The University Information Policy Office and the University Information Security Office, with the guidance of the Information Security and Privacy Risk Council, are to articulate and assess the principles, policies, and preferences that are to be promulgated at IU, with respect to information security and privacy. This is a strategic activity, which sets the overall direction for implementations. Implementations, however, are a tactical activity, and are not within the scope of the UIPO, UISO, or Council. Individuals and units of the university are charged with implementing the strategic direction.
In a simple organization, a single organization-wide policy can be applied the same – that is, have only one method of implementation – across the entire organization. Everyone implements the policy in the same way.
However, in a complex distributed organization such as IU, a given university-wide policy usually requires multiple implementations. Different campuses, schools, units, business functions, sectors, etc. may have different (even conflicting) requirements while implementing that same university-wide policy.
In order to allow campuses, schools, units, business functions, sectors, etc. the latitude to create local implementations to meet their objectives, Indiana University employs a tiered, or hierarchical, policy model.
A single university-wide policy is issued. Although in some cases a single top-level policy implementation is also required, it is more common at IU for a set of guidelines, recommendations, or best practices for implementation of the policy to be issued. These help guide units in creating their local implementations. Campuses, schools, units, business functions, sectors, etc. evaluate their particular requirements for implementation, and create local implementations of the policy suitable for their needs.
In some cases, the campus, school, unit, business function, sector, etc. needs to compel a more stringent or more prescriptive interpretation of the university-wide policy. Units have considerable latitude in this tiered model to issue local policies. The locally-issued policies must be complementary and consistent with university-wide policies – they may be more restrictive, but may not be more permissive.
In order to truly be a governance process, a tiered policy structure must include a return cycle in which measurement of the effectiveness of both implementations and policy, regardless of their levels, must be collected, rolled-up, and considered as part of regular policy review and revision activities.
At IU, the process for university-wide information and technology policy development and review is outlined here.
Who is responsible for compliance with information security & privacy policies and laws at IU?
Compliance responsibility at IU is explained, and sectors that have assigned compliance oversight individuals or offices for areas affecting information security and privacy are listed, in the Compliance domain of the Information Security and Privacy Program.