Regarding the Leadership, Responsibility, and Security of IU's Information Technology Infrastructure
Approved: May 4, 2001
The appended material is excerpted from Minutes of the Trustees of Indiana University, Indiana University Purdue University Indianapolis, 4-May-2001.
The following comments were subsequently distributed widely by then Vice President for Information Technology and Chief Information Officer Michael McRobbie:
The following resolution was passed unanimously by the Board of Trustees at their meeting [May 4, 2001]. In accordance with this resolution I am authorizing Mark Bruhn [University Chief IT Security and Policy Officer] to exercise the authority conferred by it.
This resolution considerably increases the ability that OVPIT [Office of the Vice President for Information Technology] has, in particular through ITPO [University IT Policy Office] & ITSO [University IT Security Office], to deal with security matters both proactively and reactively. In particular it will allow ITPO and ITSO to take immediate control of any IT security problems that arise where this is necessary. This redoubles the importance of bringing any securityproblems of which you become aware immediately to the attention of ITPO/ITSO.
Michael McRobbie
Vice President for Information Technology and Chief Information Officer
Appended Material
- Report from Trustee Morris
Trustee Morris: Thank you, John and thank you, Pete. We had a very good meeting of the Finance and Audit Committee yesterday. First of all, you know that the Finance Committee is also the Audit Committee and, as such, we had our annual meeting with Michael McRobbie, chief information officer, tohear his assessment of information technology on the campus and related security issues. In light of the security breach in the Bursar's Office in December, we wanted to define who within the university has the leadership role in developing and implementing policies that are necessary to minimize unauthorized access to our information technology system. We also wanted to bring some definition as to who would have the responsibility for assuming leadership in the event of a difficulty within the system comparable to the one we had in December. There can be all sorts of security breaches, intrusions into the technology infrastructure, unauthorized disclosure of electronic information, etc. It is important that we be precise as to how these issues are going tobe addressed when they come about because they potentially have great significance, and we need to be equipped to deal with them promptly. So, our committee endorsed a resolution, which we bring to the full board for consideration. Essentially, it says that the Vice President for Information Technology and CIO is charged with developing and implementing policies necessary to minimize the possibility of unauthorized access. The vice president, working closely with the internal auditor, also has the responsibility for the leadership and control of difficulties in this area when they occur. I move approval of this resolution and ask for your support.
Resolution of the Trustees of Indiana University Regarding the Leadership, Responsibility, and Security of IU'sInformation Technology Infrastructure
WHEREAS, the advent of the Internet has significantly transformed the manner in which information is stored on interconnected servers throughout the world; and
WHEREAS, the Internet is an information technology environment in which it is possible to have inadvertent or intentional unauthorized access to Internet sites and related servers; and
WHEREAS, successful intrusions into Internet sites and servers can lead to the disclosure of sensitive personal and institutional information; and
WHEREAS, it is critical that Indiana University protect its institutional information and information technology infrastructure so as to reduce the possibility of unauthorized access to servers holding sensitive information or running mission-critical applications.
NOW THEREFORE BE IT RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO to develop and implement policies necessary to minimize the possibility of unauthorized access to IndianaUniversity's information technology infrastructure regardless of the Indiana University office involved; and
BE IT FURTHER RESOLVED that the Trustees direct the Office of the Vice President for Information Technology and CIO, which may draw upon the experience and expertise and resources of other University offices (including the Office of Internal Audit), to assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved.
Unanimously approved on motion duly made and seconded.