.html
Issue: Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994 to make it easier for law enforcement to wiretap digital telephone networks. CALEA forced telephone companies to redesign their network architectures to make wiretapping easier. It expressly did not regulate data traveling over the Internet