Compliance

Georgia Southern University seeks to establish and maintain compliance with federal and state regulations and institutional policy. Many of these regulatory and policy imperatives have technological implications, and most functions of the University use technology as a core component of operations. The Chief Information Officer oversees technology program compliance at the institution and maintains the following information regarding compliance status and resources.

Contact the Office of the Chief Information Officer or the Office of Legal Affairs for issues concerning regulatory and policy compliance.

Office of Legal Affairs
PO Box 8020
Georgia Southern University
Statesboro, GA 30460

Office of the Chief Information Officer
PO Box 8122
Georgia Southern University
Statesboro, GA 30460

Industry and Accreditation Compliance

The CIO maintains information, status reports, and resources associated with the technological aspects of compliance with industrial and accrediting body standards.

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step.

Additional information pertaining to SACSCOC can be found at Georgia Southern University’s IAA Accreditation website.

State Regulations

This section covers the State of Georgia, Board of Regents, and Georgia Southern University technology policy compliance areas. The Chief Information Officer maintains information, status reports, and resources associated with the technological aspects of compliance with Georgia regulations, Board of Regents policy, and University policy.

State regulations related to technology procurement are managed by the Georgia Technology Authority.

Section 11.0, Information Technology (IT), of the Board of Regents Policy Manual covers all aspects of University System of Georgia (USG) information technology, including general policy, IT project authorization, and information security.

The USG publishes an IT Handbook which defines the policies, procedures, and audit standards for all USG institutions. Compliance with these standards is subject to audit at the state, USG, institutional, and departmental levels.

Introduction

Section 1. Information Technology (IT) Governance 

Georgia Southern’s IT Governance structure draws broadly from six diverse advisory bodies and also includes the CIO’s participation on the President’s Cabinet.

Section 2. Project and Service Administration 

The CIO maintains documentation on all services, programs, and projects for creating new services; expanding, enhancing, or improving existing services; mitigating risks; or retiring a service. IT Services maintains a service catalog which describes the services and service levels it provides to the University. In addition, service level agreements are established, where prudent, to define specialized services. To ensure alignment of IT services with University community needs and business requirements, the CIO and the IT Directors monitor and periodically report on service level metrics. The CIO also oversees incident management and problem management and incorporates performance data into service assessments and continuous improvement activities.

The CIO maintains and periodically reviews with the President’s Cabinet an IT Projects Portfolio which tracks both tactical and strategic initiatives. The CIO also develops and maintains Effectiveness Plans and Key Performance Initiatives which address institutional strategic priorities. Service levels are re-evaluated at least annually to ensure alignment of IT and business objectives and to foster continuous improvement life cycles. The CIO routinely compares IT service performance outcomes to those of peer and aspirational institutions and prepares an annual report which summarizes strategic accomplishments and IT Services effectiveness.

Section 3. IT Management  

The CIO oversees information system user account management and the process by which an individual’s access and permissions within information systems are created, authorized, activated, periodically reviewed, and deactivated.

Section 4. Financial and Human Resource Management  

The CIO is responsible for exercising fiscal management and controls over the procurement of technology and services and for the recruitment, development, and retention of human resources.

Section 5. Information Security  

The CIO has broad responsibilities for information security oversight, including the development and maintenance of a comprehensive security program, the administration of an information security organization, policy development and management, incident management, risk management, security awareness training and assessment, implementation of security standards, and the reporting and filing of compliance documents.

Section 6. Risk Management

The CIO is responsible for maintaining a Risk Management Program for identifying, controlling, and managing the impact of uncertain harmful events on the institution’s technology infrastructure and mission-critical processing. The program takes into account the value of the protected IT assets and balances the costs associated with risks against the costs of protective measures.

Section 7. Facilities

The CIO has responsibilities for developing and managing the physical environment around IT assets including defining the physical site requirements, selecting the appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access.

Section 8. Bring Your Own Device (BYOD) Standard

The CIO is responsible for upholding standards for the use of personally owned devices by employees to access USG and institutional data.

Federal Regulations on Data Governance

There are many federal regulations and programs with technology implications that impact the University. For a complete list of Federal regulations pertaining to Universities see http://www.higheredcompliance.org/matrix/

The primary law that governs the privacy of educational information is the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g(b).

FERPA is the keystone federal privacy law for educational institutions. It generally imposes a cloak of confidentiality around student education records, prohibiting institutions from disclosing personally identifiable information from those records, such as grades or financial aid information, without the student’s written permission. FERPA also grants students the right to request and review their education records and to seek correction of those records. The law applies with equal force to electronic records as to those stored in file drawers.

Generally, institutions must have written permission from the student in order to release any information from a student’s education record. However, FERPA does allow institutions to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):

  1. School officials with legitimate educational interest;
  2. Other schools to which a student is transferring;
  3. Specified officials for audit or evaluation purposes;
  4. Appropriate parties in connection with financial aid to a student;
  5. Organizations conducting certain studies for or on behalf of the school;
  6. Accrediting organizations;
  7. To comply with a judicial order or lawfully issued subpoena;
  8. Appropriate officials in cases of health and safety emergencies; or,
  9. State and local authorities, within a juvenile justice system, pursuant to specific State law.

Institutions may disclose, without consent, “directory” information, such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, institutions must tell students about directory information and allow students a reasonable amount of time to request that the school not disclose directory information about them.

Institutions must notify parents and eligible students annually of their rights under FERPA. The actual means of notification, such as a special letter, student handbook, or newspaper article, is left to the discretion of each institution.

While violations of FERPA do not give rise to private rights of action, the U.S. Secretary of Education has established the Family Policy Compliance Office, which has the power to investigate and adjudicate FERPA violations and to terminate federal funding to any institution that fails to substantially comply with the law.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to protect the rights of patients and participants in certain health plans. In 2000, the federal Department of Health and Human Services adopted extensive regulations granting consumers the right to receive written notice of the information practices of entities subject to HIPAA.

Colleges and universities that are affiliated with health care providers are considered covered entities, and participant organizations must provide written notice of their affiliated health care provider’s electronic information practices. Most employer-sponsored health plans also are considered to be “entities” subject to HIPAA. As a result, various compliance obligations are imposed on colleges and universities that sponsor and administer such plans.

HIPAA generally requires covered entities to:

  1. Adopt written privacy procedures that describe, among other things, who has access to protected information, how such information will be used, and when the information may be disclosed;
  2. Require their business associates to protect the privacy of health information;
  3. Train their employees in their privacy policies and procedures;
  4. Take steps to protect against unauthorized disclosure of personal health records; and,
  5. Designate an individual to be responsible for ensuring the procedures are followed.

The Electronic Communications Privacy Act (ECPA) broadly prohibits the unauthorized use or interception by any person of the contents of any wire, oral or electronic communication. Protection of the “contents” of such communications, however, extends only to information concerning the “substance, purport, or meaning” of the communications.

In other words, the ECPA likely would not protect from disclosure to third parties information such as the existence of the communication itself or the identity of the parties involved. As a result, the monitoring by institutions of students’ network use or of network usage patterns, generally, would not be prohibited by the ECPA, as long as the substance of the communication was not made public.

The ECPA will come into play when an institution is forced to monitor or intercept student, faculty, or employee electronic communications such as e-mail. The effect of the law may depend on the type of person being monitored and the person’s association with the institution, as a student, faculty member, or employee, and whether the communication system is considered a public or private system.

The ECPA also contains specific exceptions allowing disclosures to law enforcement agencies under certain circumstances.

The USA Patriot Act can affect educational institutions in many ways. Probably the most significant effect is that it potentially prohibits institutions from revealing the very existence of a law enforcement investigation. All institutions should ensure that they have worked with their legal staff to produce written procedures on how to deal with law enforcement information requests. Any institution employee faced with a request from law enforcement should follow these procedures.

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, was largely directed at financial institutions and creates obligations to protect customer financial information. However, the Federal Trade Commission has determined that colleges and universities are also covered by the act.

The GLBA has two major sections: privacy and security. The Federal Trade Commission’s (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed to be in compliance with the privacy provisions of the GLBA if they are in compliance with FERPA. Therefore, GLBA privacy requirements should not affect educational institutions. They should therefore focus mainly on the security sections of the GLBA.

The information security section, implemented by the FTC Safeguards Rule, has five major requirements that a USG participant organization must follow:

  1. Designate one or more employees to coordinate the security safeguards;
  2. Identify and assess the risks to customer information in each relevant area and evaluate the effectiveness of the current safeguards;
  3. Design and implement a safeguards program and regularly monitor and test it;
  4. Select appropriate service providers and contract with them to implement safeguards; and,
  5. Evaluate and adjust the program in light of relevant circumstances or the results of testing.

Federal Regulations on Use of Technology

The TEACH Act relaxes certain copyright restrictions to make it easier for accredited nonprofit colleges and universities to use technology materials in educational settings. Institutions that want to take advantage of the relaxed copyright restrictions must limit “to the extent technologically feasible” the transmission of such content to students who actually are enrolled in a particular course, and they must use appropriate technological means to prohibit the unauthorized retransmission of such information.

In other words, the TEACH Act may require institutions to implement technical copy protection measures and to authenticate the identity of users of electronic course content.

The Higher Education Opportunity Act (HEOA) was signed into law on August 14, 2008. Several sections of the HEOA deal with unauthorized file sharing on campus networks, imposing three general requirements on all U.S. colleges and universities:

  • An annual disclosure to students describing copyright law and campus policies related to violating copyright law.
  • A plan to “effectively combat the unauthorized distribution of copyrighted materials” by users of its network, including “the use of one or more technology-based deterrents”.
  • A plan to “offer alternatives to illegal downloading”.

Each campus must distribute three pieces of information related to copyright policy and law:

i) A statement that explicitly informs its students that unauthorized distribution of copyrighted material, including unauthorized peer-to-peer file sharing, may subject the students to civil and criminal liabilities;

ii) A summary of the penalties for violation of Federal copyright laws;

Summary of Civil and Criminal Penalties for Violation of Federal Copyright Laws
Copyright infringement is the act of exercising, without permission or legal authority, one or more of the exclusive rights granted to the copyright owner under section 106 of the Copyright Act (Title 17 of the United States Code). These rights include the right to reproduce or distribute a copyrighted work. In the file-sharing context, downloading or uploading substantial parts of a copyrighted work without authority constitutes an infringement.
Penalties for copyright infringement include civil and criminal penalties. In general, anyone found liable for civil copyright infringement may be ordered to pay either actual damages or “statutory” damages fixed at not less than $750 and not more than $30,000 per work infringed. For “willful” infringement, a court may award up to $150,000 per work infringed. A court can, in its discretion, also assess costs and attorneys’ fees. For details, see Title 17, United States Code, Sections 504, 505.
Willful copyright infringement can also result in criminal penalties, including imprisonment of up to five years and fines of up to $250,000 per offense.
For more information, please see the Web site of the U.S. Copyright Office at www.copyright.gov, especially their FAQ’s at www.copyright.gov/help/faq.

iii) A description of the institution’s policies with respect to unauthorized peer-to-peer file sharing, including disciplinary actions that are taken against students who engage in illegal downloading or unauthorized distribution of copyrighted materials using the institution’s information technology system.

The Department of Education regulations specify that the plan must be implemented and in writing. It must also be “periodically reviewed” using “relevant assessment criteria” as determined by each campus. Campuses have a great deal of latitude in crafting the plan and choosing the assessment criteria: “Each institution retains the authority to determine what its particular plans for compliance…will be.”

There are four categories of “technology-based deterrents”:

  1. Bandwidth shaping
  2. Traffic monitoring to identify the largest bandwidth users
  3. A vigorous program of accepting and responding to Digital Millennium Copyright Act (DMCA) notices
  4. A variety of commercial products designed to reduce or block illegal file sharing

These categories are equally valid in meeting the requirement to use one or more technology-based deterrents.
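The second deterrent category, monitoring to identify the largest bandwidth users, is the one most readily built from data a campus network already collects. The following is an added example written for this page, not the University’s or the USG’s tooling: it ranks campus hosts by total bytes over constructed NetFlow-style records and flags any host above a configurable share of all campus traffic. The campus prefix, the record format, and the 25% threshold are assumptions. It examines only volume and endpoint addresses, never payload, which keeps it on the usage-pattern side of the ECPA discussion above and compatible with a plan that, as § 668.14(b)(30) permits, prohibits content monitoring.

```python
"""Top-talker report over NetFlow-style records (added example, not University tooling)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: timestamp,src_ip,dst_ip,bytes. Not real traffic.
SAMPLE_FLOWS = """\
2024-03-01T09:00:01Z,10.20.4.17,198.51.100.8,184000000
2024-03-01T09:00:03Z,10.20.4.17,203.0.113.77,92000000
2024-03-01T09:00:05Z,10.20.7.2,198.51.100.9,1200000
2024-03-01T09:00:09Z,203.0.113.5,10.20.4.17,310000000
2024-03-01T09:00:11Z,10.20.9.30,198.51.100.8,5400000
2024-03-01T09:00:15Z,10.20.7.2,203.0.113.77,700000
2024-03-01T09:00:20Z,10.20.9.30,203.0.113.5,48000000
"""

# Assumed campus address space; a real report would use the institution's prefixes.
CAMPUS_NETS = [ip_network("10.20.0.0/16")]


def is_campus(ip):
    """True when the address belongs to one of the campus prefixes."""
    return any(ip in net for net in CAMPUS_NETS)


def parse_flows(text):
    """Parse CSV flow records into (timestamp, src, dst, bytes) tuples.
    Malformed lines are skipped so one bad export row does not abort the report."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            flows.append((ts, ip_address(src), ip_address(dst), int(nbytes)))
        except ValueError:
            continue
    return flows


def bytes_per_campus_host(flows):
    """Attribute each flow's byte count to the campus endpoint. Upload (campus
    source) and download (campus destination) both count, since unauthorized
    file sharing generates heavy traffic in both directions."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_campus(src):
            totals[str(src)] += nbytes
        if is_campus(dst):
            totals[str(dst)] += nbytes
    return dict(totals)


def top_talkers(totals, n=3, share_threshold=0.25):
    """Rank hosts by volume and flag any whose share of all campus traffic
    meets share_threshold. Returns (host, bytes, share, flagged) tuples."""
    grand = sum(totals.values()) or 1  # avoid division by zero on an empty export
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(host, b, b / grand, b / grand >= share_threshold) for host, b in ranked]


if __name__ == "__main__":
    totals = bytes_per_campus_host(parse_flows(SAMPLE_FLOWS))
    for host, b, share, flagged in top_talkers(totals):
        print(f"{host:<12} {b / 1e6:>8.1f} MB {share:6.1%} {'REVIEW' if flagged else ''}")
```

A flagged host is a lead for the plan’s disciplinary procedures, not proof of infringement: high volume also comes from legitimate research transfers and backups, so the review step in § 668.14(b)(30)(i)(C) still applies before any action.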

§ 668.14 Program participation agreement.

(b) By entering into a program participation agreement, an institution agrees that—

(30) The institution—

(i) Has developed and implemented written plans to effectively combat the unauthorized distribution of copyrighted material by users of the institution’s network, without unduly interfering with educational and research use of the network, that include—

  • (A) The use of one or more technology-based deterrents;
  • (B) Mechanisms for educating and informing its community about appropriate versus inappropriate use of copyrighted material, including that described in §668.43(a)(10);
  • (C) Procedures for handling unauthorized distribution of copyrighted material, including disciplinary procedures; and
  • (D) Procedures for periodically reviewing the effectiveness of the plans to combat the unauthorized distribution of copyrighted materials by users of the institution’s network using relevant assessment criteria. No particular technology measures are favored or required for inclusion in an institution’s plans, and each institution retains the authority to determine what its particular plans for compliance with paragraph (b)(30) of this section will be, including those that prohibit content monitoring; and

(ii) Will, in consultation with the chief technology officer or other designated officer of the institution—

  • (A) Periodically review the legal alternatives for downloading or otherwise acquiring copyrighted material;
  • (B) Make available the results of the review in paragraph (b)(30)(ii)(A) of this section to its students through a Web site or other means; and
  • (C) To the extent practicable, offer legal alternatives for downloading or otherwise acquiring copyrighted material, as determined by the institution.

§ 668.43 Institutional information.

(a) Institutional information that the institution must make readily available upon request to enrolled and prospective students under this subpart includes, but is not limited to—

(10) Institutional policies and sanctions related to copyright infringement, including—

  • (i) A statement that explicitly informs its students that unauthorized distribution of copyrighted material, including unauthorized peer-to-peer file sharing, may subject the students to civil and criminal liabilities;
  • (ii) A summary of the penalties for violation of Federal copyright laws; and
  • (iii) A description of the institution’s policies with respect to unauthorized peer-to-peer file sharing, including disciplinary actions that are taken against students who engage in illegal downloading or unauthorized distribution of copyrighted materials using the institution’s information technology system.

Updated May 2012

The Computer Fraud and Abuse Act (CFAA) criminalizes unauthorized access to a “protected computer” with the intent to obtain information, defraud, obtain anything of value or cause damage to the computer. A “protected computer” is defined as a computer that is used in interstate or foreign commerce or communication or by or for a financial institution or the government of the United States. A participant organization may use this law when there has been a break-in of their computer systems.

The International Traffic in Arms Regulations (ITAR), published by the U.S. State Department, address items, software, and technologies that are primarily defense-related in application. The list of ITAR-controlled items is the United States Munitions List (USML). Questions concerning ITAR compliance should first be directed to the Office of Research Services and Sponsored Programs, which will involve ITS as may be prudent in developing compliance capabilities.

The Export Administration Regulations (EAR), published by the U.S. Commerce Department, address “dual use” items, information, and software that are primarily commercial in nature but also have potential military applications. The EAR’s list of controlled items is the Commerce Control List (CCL), which includes encryption software (Category 5, Part 2) and so reaches ordinary IT products and research code. IT Services works with researchers and others within the University to ensure that methods and technologies are EAR compliant. Questions concerning EAR compliance should first be directed to the Office of Research Services and Sponsored Programs, which will involve ITS as may be prudent in developing compliance capabilities.

Georgia Southern University operates a cable television system and is required by the FCC to periodically conduct a sweep for signal leakage. The last sweep was conducted in December 2013 and the results were within acceptable levels.

Read full report: FlyOverReport-GEORGIASOUTHERNUNIVERSITY-GA-2013-12-18

Section 508 – Accessibility

Section 508 of the Rehabilitation Act Amendments of 1998 requires that web-based information and data be equally accessible to individuals with and without disabilities. The Board of Regents of the University System of Georgia has determined that institutions under the Board of Regents fall within the scope of Section 508.   Please see Overview of Section 508 below for more information.

Accessibility is a high priority issue for the Board of Regents (BoR), the University System of Georgia (USG) and Georgia Southern University. By endorsing Web accessibility guidelines established by the World Wide Web Consortium (W3C), Georgia Southern strives to provide full access to institutional information, programs and activities offered through the Web while meeting federal regulations and USG policy. The University addresses accessibility compliance through the activities described below, following an overview of the law.

Overview of Section 508

Section 508 of the Rehabilitation Act Amendments of 1998 requires that when federal departments and agencies procure, develop, maintain or use electronic and information technology (E&IT), subject to commercial availability, they must ensure that it complies with the Section 508 standards developed by the Architectural and Transportation Barriers Compliance Board (Access Board), unless doing so would pose an undue burden on the federal department or agency. The purpose of the law is to ensure that federal employees and members of the public with disabilities have access to the same information and data as employees and members of the public without disabilities.

Applicability

Section 508 applies to federal departments and agencies. Section 101(e)(3) of the Assistive Technology Act of 1998 (AT Act) requires that States receiving AT Act funds must also comply with Section 508 and the standards. Section 508 does not apply to public or private entities manufacturing and/or selling E&IT.

Impact

Individuals cannot bring civil actions against the private sector. However, companies who intend to sell or lease electronic and information technology to federal departments and agencies should be aware that Section 508 standards have been incorporated into the federal acquisition regulations (FAR). Companies may wish to review their E&IT to confirm compliance with the Section 508 standards.

While manufacturers are not required to modify their products, federal departments and agencies are required to give priority to procuring products which comply with the Section 508 standards. Additionally, depending on the terms of their contract, companies that misrepresent the degree to which the E&IT they sell or lease to the government meets the Section 508 standards may be liable to the government.

E&IT used by a company in the course of its business, but which will not be sold or leased to covered government entities, is not required to comply with Section 508 standards. For example, private web sites, not developed for a covered government entity, do not have to comply with Section 508 standards, but may be required to meet access requirements under Title III of the Americans with Disabilities Act.

Scope

The technical standards of Subpart B of the Section 508 standards (36 CFR Part 1194) provide criteria for various types of technologies:

  1. Software applications and operating systems (1194.21)
  2. Web-based intranet and internet information and applications (1194.22)
  3. Telecommunications products (1194.23)
  4. Video and multimedia products (1194.24)
  5. Self-contained, closed products (1194.25)
  6. Desktop and portable computers (1194.26)

Subparts C and D (Functional Performance Criteria (1194.31) and Information, Documentation, and Support (1194.41)) provide additional guidance for these technologies.

The University participates in University System initiatives and facilitates campus forums to discuss accessibility, build awareness, and adopt practices for implementation of accessibility compliance. The University engages issues of information accessibility compliance and related issues through various University offices and coordinating councils and committees.

Web Advisory Council

Participation in the WAC is open to all University web content providers.

Student Accessibility Resource Center

The Student Disability Resource Center is responsible for the coordination of all services for students with disabilities. The Center provides reasonable academic accommodations and coordinates appropriate services based on the student’s individual needs.

Center for Academic Technology Support (CATS)

The Center for Academic Technology Support provides resources and support for technology systems for the Division of Academic Affairs that address institutional strategies for the application of technology to improve efficiencies and outcomes related to student, faculty, and administrative success.

Faculty Center

The Faculty Center brings pedagogical and technological issues together to support Georgia Southern faculty and teaching assistants in their roles as educators.

The University provides resources and tools for assessing accessibility compliance. Georgia Southern University IT Services licenses the Siteimprove tool for monitoring WCAG 2.0/508 compliance. Additionally, the following tools and resources are among many that are available for testing compliance with various standards.
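As an added illustration of the kind of check such tools automate (this is example code for this page, not Siteimprove’s product or any University tool), the following standard-library Python script runs four static checks over a constructed HTML page: images without an alt attribute (WCAG 2.0 1.1.1, 508 § 1194.22(a)), a missing document language (WCAG 2.0 3.1.1), form controls with no associated label (WCAG 2.0 1.3.1 and 4.1.2, 508 § 1194.22(n)), and links with no accessible name (WCAG 2.0 2.4.4). The sample markup and its defects are constructed, and the line numbers in the findings refer to that sample.

```python
"""Minimal static accessibility checks using only the standard-library HTML parser.
Added example for this page; not Siteimprove or any University tool."""
from html.parser import HTMLParser

# Constructed sample page with deliberate defects (not a real University page).
SAMPLE_HTML = """<html>
<head><title>Course Materials</title></head>
<body>
<img src="logo.png" alt="Georgia Southern University">
<img src="chart.png">
<a href="/syllabus.pdf"><img src="pdf-icon.png" alt=""></a>
<a href="/grades">View grades</a>
<form>
  <label for="q">Search</label><input id="q" type="text">
  <input id="term" type="text">
  <input type="submit" value="Go">
</form>
</body></html>"""

# Input types whose value attribute already provides the accessible name.
NO_LABEL_NEEDED = {"submit", "reset", "button", "hidden", "image"}


class A11yChecker(HTMLParser):
    """Collects (line, message) findings while the parser streams the markup."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.labels_for = set()      # ids referenced by <label for="...">
        self.inputs = []             # (line, id, type, aria-label), checked at close()
        self.html_lang = None
        self.in_link = False
        self.link_line = None
        self.link_text = ""
        self.link_has_named_img = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "html":
            self.html_lang = a.get("lang")
        elif tag == "img":
            if "alt" not in a:
                self.findings.append((line, "img without alt attribute"))
            elif self.in_link and (a.get("alt") or "").strip():
                self.link_has_named_img = True  # alt text names the enclosing link
        elif tag == "a":
            self.in_link, self.link_line = True, line
            self.link_text, self.link_has_named_img = "", False
        elif tag == "label" and a.get("for"):
            self.labels_for.add(a["for"])
        elif tag == "input":
            self.inputs.append((line, a.get("id"), (a.get("type") or "text").lower(),
                                a.get("aria-label")))

    def handle_data(self, data):
        if self.in_link:
            self.link_text += data

    def handle_endtag(self, tag):
        if tag == "a" and self.in_link:
            self.in_link = False
            if not self.link_text.strip() and not self.link_has_named_img:
                self.findings.append((self.link_line, "link with no accessible name"))

    def close(self):
        super().close()
        # Whole-document checks: a <label for> may legitimately follow its control.
        if not self.html_lang:
            self.findings.append((1, "html element without lang attribute"))
        for line, ident, itype, aria in self.inputs:
            if itype in NO_LABEL_NEEDED or aria or (ident and ident in self.labels_for):
                continue
            self.findings.append((line, "form control without label"))


def check_html(markup):
    """Return findings sorted by line; an empty list means no defect was detected."""
    checker = A11yChecker()
    checker.feed(markup)
    checker.close()
    return sorted(checker.findings)


if __name__ == "__main__":
    for line, message in check_html(SAMPLE_HTML):
        print(f"line {line}: {message}")
```

A clean result from checks like these is necessary but not sufficient: colour contrast, keyboard operability, focus order, and whether the alt text that is present actually describes the image all need manual or assistive-technology testing, which is why the page pairs a scanning tool with the campus offices listed above.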

Accessibility Checkers

Additional Resources

Georgia Southern University seeks to use technology applications that facilitate accessibility and comply with Section 508 regulations. The University strives to adopt and/or develop web technologies that comply with federal regulations and guidelines for accessibility. The following information outlines the technology and software used by Georgia Southern University towards that goal. Please note that the list may not represent all software used or all assistive capabilities, as improvements and upgrades are ongoing and continuous. The Student Disability Resource Center provides resources for students who require special accommodations.

AMAC

The University subscribes to AMAC technology and services that support accessibility. AMAC Accessibility was incubated out of the University System of Georgia in 2005 to help post-secondary disability services offices provide complete, timely, efficient accommodations to print-disabled students so they can be more independent and productive in their academic environments. Today, as a research and service center of the Georgia Tech College of Architecture, AMAC’s expertise, software tools and technology empower not only college disability service providers, but also K-12 educators, corporations, non-profits, and government institutions throughout the United States, to provide equal access to education, work and life for individuals with disabilities of all kinds.

See available AMAC Software tools.

Desire2Learn  

“Desire2Learn is committed to reporting our web accessibility compliance openly and transparently. We believe that accessibility standards and laws are more than checklists and work with our client-led Accessibility Interest Group to ensure our Section 508 VPATs and WCAG 2.0 checklists are descriptive and accurate.”

Resources

The Desire2Learn Accessibility Standards Compliance page provides links and documentation about D2L compliance.