University leadership must set a clear direction for information privacy and security in support of organizational goals and compliance with relevant laws and regulations. Policy is a key tool by which leadership documents, sets, and communicates this direction and expectations to the university. Through the issuance and maintenance of policy, leadership demonstrates its support for and commitment to the philosophies and values embodied in policy.
Safeguards for Domain 2 Information Security & Privacy Program
Policy vs. standards, guidelines, and procedures
Organizational policy is written at a high level to assign responsibility and outline the university's philosophies and values on a particular issue.
Standards, guidelines, and procedures are often also developed to clarify the approach to implementing policy and meeting organizational goals.
IU defines policy, standard, guideline, and procedure in the glossary.
Style Guides advise on proper writing style, grammar, punctuation, capitalization, etc. See the Indiana University Style Guide for IU-specific guidance.
Policy hierarchy
Security and privacy policy exists at the university, campus, unit, service and system levels. The policies in this hierarchy must remain consistent with each other as well as with laws and university culture.
An office or position is assigned responsibility by executive management for issuing university-wide information security and privacy policies. Campuses, schools, colleges, departments, and other administrative units issue local policies governing the security and privacy of information and information technology deployed specifically to support that unit's activities. Managers of information technology services and systems issue service-level or system-level policies governing the use of their services and systems.
In order to understand and adhere to all applicable requirements, users of these resources are responsible for consulting with appropriate unit, service, or system staff.
University-wide policies of all types are maintained on the University Policies site.
Responsibility for issuing university-wide information security and privacy policies is assigned to the University Information Policy Office (UIPO).
To learn how university-wide and local information security and privacy policies are implemented, visit: The Policy Hierarchy Explained.
University-wide information security policies are located here. See especially IT-12 Policy: Security of Information Technology Resources.
University-wide information privacy policies are issued and maintained by a number of units at IU. A compiled list of them, regardless of the unit responsible, is located here. See especially IT-07 Policy: Privacy of Electronic Information and Information Technology Resources and ISPP-24 Policy: Web Site Privacy Notices.
Other Information Technology Policies:
Policy process
In the collegial setting, policy is often (though not always) arrived at through a consensus building process.
Information security and privacy policy should be periodically reviewed and updated as needed to reflect changes in technology, laws, organizational approach, and other factors. A document, sometimes referred to as a "Policy on Policies," outlines this process.
University-wide policies, including information security and information privacy policies, follow the university-wide process.
Policies of all types are available for viewing even when they are currently under review. Use the Policy Feedback Form to provide your comments on these developing policies.
The Policy Administration Process Summary describes the process used to create and maintain university-wide information security and privacy policies at Indiana University.
Communication to internal personnel
Policy should be communicated throughout the university in a form that is highly visible, relevant, accessible and understandable to the intended audience.
Internal personnel must confirm, initially and periodically, their understanding of and agreement to comply with the university's security and privacy policies. More about communication to internal personnel can be found in Domain 5: Human Resources Information.
All new employees, students, and affiliates are required to assent to the Acceptable Use Agreement for Access to Technology and Information Resources as part of the process of obtaining their first IU computing accounts.
The Information Security and Privacy Program collates policy and other information about security and privacy and makes it easily available to employees. We also provide updates through our social media accounts.
Summary of domain objectives
The primary objectives of this domain are to ensure:
- information security and privacy policies are documented
- policies are approved by management
- policies are published and communicated to all employees and external parties
- policies are reviewed at planned intervals
Supplemental resources
- Computing policies at IU | UITS Knowledge Base
- EDUCAUSE/Internet2 Information Security Guide: Security Policy