Event Experience



Delivered entirely online, this two-day Symposium offers live, online engagement opportunities intentionally designed to allow time for reflection between sessions filled with content, inspiration, and connection. The program includes interactive community discussions and emphasizes community-driven content that highlights innovative projects, practical strategies, and impactful achievements from across the higher education community.

Earn the Microcredential

Each registered participant will complete various activities that apply concepts and strategies introduced in the Symposium that support the learning outcomes. Those who successfully complete required activities will receive an EDUCAUSE digital microcredential recognizing their accomplishment.

Day One | January 26 Sessions Include:

Saint Elizabeth University, a small institution with very limited staff, needed to comply last year with the Gramm-Leach-Bliley Act for vulnerability scanning and third-party risk management, specifically sections 16 CFR § 314.4(d)(2): establishment of continuous monitoring processes for information systems or periodic vulnerability assessments and penetration testing, and 16 CFR § 314.4(f)(3): creation of procedures to periodically assess service providers.

After an overview of the institution’s third-party hosted sites and vendors, a discussion of how this was accomplished and a short demonstration of the applicable parts of the FortifyData system will be offered.

Ron Loneker Jr, Director, IT Special Projects, Saint Elizabeth University

The U.S. Department of Education Privacy Technical Assistance Center (PTAC) provides training on the Family Educational Rights and Privacy Act (FERPA) to thousands of people every year, and the resources we’ve developed reach even more. This session will highlight experience and best practices for developing an engaging cybersecurity and FERPA training program for your faculty, staff, and students. Highlighting postsecondary-specific elements in the law, PTAC staff will illustrate how to create, implement, and assess effective cybersecurity and privacy education programs designed to reduce human risk factors and strengthen the overall security posture of institutions.

Brittani Fairchild, Subject Matter Expert, AEM Corporation

Higher education institutions are caught between complex regulatory mandates and the need to foster an open, innovative academic environment. This challenge is magnified by regulatory whiplash that creates significant risk and confusion. Consider the January 2025 change to Title IX when a federal court decision vacated new 2024 rules. This reversal created uncertainty not just for administrators, but for the cybersecurity protocols protecting the highly sensitive data involved. What policies need to be revised? Do staff need to be retrained? Who needs access to these records, and how do we digitally enforce access? When compliance is just a checkbox, institutions leave critical data vulnerable.

This session bridges the gap between legal mandate and practical implementation. Drawing on our unique blend of experience in legal risk management (Sally Harper, J.M.) and cybersecurity education (Ben Syn, CISSP), we will provide a framework for translating dense legal requirements into engaging, secure, and mission-aligned compliance programs. Using the Title IX rollback as a case study, we will demonstrate how to transform legal analysis into clear cybersecurity controls and actionable guidance for staff. We will share peer-tested strategies for using storytelling and empathy to build a sustainable culture of compliance that protects the institution while supporting its core mission.

Ben Syn, Director, University and Career Education, KnowBe4

Sally Harper, Compliance Content Specialist, KnowBe4

Saint Elizabeth University opened its Speech Language Pathology program in fall 2025. As part of the program, students have the experience of working in the SLP Clinic, which is a free clinic open to the public. As a covered entity under HIPAA, the program needed to stand up a HIPAA compliance program. This short presentation will offer a brief introduction to the steps that needed to be put in place and how the program was set up in under three months.

Ron Loneker Jr, Director, IT Special Projects, Saint Elizabeth University

The Regulated Research Community of Practice (RRCoP) is a national network of more than 370 institutions and 1,400 professionals who are all working through the same challenges of regulated research. RRCoP has built and connected to a wealth of trusted resources that help with the entire workflow at an institution, from research administration to IT security to compliance offices. We're not just the glue between roles within an institution, or institutions with peers; we're also the glue between aligned or specialized communities that are also working toward supporting these regulated research efforts.

Since 2021, we’ve created practical, peer-driven outputs: community workshops, monthly webinars sharing lessons learned, and shared resources like example System Security Plans, approaches for sustainable documentation, cost models, and journeys of compliance. These give institutions real models to work from instead of having to invent everything on their own.

This session will introduce RRCoP, show what we’ve produced so far, and share how you can plug in. Attendees will leave with a clear sense of resources available today, how peers approach requirements like NSPM-33 and CMMC, and where to connect if you want to be part of shaping what comes next.

Carolyn Ellis, Director, Research Cybersecurity and Compliance, Arizona State University

Day Two | January 28 Sessions Include:

Navigating the ever-evolving regulatory landscape in higher education, including frameworks like NIST SP 800-171, CMMC, GLBA, and HIPAA, requires more than reactive compliance. This session explores how one university developed a tailored Information Security Maturity (ISM) program by building on its established Information Security Risk Management framework and aligning with the Cybersecurity Maturity Model Certification (CMMC). To support structured evaluations and targeted improvements, the program incorporates an external assessment platform endorsed by The Cyber AB to help guide the compliance journey. Rather than adopting a one-size-fits-all model, the university designed a roadmap that reflects institutional priorities, operational realities, and regulatory obligations. The ISM program also incentivizes participation through the issuance of microcredentials upon completion of the assessment process to foster engagement and accountability. This presentation will offer a practical look at how maturity modeling can be customized to meet institutional needs while strengthening compliance readiness and promoting continuous improvement.

Wendy Epley, Principal Analyst, Information Security GRC, The University of Arizona

Universities face a mounting maze of cybersecurity and privacy requirements—HIPAA, FERPA, GDPR, CMMC, and state-level laws—that too often pull faculty and IT teams into reactive patching. Yet higher education thrives on innovation, advancing research and academic programs in ways that demand agility.

This session explores how institutions can move beyond patching by embedding compliance into workflows, automating security controls, and securing their software supply chains. Rather than slowing down research, compliance becomes a force multiplier that unlocks secure collaboration, faster grant approvals, and resilient digital services.

Participants will leave with strategies to transform compliance from a drain on resources into an engine of innovation.

Chris Petterson, Sr. Solutions Engineer, Chainguard

With decentralized IT departments, sprawling merchant accounts, and inconsistent payment technologies and practices, higher education environments face unique challenges when it comes to PCI DSS compliance. This session will explore how the Stanford Information Security Office and Merchant Services teams partnered on a dedicated effort to reduce the University’s unnecessary PCI scope and build an ongoing compliance program. Attendees will learn strategies for actively engaging campus merchants, migrating merchants to compliant e-commerce solutions, leveraging third-party providers, and adopting technologies like point-to-point encryption to reduce risk and eliminate expensive network technology costs.

The presentation will review lessons learned, as well as highlight specific milestones and wins along the way. The Stanford team implemented an annual compliance calendar to include required training, merchant surveys, self-assessment questionnaires, vulnerability scanning, incident response testing, and more. Along with their dedicated QSA partner, Stanford will also share strategies to ensure continued compliance with PCI DSS v4.0.1, uncovering hidden risks, updating policy, implementing improved third-party oversight, and consolidating payment methods used across campus.

Participants will walk away with actionable steps to manage their PCI environments and build a sustainable path toward compliance.

Shawn Kim, Director of Cybersecurity Governance, Risk, and Compliance at Stanford University

Katie Johnson, Manager, Operations Support; Product Lead - Online Training at CampusGuard

David Gundrum, Senior Information Security Analyst at Northwestern University

Higher education institutions are tasked with navigating complex and evolving cybersecurity and privacy regulations, which necessitates innovative strategies for compliance, given often limited resources. The higher education sector has historically been "a little slower on the uptake" to adopt new tools that could save time and increase efficiency.

Drawing on Lead CMMC Certified Assessor (LCCA) Derrich Phillips's 20+ years of cybersecurity experience—including hundreds of risk assessments and thousands of policy reviews—this presentation demonstrates how Artificial Intelligence (AI), specifically ChatGPT, can dramatically streamline compliance documentation for frameworks like CMMC and NIST SP 800-171, addressing a critical gap in current methodologies.

Derrich Phillips will show attendees how to move beyond the traditional "checkbox mindset" by using high-quality, conversational prompts to produce accurate, context-specific guidance. The session will treat ChatGPT not as a magic bullet or autopilot, but as a starting point and a tool that can act as a CMMC consultant to reduce the time and consulting costs associated with creating foundational documents such as information security policies and System Security Plans (SSPs).

Crucially, the submission will emphasize responsible use, detailing the limitations and privacy concerns of using ChatGPT. Attendees will be explicitly cautioned against inputting sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and will learn that expert review is absolutely essential to validate the raw output and ensure accuracy and organizational alignment.

Derrich Phillips, President & Founder, Aspire Cyber

The federal policy environment in general is very complex, and the higher education aspect of the environment is no exception. From a higher education perspective, effectively navigating regulatory compliance in relation to cybersecurity and privacy requires an understanding of how the higher education community organizes and responds at a national level to the development of federal policy. It also helps to know how EDUCAUSE works with its members as part of the larger higher education community to address regulatory issues that directly impact institutional policy and practice regarding cybersecurity and privacy. This session will provide an overview of the federal policy landscape as it relates to cybersecurity and privacy in higher education and invites a deeper dialogue with session participants about the role that EDUCAUSE and its members play in relevant regulatory spaces.

Jarret Cummings, Senior Advisor, Policy and Government Relations, EDUCAUSE

Compliance in higher education research is increasingly complex—balancing open scholarship with evolving regulations like NIST SP 800-171, CMMC, HIPAA, and FERPA. In decentralized academic environments, it’s easy for compliance to be reduced to a “checkbox” exercise. This session offers a practical roadmap for shifting toward a culture where compliance is embedded, understood, and supported across the institution.

Attendees will explore how to assess readiness, integrate compliance into existing processes, and engage key stakeholders—from faculty and students to research administration and IT. Strategies include low-lift implementation techniques, communication approaches tailored for academic audiences, and cross-functional collaboration tactics. A brief case study will illustrate how one institution transitioned a research project into a compliant enclave on a limited budget, building trust and sustainability in the process.

Participants will leave with actionable ideas and a renewed perspective: compliance isn’t just about meeting requirements—it’s about enabling secure, resilient, and innovative research.

Sharon Kelley, Executive Director for Information Security & CISO, New Jersey Institute of Technology

Tran Cheung, Director of IT Risk, Compliance and Governance, New Jersey Institute of Technology