First, we wanted to explore the relationship between internal audit and information security in a “typical” industry rather than one most likely to employ cutting-edge best practices. Therefore, we ruled out industries where information security is a dominant concern, such as defense contractors and financial services firms. Second, educational institutions have a
diverse user base where both employees (faculty and staff) and customers (students) make substantial use of
the entity's user applications. Thus, educational institutions must address the complex set of information
security challenges that arise when access to the corporate network is provided to non-employees. Moreover,
one set of employees (faculty) represents a particularly interesting user group because of their high degree of
autonomy and independence (Hawkey et al., 2008; Schaffhauser, 2010). Third, educational institutions must
comply with a number of different regulatory requirements. All are subject to the privacy-related issues
delineated in the Family Educational Rights and Privacy Act (FERPA).