Each member of the university community has a role in protecting the security and privacy of information and information technology. Therefore, it is critical that the institution's Security and Privacy Principles be clearly articulated so that they may serve as the basis for information protection decisions made in the conduct of the university's mission. These principles must be adopted by, and ingrained into the culture of, the university in order to enhance information security and privacy throughout the institution.
These Security and Privacy Principles are intended to provide high-level guidance for Indiana University's Security and Privacy Program. Permeating these principles are the three traditional core elements of information security: confidentiality, integrity, and availability. These three are often referred to in security parlance as "CIA," from the first initials of the three elements. They form the first three Indiana University Security and Privacy Principles:
1. Only authorized individuals have access to information (the Confidentiality Principle).
2. Information must be reliable and accurate (the Integrity Principle, sometimes referred to as the Quality Principle).
3. Information must be available when needed (the Availability Principle).
4. Accountability and responsibility for the security and privacy of information must be clearly defined and acknowledged (sometimes referred to as the Management, Administrative Requirements, or Responsibility Principle).
5. Members of the university community must be aware of the principles, standards, conventions, and mechanisms for maintaining the security and privacy of information.
6. Information is to be used, and security and privacy goals are to be carried out, in an ethical manner.
7. Security and privacy governance must address the considerations and viewpoints of all interested parties (sometimes referred to as the Democracy Principle).
8. Security and privacy safeguards are to be proportionate to the risks.
9. Security and privacy design and implementation are to be coordinated and integrated within the system of safeguards and across the life of the information asset (sometimes referred to as the Security Management Principle, the Security for Privacy Principle, or the Security Safeguards Principle).
10. Parties will act in a timely and coordinated manner to prevent or respond to breaches of, and threats to, security and privacy.
11. Risks to information are to be assessed initially and reassessed periodically.
12. The rights and dignity of individuals are to be respected while carrying out security and privacy goals (sometimes referred to as the Fairness Principle).
13. The university informs the individual about its privacy policies and procedures and identifies the purposes for which the individual's information is collected, used, disclosed, and retained (sometimes referred to as the Purpose Specification or the Openness Principle).
14. The university obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure, and retention of the individual's information, particularly if that information is to be used for a secondary purpose or disclosed to a third party (sometimes referred to as the Objection Principle).
15. The university collects only the information needed to achieve the purposes identified by the business unit in support of the university's mission, and as outlined in the notice.
16. The university uses the individual's information only as outlined in the notice, and keeps the information only as long as necessary to fulfill the stated purposes.
17. The university discloses the information to third parties only as outlined in the notice and as consented to by the individual, either implicitly or explicitly.
18. The university provides the individual with access to review and update or correct his or her information (sometimes referred to as the Participation Principle).
19. The university monitors compliance and has procedures to address complaints and disputes (sometimes referred to as the Recourse or the Redress Principle).
These nineteen Indiana University Security and Privacy Principles are adapted from: