| Oversight Subcommittee | COMPLIANCE AREA | Regulation Web Link | UVM Web Link | ISSUE | REGULATED BY: FED | ST | Local | Responsible Individual/Department | ASSESSMENT: IMPACT (H, M, L) | PROBABILITY (H, M, L) | RANKING (impact + prob.) | MITIGATION (policies, etc.) | OTHER |
| INFORMATION TECHNOLOGY | Updated 22 Nov. 2005, djw |
| Unauthorized access to information-HIPAA, FERPA, FTC (GLB) 16 CFR Part 314 | Federal regulations require that information be secure from unauthorized release and that by May 23, 2003 institutions develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of any customer information at issue-HIPAA, FERPA, FTC (GLB). | x | Job description for Information Technology Security Administrator / Officer prepared by R. Lawson, Sep. 2003. // K. Kennedy, July 13, 2005, "Information Privacy and Business Continuity - Status and recommendations": Need full-time security officer, full-time privacy officer. |
| -HIPAA | Estelle Maartman-Moe of the Center for Health and Well Being headed UVM's HIPAA Task Force, 2002-2003 |
| -FERPA | Registrar's Office publishes "COMPREHENSIVE SECURITY POLICIES AND PROCEDURES" |
| -GLB | Information Security Program Coordinator: C. Jefferis to appoint new position. // Cecilia Dry: Program will describe our policies/practices around information security/privacy. // HR has agreed that they will deliver during new employee orientation a curriculum on information security and privacy, and require new employees to sign a form acknowledging they understand the rules. In addition, existing employees who routinely deal with private information will go through this same training. | GLB: Peter Harrington, Apr 16, 2003, Subject: Gramm-Leach-Bliley Fin Info Safeguarding Reqs (privileged): While colleges and universities are exempt from the Privacy Rule due to the pre-existing privacy regulations in FERPA, they are not exempt from the Safeguarding Rule, and in fact need to be in compliance with that rule by the deadline of May 23, 2003. ... It is not clear to me at this point whether any other functions or operations at UVM other than our student loan related operations are affected by this law. ... To very briefly summarize the highlights of the Safeguarding Rule, it appears our obligations include: [six action items] // Keith Kennedy, May 12, 2003, "Information Security Program": The FTC regulations stemming from the GLB act require us to create an Information Security Program. And the U needs to assign an Information Security Program Coordinator. Chuck Jefferis is getting a new position in his area to manage our regulatory compliance issues. And he agreed that new person should act as the Coordinator. Cecilia Dry is going to draft a Program based on samples from other Universities. The Program will describe our policies/practices around information security/privacy. HR has agreed that they will deliver during new employee orientation a curriculum on information security and privacy, and require new employees to sign a form acknowledging they understand the rules. In addition, existing employees who routinely deal with private information will go through this same training. I think we should get all of CIT through it. I'll share drafts as they become available. This is just FYI... |
| Telephone Operator Consumer Services Improvement Act (TOCSIA) of 1990 | Requires that "aggregators" provide consumers (students) access to operator services of long distance carriers of their choice by making 800 numbers available and posting notices on or near equipment. | x | CIT Telecommunications & Network Services/Randy Spooner |
| OMB A-21, DHHS, Service Center Rates and Consistency in Charging | Any costs that are charged from the computer center, Telecommunications or other IT areas that are based on rates, rather than actual costs, must be reviewed to make sure that Federal programs are not double charged. | x | CIT/Deane Dudley |
| Computer Store | Issues of sales tax, UBIT, interdepartmental pricing | x | x | CIT Microcomputer Services/Andy Gingras, Deane Dudley |
| College & University Security Information Act [24 P.S. sec. 2502, et seq. (2000)] | Provide every applicant for admission, every new employee, and students and employees annually with information on security policies. See 'Public Safety' section for further information. | x? | ? | State law? // Effective July 1, 1989, the Tennessee General Assembly passed legislation, Public Chapter 317, entitled College and University Security Information Act. // PA has a law with this title, 24 P.S. sec. 2502. // Seems related to Clery Act (Swarthmore has a policy covering both together). // Superseded by FISMA? |
| Copyright Law and Software Licensing; Digital Millennium Copyright Act, Pub.L. No. 105-304, 112 Stat. 2860 (Oct. 28, 1998) | http://www.uvm.edu/talk_to_us/?Page=dmc.html | Prohibits unauthorized reproduction of copyrighted works of authorship, including computer software, books, journals etc. Software licenses required. | x | Libraries & Learning Resources/Dean of Library and Information Technology Mara Saule (Routine process: CIT Account Services/John St. Louis) |
| FCC licenses | Licensing requirements for microwave towers and antennas; wireless communications, radio and TV stations | x | WRUV/Pat Brown? // 2-way radios/Police Services? |
| FCC, telecommunications access with disabilities, Title 47, Part 6 | Access to Telecommunications services, telecommunications equipment, and customer premises equipment by persons with disabilities | x | CIT Telecommunications & Network Services/Randy Spooner |
| FCC, telecommunications access with disabilities, Title 47, Part 7 | Access to voicemail and interactive menu services and equipment by people with disabilities. | x | CIT Telecommunications & Network Services/Randy Spooner |
| FCC, Wireless communications, Title 47, Parts 26 and 27 | General rules for wireless communications | x | CIT Telecommunications & Network Services/Randy Spooner |
| Hazardous Materials | Disposal of computer and other electrical equipment containing hazardous materials | x | UVM Recycling Program/ Erica Spiegel, 656-4191; Corey Berman, 656-5731 |
| Rehabilitation Act, section 508 | http://www.section508.gov/ http://www.w3.org/WAI/ | http://www.uvm.edu/webguide/tools/?Page=accessibility.html | Section 508 of the Rehabilitation Act has detailed guidelines[1] specifically for computer systems, including Web pages, that are based primarily on the Level 1 guidelines[2] developed by the Web Accessibility Initiative of the World Wide Web Consortium. These guidelines were developed to ensure that people with disabilities (visual, motor, auditory, etc.) have "comparable access" to computing resources provided by the Federal government. | x | Web Team? Departmental web publishers? |
| Clery Act, 20 USC 1092 (f) | http://www.securityoncampus.org/schools/cleryact/handbook.pdf | The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, 20 USC 1092(f), requires an explanation of how the University reports, investigates and handles crime and emergency situations on or near University property; it advises the University community of the many University resources that are available to assist it in emergencies and provides tips to mitigate threats to their safety; and it provides other safety and security information to the University community so that informed decisions may be made. | x | Police Services? Human Resources? Admissions? |
| The TEACH Act of November 2, 2002 (HR 2215) | http://www.dlalaw.com/site/page_1.asp?section=4&subsection=3&seqa=0&seqb=0&seqc=0&PgId=700 | http://www.uvm.edu/~ctl/?Page=resources/copyright.html&SM=resources/res_menu.html http://bailey.uvm.edu/ref/sschaffer/teachactenacted.html http://www.med.uvm.edu/cometinfo/TB1+BL.asp?SiteAreaID=566 and others | The Technology, Education and Copyright Harmonization Act redefines the terms and conditions on which accredited, nonprofit educational institutions may use copyright protected materials in distance education, including on websites and by other digital means, without permission from copyright owners and without payment of royalties. | x | Learning Resource Group/ Center for Teaching and Learning? Scott Schaffer, Library Assistant Professor? |
| Federal Wiretap Act, 18 USC 2511 (1)(a) | http://www.cybercrime.gov/usc2511.htm | http://www.uvm.edu/~uvmppg/ppg/cit/compuse.htm | The Wiretap Act prohibits the intentional "interception" of any wire, oral, or electronic communications. 18 U.S.C. § 2511(1)(a). | x | Office of the General Counsel | Still in effect? Updated by 1986 Electronic Communication |
| Homeland Security Act of 2002 inclusive of Federal Information Security Management Act (FISMA) of 2002 | http://csrc.nist.gov/sec-cert/ca-background.html http://csrc.nist.gov/sec-cert/ | The House bill creates the Department of Homeland Security and contains important provisions that help ensure that information technology will be used most effectively in securing the nation against cyber and physical attacks. The act requires every government agency to secure the information and information systems that support its operations and assets, including those provided or managed by another agency, contractor, or other source. FISMA defines three security objectives for information and information systems: Confidentiality, Integrity and Availability. | x | Applies only to federal agencies | Federal Information Security Management Act (FISMA) is p |
| Patriot Act | http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162: | http://library.uvm.edu/about/privacy/ | It gives new powers to the Justice Department in terms of domestic and international surveillance of American citizens and others within its jurisdiction. The Patriot Act seeks primarily to deter and punish terrorist acts in the United States by enhancing law enforcement investigatory tools. The Patriot Act, among other things, amends: * the Family Education Rights and Privacy Act (FERPA) of 1972 * the Foreign Intelligence Surveillance Act (FISA) of 1978 and * the Electronic Communications Privacy Act (ECPA) of 1986. | x | Office of the General Counsel |
| Miscellaneous Building Codes for telecom and IT wiring and equipment | http://www.uvm.edu/telcom/?Page=network/standardintro.html | AEC or FM or the contractors hired for IT work have the responsibility for applying for all permits and obtaining all inspections. | x | x | CIT Telecommunications & Network Services/Randy Spooner |
| Electronic Communications Privacy Act of 1986 (ECPA) (18 USC 2510-2522) | http://en.wikipedia.org/wiki/ | http://www.uvm.edu/~uvmppg/ppg/cit/compuse.htm | ECPA sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. | x | Office of the General Counsel | Weakened by PATRIOT Act. |
| Computer Security Act of 1987 (Pub. L. 100-235) - superseded by the Federal Information Security Act of 2002 | superseded | x |
| OMB Circular A-130 Security of Federal Automated Information Systems | http://www.whitehouse.gov/omb/circulars/a130/a130.html | x | Applies only to US federal information systems |
| Foreign Intelligence Surveillance Act (FISA) of 1978 -- see PATRIOT Act | http://www.law.cornell.edu/uscode/html/uscode50/usc_sup_01_50_10_36.html http://www.epic.org/privacy/terrorism/fisa/ | "The Foreign Intelligence Surveillance Act (FISA) of 1978 prescribes procedures for requesting judicial authorization for electronic surveillance and physical search of persons engaged in espionage or international terrorism against the United States on behalf of a foreign government. The provisions of the act were enhanced by the USA Act of 2001, primarily to include terrorism on behalf of groups that are not specifically backed by a foreign government. The USA Act was quickly incorporated in the more commonly known USA PATRIOT Act, also passed in 2001." http://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act | Office of the General Counsel |
| Communications Assistance for Law Enforcement Act (CALEA) | http://www.askcalea.net/ http://www.eff.org/Privacy/Surveillance/CALEA/?f=summary.html | Congress passed the Communications Assistance for Law Enforcement Act (CALEA) in 1994 to make it easier for law enforcement to wiretap digital telephone networks. CALEA forced telephone companies to redesign their network architectures to make wiretapping easier. It expressly did not regulate data traveling over the Internet. | x | Under litigation |