Compliance is the act of adhering to established rules, guidelines, or specifications to align with industry and/or government expectations. This may include adherence to laws and regulations, sponsor-imposed contract requirements, or internal policy and procedure.
A compliance assessment will help determine the gap between existing controls in your current IT environment and what is required.
This service will:
- Review and interpret requirements
- Identify steps for meeting obligations
- Automate the implementation of necessary controls where possible and provide instruction on how to implement controls that are not automatable
- Compliance with Law or Regulation:
  - In this scenario, Vanderbilt is required to comply with federal or statutory laws and must secure data according to regulatory requirements. Examples of data that may carry compliance obligations include, but are not limited to:
    - Personally Identifiable Information (PII) (e.g., SSN, driver's license number, passport number)
    - Family Educational Rights and Privacy Act (FERPA) information (e.g., student education records)
    - Protected Health Information (PHI) (e.g., data covered by HIPAA)
    - General Data Protection Regulation (GDPR) information (e.g., PII of EU residents)
    - Controlled Unclassified Information (CUI) (e.g., export-controlled information under ITAR or EAR)
- Compliance with a Contract:
  - Here there may be no regulated data; however, Vanderbilt is receiving or sending sensitive data, and a legal agreement or contract between the two parties governs how that data is transferred, used, and secured. Examples of such data include, but are not limited to:
    - De-identified human subject data from a clinical trial, or a Limited Data Set as defined in HIPAA
    - Company proprietary information that cannot be released to the public for competitive-advantage reasons
  - These contracts may be called a Data Use Agreement (DUA), a Data Transfer and Use Agreement (DTUA), a Nondisclosure Agreement (NDA) or Confidentiality Agreement (CDA), or a Sponsored Research Agreement (SRA).
Only Sponsored Programs Administration (SPA) has the authority to sign agreements and contracts on behalf of VU. Submit a request to SPA in VERA (Agreement Type: Data Use Agreement). You must include a copy of the draft agreement and a copy of the Compliance Intake Form. Visit the SPA website for more instruction.
Once the request is initiated with SPA, Cybersecurity will contact the requestor about implementing the IT security controls needed to protect the data. The complexity and duration of the process depend on the terms of the agreement, the IT systems used, and the responsiveness of the PI and research team.
Depending on the data involved, IRB protocol approval may also be necessary. Consult your department/unit administrator for details on the IRB process.
Not sure how to start?
Get in touch if you don't know where to begin, you can't find the guidance you need on the website, or you just want to learn more. The Office of Cybersecurity has subject matter expertise and is here for the Vanderbilt community to discuss security questions or concerns.