Law, Policy -- and IT?

    Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


June 1, 2015

A few weeks ago I touted ISO/IEC 27018, the International Organization for Standardization (ISO) standard for protecting personally identifiable information held by public cloud providers. I did so largely as an advocate of the appropriate management of institutional information and research data in higher education, in particular regarding privacy management in cloud computing.

Since then I have become increasingly aware of a variety of standards in the areas in which I work: information technology generally, and information security, privacy and accessibility in particular. A spate of new standards is coming to my attention. These standards can play an important harmonizing role in a variety of areas of interest to CIOs and other information technology personnel, as well as to institutional attorneys, finance and procurement specialists, web developers, and security, privacy and disability advocates.

On the security side, ISO/IEC 27002 complements 27018. ISO/IEC 27002 is the code of practice for information security controls, the industry-standard catalog of controls for securing information systems, and 27018 is written as an extension of that control set for personally identifiable information in public clouds. ISO purposefully designs these standards to be technology-neutral so that they apply across a broad spectrum of systems and networks. Moreover, they sit within the broader risk management framework of an ISO/IEC 27001 information security management system, which asks an organization to select controls based on its own assessed risks rather than to adopt every control wholesale. Finally, for those organizations and individuals who still wonder about the difference between "security" and "privacy," and how those two factors work within the context of operational and administrative policies, reading 27002 and 27018 side by side would be a sound, practical place to start.

Two accessibility standards are also of note. The first is the World Wide Web Consortium's (W3C) Web Content Accessibility Guidelines, WCAG 2.0. Of particular interest with this standard is the working group being formed to adapt it to new technologies, distance education for example. The second is European: under a European Commission mandate, the European standards bodies issued EN 301 549, the accessibility requirements suitable for public procurement of information and communication technology products and services. A more reader-friendly interpretation of these standards, and of what they seek to achieve for people with a wide range of disabilities, may be found here.

The principal reason why I am attracted to standards stems from having worked on Internet2's Net+ contract with Box a few years ago. That contract set the bar for higher education's contracts for cloud services. Pilot institutions and their attorneys, Internet2 staff, outside counsel and Box representatives painstakingly covered critical issues such as security and privacy of data; export control; regulatory obligations such as the ADA, FERPA, GLBA and HIPAA; copyright; and the business continuity procedures associated with termination of the contract, among other provisions. I remain very proud of that effort, so it is with fondness and a little hyperbole that I note the final document rivaled the length of War and Peace.

A next generation of higher education cloud computing contracts can readily consolidate many of these lengthy provisions by simple reference to standards. A referencing clause does need to name the edition being incorporated (ISO/IEC 27018:2014, for example) and say how conformance will be demonstrated, whether by third-party certification, an audit report or a contractual warranty, because the standard on its own imposes no obligation on the vendor. With that done, this adjustment not only shortens the document but should reduce the anxiety that goes into contract formation: the worry that some detail has been forgotten, or has been worded ambiguously in a way that later leads to misunderstanding, discontent or even litigation.

Standards also greatly reduce the "one off" drag that higher education suffers with vendors, where each institution negotiates the same provisions from scratch. They assist institutional attorneys, especially those not familiar with technical standards in the areas of privacy, security, regulatory controls and accessibility. Institutions without the resources to create these contracts on their own can rely comfortably on standards that higher education agrees upon and sets uniformly for its sector in the marketplace.

Recourse to standards should also advantage higher education in negotiating prices with vendors. With foundational issues settled, the parties can focus on specifics tailored to the individual institution's needs, such as cost, plug-ins, training and lifecycle assistance. Finally, I can't imagine a better means to address issues of compliance and risk management.

Okay, you might say, standards are good, but why are you recommending European and international standards? NIST, for example, just came out with privacy guidance that applies to federal agencies; why not refer to that instead?

The answer lies in the fact that international standards favor higher education from at least two perspectives. First, we should be positioning ourselves in a harmonizing direction with the rest of the world. Only a diehard isolationist would fail to recognize the emergence of global norms and the benefits that U.S. cooperation would bring to international Internet governance.

Second, our vendors live in a larger world than our individual institutions. On the positive side, that means that to sell their products and services abroad, those vendors will have to conform to international standards. So long as those standards serve to make the lives of people in U.S. higher education easier, why not support those efforts? On the contentious side, those Internet industries that operate orthogonally to higher education’s missions may be set right not by U.S. regulators but by European ones.  

Google, for example, and soon Facebook will face challenges from the European Commission. Those challenges work on our behalf. If the market-driven culture and politics of the United States make it reluctant to investigate trade practices that potentially violate antitrust or privacy laws, we should be grateful that other entities may help to correct excesses and level the playing field for us. Those adjustments either complement higher education's values of intellectual privacy or enhance competition, and hence choice and cost, for the Internet-related products and services we need in support of our work.

Bringing this discussion around full circle, it might be a good idea if our major associations, EDUCAUSE and Internet2 come to mind at the top of the list, formed a cosponsored working group to explore standards that, for all of the above-mentioned reasons, would be to higher education's benefit to adopt. It is a big tent effort, one that will help research institutions and small liberal arts schools alike, public and private. If we could get our arms around some basic approaches to the principal areas of compliance, and I believe embracing standards would have exactly that salutary effect, we might begin to refocus our efforts on the direct needs of faculty and students.
