The Policy Hierarchy explained

Introduction

The University Information Policy and Security Offices (UIPO and UISO), with the guidance of the Information Security and Privacy Risk Council, are to articulate and assess the principles, policies, and preferences that are to be promulgated at IU, with respect to information security and privacy. This is a strategic activity, which sets the overall direction for implementations. Implementations, however, are a tactical activity, and are not within the scope of the UIPO, UISO, or Council. Individuals and units of the university are charged with implementing the strategic direction.

How university-wide information security & privacy policies are implemented at IU

A simple organization can apply policies uniformly, where everyone implements the policy in the same way.

However, a complex distributed organization such as Indiana University sometimes requires multiple implementations of a given university-wide policy. Different campuses, schools, units, business functions, sectors, etc. may have different (even conflicting) requirements while implementing that same university-wide policy.

In order to allow campuses, schools, units, business functions, sectors, etc. the latitude to create local implementations to meet their objectives, IU employs a tiered, or hierarchical, policy model.

It is more common at IU for a set of guidelines, recommendations, or best practices for implementation of the policy to be issued, although in some cases a single top-level policy implementation is also required. These help guide units in evaluating their particular requirements for local implementations of the policy suitable for their needs.

In some cases, the campus, school, unit, business function, sector, etc. needs to compel a more stringent or more prescriptive interpretation of the university-wide policy. Units have considerable latitude in this tiered model to issue local policies. The locally-issued policies must be complementary and consistent with university-wide policies – they may be more restrictive, but may not be more permissive. 

In order to truly be a governance process, a tiered policy structure must include a feedback loop to measure both implementations and policy, and considered as part of regular policy review and revision activities. 

Policy administration process summary