Each member of the university community has a role in protecting the security and privacy of information and information technology. These Security and Privacy Principles are intended to provide high-level guidance for Indiana University's Security and Privacy Program. These principles must be adopted by, and ingrained into the culture of, the university in order to enhance information security and privacy throughout the institution:
Information Security & Privacy Program
Confidentiality Principle
Only authorized individuals have access to information.
Integrity Principle
Information must be reliable and accurate.
Availability Principle
Information must be available when needed.
Accountability Principle
Accountability and responsibility for the security and privacy of information must be clearly defined and acknowledged.
Awareness Principle
Members of the university community must be aware of principles, standards, conventions, or mechanisms for maintaining the security and privacy of information.
Ethics Principle
Information is to be used, and security and privacy goals are to be executed, ethically.
Multidisciplinary Principle
Security and privacy governance must address the considerations and viewpoints of all interested parties.
Proportionality Principle
Security and privacy safeguards are to be proportionate to the risks.
Integration Principle
Security and privacy design and implementation are to be coordinated and integrated within the system of safeguards and the life of the information asset.
Timeliness Principle
Parties will act in a timely and coordinated manner to prevent or respond to breaches of and threats to security and privacy.
Assessment Principle
Risks to information are to be assessed initially, and reassessed periodically.
Equity Principle
The rights and dignity of individuals are to be respected while carrying out security and privacy goals.
Notice Principle
Informs the individual about privacy policies and procedures and identifies the purposes for which the individual's information is collected, used, disclosed and retained.
Choice & Consent Principle
Obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure, and retention of the individual's information, particularly if that information is to be used for a secondary purpose or disclosed to a third party.
Collection Limitation Principle
Collects only the information needed to achieve the purposes identified by the business unit in support of the university's mission, and as outlined in the notice.
Use & Retention Principle
Uses the individual's information only as outlined in the notice, and keeps the information only as long as necessary to fulfill the stated purposes.
Disclosure Limitation Principle
Discloses the information to third parties only as outlined in the notice and as consented to by the individual, either implicitly or explicitly.
Access Principle
Provides the individual with access to review and update or correct his or her information.
Monitoring & Enforcement Principle
Monitors compliance and has procedures to address complaints and disputes.