May 1, 2025 Edition of Ask the Assessor: Navigating Policy Hierarchies in Support of Compliance
Submit your ideas and help as a guest writer [Ask the Assessor Form]
This month’s guide dives into the practicality of inheriting institutional policies to meet compliance requirements. Learn how a layered policy approach can streamline efforts, promote standardization, and address critical regulatory obligations like HIPAA and NIST 800-171 for CUI environments.
RRCoP's Question: Academic institutions are subject to existing state, local or institutional policies, procedures and standards to support their operations, including any CUI environments. Is it acceptable to refer to these and inherit them when a control is satisfied by a higher level of policy?
This edition covers:
Policy inheritance and its benefits
Recommendations for linking policies and procedures
Leveraging GRC tools for compliance
Ensuring enforcement and documentation
The February Edition of Ask the Assessor is available, responding to: Can a single enclave infrastructure securely handle multiple data classification types (e.g., HIPAA, ITAR, DFARS, FERPA) provided the required security controls (NIST 800-171) are followed?
In this premier edition, you’ll learn about managing multiple data classification types (HIPAA, ITAR, DFARS, FERPA). You’ll discover how to approach implementing stringent security controls and effectively handle complex compliance requirements in a single enclave. The guide also covers network segmentation, access management, example use cases, and more! [View Full Question & Response]
Overview
The Regulated Research Community of Practice (RRCoP) has demonstrated the substantial impact that research institutions can achieve when they work together to build capacity for supporting compliance-regulated research. Over the last few years, RRCoP members have identified numerous shared challenges and discovered the power of a collective voice. By leveraging this voice to seek expert guidance and share solutions, RRCoP continues to amplify the impact of compliance efforts across institutions. It is important that RRCoP extend the impact of these benefits far beyond individual organizations.
RRCoP is pleased to partner with Frazier & Deeter (www.frazierdeeter.com), a top 50 CPA / Advisory firm, and their team of assessors, who have experience in governance, risk, and compliance and a specialty in serving research universities, on a new initiative titled “Ask The Assessor”.
“Ask The Assessor” Overview
To address evolving compliance challenges, RRCoP will collect feedback from its community on specific interests or concerns. These will be developed into small, anonymized use cases that reflect compliance scenarios within regulated research. This approach ensures the questions are grounded in real-world RRCoP needs and provides a relevant basis for Frazier & Deeter's responses. Frazier & Deeter will respond to these use cases by providing feedback on how assessors might approach or evaluate these various implementation strategies. This guidance will offer RRCoP members insights into tried-and-true methods for regulatory alignment, grounded in Frazier & Deeter’s extensive assessment experience. These write-ups will be published approximately six times per year, each tailored to key compliance concerns within the community.
Shared Goals and Outcomes
By combining RRCoP’s integration with community needs and Frazier & Deeter’s compliance expertise, this partnership will equip the RRCoP community with a collection of actionable implementation strategies at no cost to the individual institution. This collaboration is designed to empower research institutions to proactively address assessment challenges and develop confidence in their compliance practices.
RRCoP has begun assembling the team of volunteers, and we'd like to compose our first one during January 2025. If you have ideas, we'd like to hear from you. Submit your ideas and help as a guest writer [Ask the Assessor Form]
RRCoP 'Ask The Assessor' Team
Erik Deumens, University of Florida
Ryan Duitman, University of Arizona
Carolyn Ellis, Arizona State University
Cal Frye, Case Western Reserve University
Michael Hacker, Arizona State University
Jeremy Hallum, University of Michigan
Jim Kenyon, University of Michigan
Deb McCaffrey, Arizona State University
Sam Porter, University of Maryland
Laura Raderman, Carnegie Mellon University