ARCHIVED: Completed Project: Compliance Tracking Tool

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Primary UITS contact: Merri Beth Lavagnino

Completed: February 27, 2012

Description: Compliance is the act of adhering to (and demonstrating adherence to) external laws and regulations, as well as institutional policies and standards. The most efficient and effective management of compliance requires tools that:

  • Collect information about regulatory, legal, and institutional policies and standards requirements, harmonizing them to reduce duplication.
  • Help orchestrate compliance activity, typically by having units upload or enter applicable assets or projects, and then answer questions about each asset/project's level of compliance with those requirements, maintaining these answers in a database to be re-used as needed.
  • Provide feedback to unit administration, typically through a dashboard, so they can identify gaps, formulate risk assessments, and plan to improve compliance.

Facilitating these activities by using an enterprise-wide tool enables powerful statistical reporting and analysis to university executive administration and other appropriate areas such as sector compliance units, security, privacy, legal, and audit. This will foster greater university-wide compliance planning. For example, aggregate statistics that point out the greatest overall gaps enable central offices to more effectively identify where to focus university-wide awareness, education, and resources such as technical assistance and site licenses.

IU issued a request for information (RFI) in fall 2010 to help identify potential solutions for a compliance tracking tool, which is often a module included in what are referred to as enterprise Governance, Risk, and Compliance (GRC) tools. We also wanted to explore additional benefits that such tools may offer. Based on the information we gathered in the RFI process, we convened a group of stakeholders who assisted us in developing an RFP, which was then distributed to 10 vendors in early April 2011.

Scope: The goal of this project is to determine which Compliance Tracking Tool provides us with the best functionality, and has the right technology fit for IU. We added requirements for Risk Management and Policy Management as optional specifications in the RFP. We propose to purchase a compliance tracking tool, which will focus on enterprise information security and privacy requirements, by late summer or early fall 2011. This tool will assist units in becoming aware of current requirements, as well as provide a method for them to identify their gaps and devise a strategy for improving compliance. Coordinating this activity through one enterprise tool will allow the UIPO access to enterprise statistics illustrating where the greatest challenges are and allowing us to better target awareness and training activities, obtain enterprise licenses for tools, and coordinate with UITS to provide technical resources to assist units.

However, GRC products are typically flexible enough to provide compliance tracking for nearly any sector, including financial, environmental health and safety, and health care. In addition, there are typically many companion modules available in an enterprise version of a GRC, such as enterprise risk management, policy management, audit management, and vendor/supplier management. These modules leverage data already entered in the compliance management module.

Outcome: Purchase of a university-wide compliance tracking module

Milestones and status:

  • RFP distributed to 10 companies in April 2011
  • University-wide presentations held via videoconferencing in late July and early August 2011 for four of the vendors who responded to the RFP
  • Product selection is occurring in September-October 2011.
  • Implementation by UIPO will likely occur spring 2012.

Comment process: A large number of stakeholders throughout the university were notified about the benefits of this tool, and participated in defining the RFP specifications and distribution of the RFP. The stakeholder group also reviewed the RFP responses and rated vendors based on criteria developed by the group, determining that four of the vendors were a good fit, and therefore would be invited to IU to make presentations on their products. Notification of the dates for these presentations was sent to all stakeholders who wished to be involved.

We maintain an Oncourse site for interested stakeholders that includes all supporting documents, for example, the final RFP, RFP responses, evaluation criteria, and outlines for vendor presentations.

This is document banb in the Knowledge Base.
Last modified on 2018-01-18 16:19:55.