Managing Information Technology Compliance Risk By Carlos S. Lobato, CIA, CISA, CISSP
A
s colleges and universities continue to embrace technology to meet their strategic objectives, the need to navigate a complex information technology (IT) regulatory landscape must not be overlooked. Clearly, IT laws and regulations have important intentions and purposes, such as safeguarding users’ data. But ensuring compliance with so many and often overlapping state and federal regulations can become a daunting task. In 2012, New Mexico State University (NMSU) took the first step toward achieving this goal when it created its IT Compliance Function and hired an IT compliance officer. As colleges and universities continue to embrace technology to meet their strategic objectives, the need
The IT compliance officer is charged with performing university-wide IT risk assessments for information security and compliance. Additionally, the IT compliance officer develops, implements and monitors IT policies and procedures. The IT compliance officer works collaboratively with internal audit and IT security, with a common goal of reducing the risks that threaten the availability, confidentiality and integrity of the University’s technologies and data.
Many colleges and universities give the role of managing IT compliance to the Chief Information Security Officer (CISO). And there were discussions at information technology NMSU about who should lead this effort. But because the CISO role had not been created, it was determined that an IT compliance officer would provide a (IT) regulatory landscape solid foundation for NMSU to begin enhancing its information security must not be overlooked. maturity level by focusing on compliance. Additionally, prior to the hiring of the IT compliance officer, previous IT auditors did not feel comfortable guiding staff in the proper remediation steps. The IT compliance officer would not have these perceived audit independence issues.
ABOUT THE AUTHOR
Carlos S. Lobato, CIA, CISA, CISSP is New Mexico State University’s IT compliance officer. He is responsible for ensuring IT activities comply with applicable regulatory requirements. Carlos has extensive private, banking, local government and higher education auditing experience and holds both auditing and technical IT certifications. ACUA Summer 2014, Vol. 56, No. 2
To be successful, an IT compliance officer should have a combination of technical, audit, strategic and communication skills. The NMSU publicized job description required a minimum of eight years of experience in IT audit or other technical work with professional credentialing such as Certified Information Systems Auditor, Certified Information Systems Security Professional or Global Information Assurance Certification being desirable. The IT compliance officer should be able to see the big picture and be savvy about conducting risk assessments that uncover high risks areas. The IT compliance officer should be able to speak with top-level management in a manner that avoids technical jargon about the biggest challenges. Additionally, the work of an IT compliance officer should be documented in order to properly demonstrate compliance. The IT compliance
Compliance
to navigate a complex
officer should be able BENEFITS The following represent some of the benefits to date of having an IT to speak with topcompliance function at NMSU: level management in • Formal identification, comprehension and communication to the a manner that avoids University community of federal, state and industry regulations technical jargon about applicable to the IT activities of NMSU. • University-wide IT risk assessments formally conducted and the biggest challenges. documented, resulting in the identification of high risk areas and the creation of a five-year IT compliance working plan approved by the Chief Information Officer. 26 COLLEGE & UNIVERSITY AUDITOR