The development and administration of Information and IT policies at IU follows a process based on a combination of best practices issued by the Association of College and University Policy Administrators and university policy UA-08 Establishing University Policies.
Policy administration process summary
In 2001, the Trustees directed the Office of the Vice President for Information Technology and CIO:
- To develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure regardless of the Indiana University office involved; and
- To assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information and computer security breaches regardless of the Indiana University office involved.
Vice President McRobbie delegated responsibility for these tasks to the University Information Security Office (UISO) and the University Information Policy Office (UIPO). These offices are charged with:
- information technology policy development, dissemination, and education
- information usage/management policy development and education (in conjunction with data management committees)
- review and analysis of existing policies for continued applicability and effectiveness
- interpretation of current policy related to specific issues, situations and incidents
- coordinating response to incidents of abuse, misuse, or inappropriate use of Indiana University information technology resources
- computer accounts management (for central accounts)
- information technology security assessment and reporting
- information technology security standards development, dissemination, and education
- providing technical security and information resource
- developing and administering security education and awareness programs
- security consulting
Institutional policies are operational statements or directions that outline the philosophies, attitudes, and values of an organization related to a specific issue. They are concise statements of what the policy is intended to accomplish, not how to accomplish it. Policies are stated in sufficiently general terms to provide flexibility as technology changes.
Campuses, schools, colleges, departments, and other administrative units have considerable latitude in developing complementary technology use policies and procedures, as long as they are consistent with the university-wide policy and any other applicable technology use policies of the university. Such policies may be more restrictive than university policy, but must not be more permissive.
When developing information and information technology policies, the University Information Policy Office (UIPO) follows Policy UA-08 Establishing University Policies(see, "Approval Process") and a process based on the Policy Development Process With Best Practices issued by the Association of College and University Policy Administrators (ACUPA). It consists of the following major steps:
- Identification of policy needs (primarily through monitoring legislative and technology developments, institutional experience, and evaluation of policy suggestions from the university community).
- Drafting of initial policy language using the standard IU policy template. (See, UA-08.)
- Submitting the draft to the Policy Advisory Council (PAC).
- Distribution to small group of stakeholders for initial review and input.
- Editing based on input from step 4.
- NOTICE and REVIEW: Presentation to large group of stakeholders for review and input. (See, Policies Under Review.)
- Editing based on input from step 6.
- Presentation to Vice President for Information Technology for approval, and as determined by the Vice President, to the President and/or Trustees.
- Publishing and Announcing. (See, New & Recently Revised Policies.)
- Educational activities.
- Maintenance, typically involving review every three years.
The University Information Policy Office (UIPO) and the University Information Security Office (UISO) maintain a list of potential stakeholders for information & IT policies. This list is used for contacts in steps four and six of the Policy Process for those who are involved in direct review and input, and for communication purposes with those who do not participate in direct review and input. These roles are identified depending on the nature of the policy in process and its potential relevance to the stakeholder:
- Incident Response (within the UIPO and UISO)
- UITS Senior Management
- Vice President for Information Technology & Chief Information Officer
- University Counsel
- Internal Audit
- Policy Advisory Council (PAC)
- IT Pros (aka: Local Support Providers)(Bloomington and IUPUI)
- Regional CIO
- Deans (Bloomington and IUPUI)
- Faculty Council Technology Committee (IUPUI)
- Faculty Council Technology Policies Committee (Bloomington)
- Faculty Council (IUPUI)
- Faculty Council (Bloomington)
- University Faculty Council (University-wide)
- Information Security & Privacy Risk Council
- Staff Council (Bloomington and IUPUI)
- University Data Management Council (UDMC) (for applicable policies)
- IU Research & Technology Corp. (IURTC)
- IU Alumni Association
- IU Foundation
- Student associations (Bloomington and IUPUI)
- Residential Programs and Services (Bloomington and IUPUI)
- Vice Provost for Student Affairs and Dean of Students (Bloomington)
- Vice Chancellor for Student Affairs (IUPUI)
- Vice Provost for Faculty and Academic Affairs (Bloomington)
- Executive Vice Chancellor of Academic Affairs (IUPUI)
- University Human Resource Services/Employee Relations (Bloomington and IUPUI)
- Campus Chancellors
- Executive VP & IU Bloomington Provost
- Executive VP & IUPUI Chancellor
- Vice President for Capital Projects and Facilities
- Vice President & Chief Financial Officer
- Vice President & Director for Intercollegiate Athletics
- Vice President for Diversity, Equity, & Multicultural Affairs
- Vice President for Engagement
- Vice President & General Counsel
- Vice President for International Affairs
- Vice President for Public Affairs and Government Relations
- Vice President for Research
- Executive Vice President for University Regional Affairs, Planning, and Policy
- Office of the President
- Board of Trustees
(Note: Regional CIOs are responsible for coordination with all appropriate offices and committees for their campuses.)