CIO's Corner: Compliance and Service
In information technology, as well as in many parts of the University, we find ourselves facing an ever-increasing set of obligations to achieve compliance. Most compliance obligations are externally mandated, and the mandates almost never include the resources required to make the necessary changes.
Sometimes the new compliance requirements are intended to protect our customers and sometimes to protect the institution. And from inside the trenches, sometimes it just seems like change for no real reason at all.
What kinds of things compete for resources with improving direct services? Here are just a few examples of compliance activities that most end-users would never notice but that we must attend to nonetheless:
- Applying new updates to the Student Financial Aid System to maintain compliance and compatibility with the ever-changing federal financial aid regulations. In fact, this requirement drove the aggressive timeframe for our last Banner upgrade, which was required to maintain compliance with the new 2007 federal financial aid regulations.
- Continuing work to eliminate the use of the Social Security Number in all unnecessary places in our applications. This has only become possible since 2004, when we replaced the SSN as the Student ID# with the UH number, which is now also used as our Employee ID#. Where the SSN must still be included, it should be hidden as much as possible.
- Separating duties within ITS so that a single individual can't both design a modification to a system (software, configuration or network) and implement it; we are required to separate these responsibilities to reduce the risk of malfeasance. This means that more people must be involved in processing every change, adding work for everyone involved.
- Maintaining logs of changes to systems and networks, monitoring those logs, and maintaining evidence of the monitoring to demonstrate to external auditors that we would be alert to incidents that might compromise our security.
- Active monitoring of all account provisioning to ensure that access is not maintained after an employee leaves UH or changes jobs to a new position that no longer requires the kind of access granted in a previous role.
Necessary as they are, these are not the tasks that bring out new services or the kind of customer delight we love to focus on providing you. But in a world of increasing risks, we have no choice but to apply scarce resources to protect you and the information with which we are entrusted.
Vice President for Information Technology and Chief Information Officer, ITS