Call to Order and Approval of Minutes (5 Minutes)
Minutes from April meeting approved as received.
Old Business and New Business
- CDS update (Eric C.) – CDS has developed an institutional data standards checklist to be completed by system owners to assist in approving systems for use with institutional data. CDS also reviewed CRM (customer relationship management system) policies and processes to ensure that information management practices are consistent.
- Incident update (Eric C.) – Nothing to report.
- Program Update (Tom) - no updates/changes since the last meeting.
- University Policy Web Site and/or Policy Advisory Council (PAC) update (Eric C.) – Two new policies were highlighted, UA-08 Establishing University Policies, and IT-28 Cyber Risk Mitigation Responsibilities. UA-08 establishes procedures for drafting, approving, revising, distributing, maintaining, and withdrawing university policies. IT-28 establishes UITS' responsibility for maintaining secure IT infrastructure and services, and unit responsibility for leveraging these common resources to the greatest extent practicable.
University Assurance Council (UAC) (Mark Bruhn)
Council is made up of “assurance positions” such as Chief Security Officer, Chief Risk Officer, Chief Privacy Officer, Chief Compliance Officer, Assistant VP& Exec Director Internal Audit, Office of General Counsel, and Director of University Policies. These people work within their spheres to promote compliance, assess risk, etc. Formerly, these efforts were more independent. The UAC brings these roles together to work through shared issues/challenges. Discussed examples.
Policy IT-28 Implementation Planning Efforts (Mark Bruhn)
Goal of IT-28 is to help IU further reduce its threat surface (number of network devices), and therefore risk. Asks units to review their IT services and leverage central services as much as practicable. Migration plans should be developed within a year, and reviewed every two years. Examples were discussed. Also requires UITS to provide a comprehensive, evolving set of services at reasonable cost. Departments often do not fully load the cost of providing services. Discussed various aspects/implications of the policy.
Internal Audit Annual Risk Assessment and Audit Planning (Michael Gardner)
At earlier Risk Council meeting it was suggested that it may be useful for Internal Audit to seek feedback from the council for its risk assessment. However, as it turns out, everyone on the council already has an avenue to provide input to the process. Nonetheless, Mike sent out a risk assessment template for feedback from the group on items of concern and offered an opportunity to provide feedback during the meeting. A few issues were discussed. Mike invited other input via email after the meeting.
Reflection and Upcoming Activities (Tom Davis)
Tom reviewed how the council has reviewed the program, identified top gaps, provided feedback on various policies & standards, etc. Asked the council for their opinion of whether the council is doing the right things, the right way, etc? Gardner – what’s the lifecycle of the council? Once our initial work is done, do we move to a more ad hoc meeting basis? Wasitis – if we’ve accomplished our initial goals, maybe we move to a less frequent/more ad hoc format? Bruhn – believes the group has an ongoing role. Although future meetings may be less frequent, governance is a continuing need. Group consensus was that initial goals have been largely achieved, and that future meetings should be issue-driven. Davis – Does the council’s makeup still make sense? Should others be added, or some rotated off? Conclusion was to block time off on the calendar every 4 months, and cancel meetings if no business exists. We can also communicate issues as they arise via listserv and Oncourse.
Wrap-up and Next Steps
Reference:
http://policies.iu.edu/policies/categories/administration-operations/policy-admin/establishing-university-policies.shtml
http://policies.iu.edu/policies/categories/information-it/it/IT-28.shtml
Next Meeting: November 20, 2013
Meeting Information
Date
July 24, 2013
Time
1:00pm
Location
Poplars 017, Video Bridge 223739
Attendees
In Person
Julie Aders (for Jim Kennedy)
Mark Bruhn
Eric Cosens
Tom Davis (ch)
Michael Gardner
Jeff Lambright
Dan Rives
Chris Swafford
Doug Wasitis
Via Video
None
Via Audio/phone
Phil Cochran
Joseph Scodro
Absent
Stew Cobine
Marcia Gonzales
Joan Hagen
Jim Kennedy
Kim Milford
Eric Swank
Chris Viers