Skip to main contentReport an accessibility problemASU HomeMy ASUColleges and Schools
Sign In
Arizona State UniversityArizona State University
Get Protected
  • Home
  • Services
    • Overview
    • Vendor IT Risk Assessments
    • Vulnerability Management
    • CMDB for Web Applications
    • Incident Response
    • IT Risk Assessment
    • Phishing Response
  • Compliance & Regulations
    • Overview
    • CMMC
  • Training
    • ASU Information Security Training
    • ASU and FERPA
    • ASU and HIPAA
    • Cybersecurity Awareness Month
  • Policy & Practices
    • Overview
    • Effective Practices
    • Identity Theft Protection
    • Physical Security
    • Policies & Standards
    • Security Tips

      Data

    • Device & Data Encryption
    • Data Storage
    • Logging Best Practices
    • Data Classification Tool

      Remote

    • Telecommuting, Mobile and Travel Safety
  • Communities
    • Privacy Champions
    • External Groups
    • Student Technology Advisory Board
    • ET Community of Practice
  • About Us
  • Contact Us
Enclosed office space

Compliance & Regulations

Overview Federal State Industry Global
Previous Next

Triangle-shaped diagram related to a policies and regulations process

Why Compliance Matters: Protecting Our Institution, Data, and Reputation

Data is one of our most valuable assets in today's digital landscape. As a leading institution handling a vast array of sensitive information—from financial and health records to research and student data—we must adhere to strict security and regulatory frameworks. Compliance with these frameworks is not just a legal obligation; it is a fundamental responsibility that ensures our data's integrity, confidentiality, and availability while safeguarding the trust placed in us by students, employees, partners, and the broader community.

The Importance of Compliance

1. Protecting Sensitive Data

We manage Controlled Unclassified Information (CUI), financial records (GLBA, PCI), health information (HIPAA), student records (FERPA), and global data (GDPR). Failure to comply with these regulations can result in unauthorized access, identity theft, financial fraud, or data breaches, putting individuals and the institution at risk.

2. Avoiding Legal and Financial Consequences

Non-compliance can lead to severe penalties, lawsuits, and regulatory fines. CMMC Level 2, HIPAA, and PCI impose stringent security requirements, and violations could result in:

  • Fines and legal actions that may cost millions of dollars.
  • Loss of federal funding and contracts, directly impacting research and operational budgets.
  • Damage to partnerships and reputation, making it harder to collaborate with industry leaders and government entities.

3. Maintaining Institutional Trust and Reputation

Trust is at the core of our institution’s success. A data breach or regulatory failure can erode the confidence of students, parents, faculty, and stakeholders. Compliance ensures we maintain ethical standards, transparency, and accountability in managing sensitive data.

4. Enabling Business Continuity and Operational Efficiency

A structured compliance framework fosters proactive risk management, preventing incidents before they disrupt operations. By integrating security best practices, we enhance resilience against cyber threats, ensuring that critical services remain uninterrupted.

5. Meeting Federal and Industry Standards

As a research institution and an organization engaged in federal contracts, we are required to meet CMMC Level 2 standards for handling Controlled Unclassified Information (CUI). Compliance with frameworks like HIPAA, GLBA, and PCI ensures that we meet federal and industry mandates, allowing us to continue working with government agencies and commercial partners.

Compliance Is a Shared Responsibility

Faculty, staff, and students play a role in ensuring compliance. We collectively strengthen our institution's security posture by following security policies, completing mandatory training, and adhering to data handling best practices.

What You Can Do

  • Follow data security policies and best practices.
  • Use secure systems for storing and transmitting sensitive information.
  • Report security concerns or potential compliance issues.
  • Stay informed through mandatory training and institutional guidelines.

By prioritizing compliance, we protect our data, maintain regulatory approval, and uphold the trust of our community and partners. Compliance is not just about following rules but safeguarding our future.

Ensuring Compliance in Contracts

Every contract we sign must align with our security, privacy, and regulatory obligations to protect institutional and stakeholder data. Vendors handling CUI (CMMC Level 2), health data (HIPAA), financial records (GLBA, PCI), student records (FERPA), and global personal data (GDPR) must meet our security standards. To mitigate risk, contracts should include data protection terms, breach notification requirements, liability clauses, and audit rights. Ensuring vendor compliance is a key part of our Third-Party Risk Management strategy, helping us safeguard sensitive data, reduce legal exposure, and maintain trust in our partnerships. Always consult Procurement or Legal teams before signing agreements.

Contracts for Open Source and Free Software

Even when using open-source or free software, contracts, and agreements remain essential to ensure security, compliance, and proper usage rights. Open-source licenses vary widely; some may include data usage clauses, security vulnerabilities, or legal obligations that could pose risks to our institution. By reviewing terms and establishing clear agreements, we can protect sensitive data, ensure regulatory compliance (CMMC, HIPAA, GLBA, GDPR), and mitigate legal exposure. Always consult Legal and Compliance teams before integrating open-source tools into our environment.

 

Many regulations apply to data handled by ASU. To determine the regulations that apply to your data, use our Data Classification Tool. If you already know which regulations apply, see which Enterprise Technology systems can be used to store regulated data with the Data Storage Selector Tool. Below you will find additional resources on some of these regulations:

Family Education Rights and Privacy Act (FERPA)

The federal Family Educational Rights and Privacy Act (FERPA,  also called the Buckley Amendment) affords students certain privacy rights regarding their education records. The full text of FERPA is available at (20 U.S.C. § 1232g; 34 CFR Part 99)

ASU defines FERPA Education Records as “Any record(s) directly related to a student and maintained by ASU or by a party acting for the university. Education records include any information or data recorded in any medium, including but not limited to handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.”

ASU Data Handling Tip: FERPA Education Records should not be used, viewed, or processed without a “Legitimate Educational Interest” as defined by FERPA. 

Other than disclosure to the student, disclosure to any other parties requires either written consent of the student, or the application of a FERPA exception.

For additional details, please see the following ASU resources:

  • ASU’s FERPA disclosure statement
  • ASU policy SSM 107-01: Release of Student Information
  • ASU policy SSM 107-02: Lost, Stolen, or Inappropriately Disclosed Student Records Information
  • Required FERPA training for staff
Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), coupled with the Red Flags Rule, is a federal law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (called Non-Public Information or NPI), ensuring the confidentiality and security of personal financial information. The full text of GLBA is available at (15 U.S.C. § 6801 et seq.)

ASU Data Handling Tip: The GLBA applies to FASFA application data and data gathered for and used in the delivery of a financial service, specifically federal financial aid.

Health Information Portability and Accountability Act (HIPAA)

Protected Health Information (PHI) is individually identifiable health information, including demographic information, that is created or received by a HIPAA Covered Entity and that relates to the past, present, or future physical or mental health of an individual, provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual. PHI is protected by HIPAA, the Health Insurance Portability and Accountability Act. The full text of HIPAA is available at (42 U.S.C. § 1320d et al., 45 C.F.R. Parts 160 and 164)

To learn more about PHI at ASU, please visit ASU’s Get Protected page. 

ASU Data Handling Tip: There are 8 units/departments that are included in the ASU Covered Entity under HIPAA regulations. For a list of those covered entities, please click here.

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is a category of information in the United States federal government that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, but is not classified under Executive Order or the Atomic Energy Act. To learn more about CUI, please visit the National Archive’s information page for CUI.

ASU Data Handling Tip: If you are handling CUI, your ASU-managed device must be encrypted by your IT Support Unit, and you must follow stringent security controls.
 

For more about compliance in Highed Education please click Higher Education Compliance Matrix

ABOR Policies

ABOR Policy 9-202F states that, "Each university shall establish an Information Security Committee.  The Committee will review and recommend information security policies and standards, and provide guidance and support to the Information Security Officer or Information Security Director for the implementation and maintenance of the Program."

ABOR Policy Manual

ABOR Policy on Information Security

  • 9-201
  • 9-202

A.R.S. 18-552 - Arizona Data Breach Notification Statute

The following is the Arizona State Statute regarding notification requirements in the event of a data breach involving personal information.  Please note that any breach, suspected breach, or suspected loss of data should be reported through the Information Security Incident Response process

18-552 Arizona Breach Statute
18-551 Definitions

A.R.S. 38-448 - State employees; access to internet pornography prohibited; cause for dismissal

Arizona law allows for the dismissal or discipline of state employees who use state-owned equipment to view material or services that depict nudity or sexual activity, unless the employee has the authorization of the agency head. The statute governs all ASU employees, including student employees.   

More Information regarding computer use at ASU

A.R.S. 13-2316 - Computer Tampering

Arizona law considers the tampering with of state computer systems to be a class 3 felony. This includes "[a]ccessing, altering, damaging or destroying any computer, computer system or network" with malicious intent or using state networks or computer systems "recklessly."

More information regarding the state Computer Tampering statute

California Consumer Privacy Act (CCPA)

The CCPA grants California residents (ASU has resident students in California) significant control over their personal information. It lets consumers know what data businesses collect about them, request deletion, and opt out of data sales. The CCPA applies to for-profit businesses meeting specific criteria, such as annual revenues over $25 million or handling data of 100,000 or more California residents. Non-compliance can result in fines of up to $7,500 per violation, and consumers can sue if their data is exposed due to inadequate security.

New York SHIELD Act

The SHIELD Act strengthens New York's data breach notification requirements and mandates appropriate security measures to protect personal information. It expands the definition of private information to include biometric records and login credentials. Businesses must adopt administrative, technical, and physical safeguards, such as employee training and intrusion detection systems. Non-compliance may lead to civil penalties and legal action from the state attorney general.

Non-Arizona State Privacy Laws 


Many US states have passed comprehensive privacy laws. These state laws are generally one of two main types: Those that contain organizational exemptions for public-sector organizations or higher education institutions like ASU, and those that exempt specific types of data that are governed by other regulations such as FERPA, HIPAA, and GLBA. Other data collected by ASU from data subjects in these states may be subject to these laws. 


Most of these laws require common privacy best practices, including:
 

Ensuring rights for data subjects (individuals):Mandating organizational responsibilities, such as:
  • Right to access
  • Right to correct/amend
  • Right to delete / right to be forgotten
  • Right to data portability
  • Right to opt out of certain uses, such as:
    • Sale of personal data
    • Targeted advertising
    • Some types of profiling
  • Provide a transparent privacy policy
  • Collect consent for the use of sensitive data
  • Limit data use to the purpose for which it was collected
  • Limit data collection to what is reasonably necessary for that purpose
  • Delete or anonymize data when no longer needed for that purpose
  • Secure personal data
  • Conduct data privacy impact assessments for any high-risk uses of personal data
     
PCI Compliance (payment card industry)

ASU Cybersecurity requires that all departments with a business requirement to process cards are in compliance with the current PCI DSS Data Security Standards. 

Workstation/device hardening standards - ASU has adopted the Center for Internet Security (CIS) standards for hardening servers, workstations and mobile devices.

Please visit the ASU PCI compliance merchant services site for more information.

Defense Industry: DFARS (Defense Federal Acquisition Regulation Supplement)

DFARS includes cybersecurity requirements for defense contractors working with the Department of Defense (DoD). Contractors must implement NIST SP 800-171 controls to protect Controlled Unclassified Information (CUI) and report cybersecurity incidents to the DoD. Compliance is critical for securing defense contracts; failure can result in disqualification from defense projects.

The Cybersecurity Maturity Model Certification (CMMC) adds accountability by requiring contractors to meet specific cybersecurity maturity levels based on the sensitivity of the information handled. With the necessary certification level, businesses can bid on defense contracts.

ASU's CMMC specific pages can be found here

The International Traffic in Arms Regulations (ITAR)

The US Department of State is responsible for the export and temporary import of defense articles and services governed by 22 U.S.C. 2778 of the Arms Export Control Act ("AECA"; see the AECA Web page) and Executive Order 13637. The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130) implements the AECA. Arizona State University is required to observe all ITAR regulations in dealing with research articles, that pertains to defense.  

More information about ITAR is available here: US State Department ITAR Information

Many countries have passed comprehensive privacy laws, some of which may apply to data handled by ASU, even when the handling occurs within the United States. Foreign privacy laws include:
 

  • General Data Protection Regulation (GDPR) from the European Union / European Economic Area
  • General Data Protection Regulation (GDPR UK) from the United Kingdom
  • Personal Information Protection Law (PIPL) from the Peoples Republic of China
  • Lei Geral de Proteçao de Dados (LGPD) from Brazil
  • Digital Personal Data Protection Act (DPDP Act) from India
  • Personal Information Protection Act (PIPA) from South Korea

  • And many more

     

Most of these laws require common privacy best practices, including:

Ensuring rights for data subjects (individuals):Mandating organizational responsibilities, such as:
  • Right to access
  • Right to correct/amend
  • Right to delete / right to be forgotten
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to not be subject to decisions based solely on automated processing
  • Right to opt out of certain uses, such as:
    • Sale of personal data
    • Targeted advertising
    • Some types of profiling
       
  • Provide a transparent privacy policy
  • Only collect or use data under a specified legal basis
  • Collect consent for the use of sensitive data
  • Limit data use to the purpose for which it was collected
  • Limit data collection to what is reasonably necessary for that purpose
  • Delete or anonymize data when no longer needed for that purpose
  • Secure personal data
  • Conduct data privacy impact assessments for any high-risk uses of personal data
     
Get Protected | Arizona State University

Contact Us

About
About Us Inaccessible
Resources
Policies & Standards Remote Work Security Training
Services
Inaccessible Inaccessible Incidence Response Vulnerability Management
Maps and Locations Jobs Directory Contact ASU My ASU
Repeatedly ranked #1 on 20+ lists in the last 3 years
Copyright and Trademark Accessibility Privacy Terms of Use Emergency