University leadership must set a clear direction for information privacy and security in support of organizational goals and compliance with relevant laws and regulations. Policy is a key tool by which leadership documents, sets, and communicates this direction and expectations to the university. Through the issuance and maintenance of policy, leadership demonstrates its support for and commitment to the philosophies and values embodied in policy.
Safeguards for Domain 2 Information Security & Privacy Program
Policy vs. standards, guidelines, and procedures
Organizational policy is written at a high level to assign responsibility and outline the university's philosophies and values on a particular issue.
Standards, guidelines, and procedures are often also developed to clarify the approach to implementing policy and meeting organizational goals.
An office or position is assigned responsibility by executive management for issuing university-wide information security and privacy policies. Campuses, schools, colleges, departments, and other administrative units issue local policies governing the security and privacy of information and information technology deployed specifically to support that unit's activities. Managers of information technology services and systems issue service-level or system-level polices governing the use of their services and systems.
In order to understand and adhere to all applicable requirements, users of these resources are responsible for consulting with appropriate unit, service, or system staff.
University-wide policies of all types are maintained on the University Policies site.
Responsibility for issuing university-wide information security and privacy policies is assigned to the University Information Policy Office (UIPO).
To learn how university-wide and local information security and privacy policies are implemented, visit: The Policy Hierarchy Explained.
University-wide information security policies are located here. See especially IT-12 Policy: Security of Information Technology Resources.
University-wide information privacy policies are issued and maintained by a number of units at IU. A compiled list of them, regardless of the unit responsible, is located here. See especially IT-07 Policy: Privacy of Electronic Information and Information Technology Resources and ISPP-24 Policy: Web Site Privacy Notices.
Other Information Technology Policies:
In the collegial setting, policy is often (though not always) arrived at through a consensus building process.
University-wide policies, including information security and information privacy policies, follow the university-wide process.
The Policy Administration Process Summary describes the process used to create and maintain university-wide information security and privacy policies at Indiana University.
Communication to internal personnel
Policy should be communicated throughout the university in a form that is highly visible, relevant, accessible and understandable to the intended audience.
Internal personnel must confirm, initially and periodically, their understanding of an agreement to comply with the university's security and privacy policies. More about communication to internal personnel can be found in Domain 5: Human Resources Information.
All new employees, students, and affiliates are required to assent to the Acceptable Use Agreement for Access to Technology and Information Resources as part of the process of obtaining their first IU computing accounts.
Information Security and Privacy Program collates policy and other information about security and privacy and makes it easily available to employees. We also provide updates through our social media accounts.
Summary of domain objectives
The primary objectives of this domain are to ensure:
- information security and privacy policies are documented
- policies are approved by management
- policies are published and communicated to all employees and external parties
- policies are reviewed at planned intervals
- Computing policies at IU | UITS Knowledge Base
- EDUCAUSE/Internet2 Information Security Guide: Security Policy