Towards a framework to guide compliance with IS security policies and regulations in a university

M. Kyobe
Published in: 2010 Information Security for South Africa, 2010-09-30
DOI: 10.1109/ISSA.2010.5588651 (https://doi.org/10.1109/ISSA.2010.5588651)
Citations: 11

Abstract

Compliance with computer security policies and legislation is critical to educational institutions today. Universities offer Internet services to users and store personal information of learners, staff, and conference attendees, which exposes them to potential risks and legal liabilities. Failure to ensure compliance with information security laws poses significant financial and reputational risk and may invite serious scrutiny of university activities by law enforcement bodies [24]. While universities have sought various measures to achieve compliance (e.g. self-regulation, security policies, staff/student handbooks, public relations campaigns, Web and email reminders, and audits), these have had limited success in influencing user behaviours. The rate of electronic abuse and lack of compliance with policies is simply on the rise. The August 2009 EDUCAUSE Review indicates that security remains one of the top strategic issues facing higher education institutions [2]. [20] claims that half of all personal identity breaches occur in higher education. The recording industry and motion picture associations are increasingly holding institutions liable for illegal downloading of copyright materials [11], and students have also been accused of privacy violations [8]. So, what makes compliance with policies and regulations in universities difficult, and how can compliance be measured and achieved effectively? This study examines the factors that influence compliance with security policies and regulations in universities. First, some key regulations governing information security in South Africa are introduced, followed by a review of the security environment and compliance behaviours in universities. A framework aligning regulatory requirements with control standards is developed to guide compliance behaviours in universities.