Preparing for an IT Compliance Review
A Guide for Administrative and Support Teams
Introduction
Welcome to the IT Compliance Review Preparation Guide for Administrative and Support Teams. This page provides essential information to help you prepare for an upcoming IT compliance review, specifically for those requesting review for operational uses, including both software and hardware.
Required Information
Software and Services
- List Software and Hardware: Provide a detailed list of all software and hardware you plan to purchase for operational purposes.
- Licensing Information: Include details about licenses for software, including expiration dates and compliance with licensing agreements (e.g., whether an education license covers non-educational operations or an enterprise license is required).
- Use Case: Provide your intended use case for the software at a level anyone could understand.
IT-Related Hardware
- Dedicated Systems: Identify any dedicated systems that do not align with campus standards, including their purpose and configuration.
- Storage Devices: List all storage devices associated with your operations, such as external hard drives and network-attached storage (NAS).
- Cloud Services: If applicable, list any cloud services used, including the type of data stored and the security measures in place.
Vendor Information
- Vendor List: Provide a list of all vendors supplying your software and hardware, including contact information and the services/products they provide.
- Contracts and Agreements: Include copies of contracts and service level agreements (SLAs) with each vendor.
- Compliance Certifications: Ensure vendors provide necessary compliance certifications (e.g., SOC 2, ISO 27001, HECVAT). These are especially important if any of the vendors you are working with will be offering cloud services for storage, applications, etc.
Regulatory Compliance
- HIPAA: Be aware of requirements related to the Health Insurance Portability and Accountability Act (HIPAA) if your software or service will work with health information.
- FERPA: Be aware of requirements related to the Family Educational Rights and Privacy Act (FERPA) if your software or service will work with student information.
- PCI: Be aware of requirements related to the Payment Card Industry Data Security Standard (PCI DSS) if your software or service will take financial payments.
- GLBA: Be aware of requirements related to the Gramm-Leach-Bliley Act (GLBA) that might affect your usage of the software or service.
- Accessibility: Be aware of requirements related to digital accessibility with your software or service when it's used in a classroom setting.
Deadlines and Timelines
- Submission Deadlines: Clearly state the deadlines for submitting all required information.