Human resources

Employees

• Reduce risk of theft, fraud, or misuse of information assets by ensuring that employees understand their responsibilities for the roles for which they are being considered
• Address security responsibilities in job descriptions prior to employment
• Adequately screen candidates

Affiliated/partner Organizations

• Reduce risk of theft, fraud, or misuse of information assets by ensuring that affiliated and partner organization users understand their responsibilities for the roles for which they are being considered
• Address security responsibilities in formal documentation of the relationship
• Adequately screen potential affiliates and partner organizations

Third Party Vendors

• Reduce risk of theft, fraud, or misuse of information assets by ensuring that contractors and third party vendor users understand their responsibilities for the roles for which they are being considered
• Address security responsibilities in formal documentation of the relationship
• Adequately screen potential vendor candidates

Employees

Human Resources and Academic Personnel provide Hiring Managers resources and training on creating job descriptions, and on interviewing, screening, and hiring employees.

The IU job application forms are a principal source of information for hiring managers to screen staff candidates.

Human Resources and Academic Personnel Records oversee background checks for new employees and faculty.

There may be special requirements for screening candidates if U.S. Export Control regulations are implicated. Consult with IU Export Control.

Consider whether the employee will be engaged in activities that pose increased risk to IU, and if so, consult with HR on requiring more thorough screening.

Affiliated/partner Organizations

About sponsored computing accounts for IU Affiliates | IU Knowledge Base

Additional safeguards for affiliating or partnering are outlined in the "External Parties" section of Domain 3: Organization.

Third Party Vendors

Additional safeguards for affiliating or partnering are outlined in the "External Parties" section of Domain 3: Organization.

Employees

• Obtain employee assent to agreement on security roles and responsibilities
• Ensure that safeguards are applied throughout an individual's employment with the university by defining management responsibilities
• Minimize security and privacy risks, including the risk of human error, through adequate awareness and training activities which detail appropriate safeguards over and correct use of information assets
• Establish a formal disciplinary process for handling security breaches and breaches of policy

Affiliated/partner Organizations

• Reduce the risk of human error by ensuring that affiliated and partner organization users are aware of information security issues and are equipped to operate securely in the course of their responsibilities
• Obtain user assent to agreement on security roles and responsibilities
• Ensure that safeguards are applied throughout an organization's relationship with the university by defining management responsibilities

Third Party Vendors

• Reduce the risk of human error by ensuring that contractors and third parties are aware of information security issues and are equipped to operate securely in the course of their responsibilities
• Obtain user assent to agreement on security roles and responsibilities

Employees

All new employees, students, and affiliates are required to assent to the Acceptable Use Agreement for Access to Technology and Information Resources as part of the process of obtaining their first IU computing accounts. The agreement tool also allows for verifying that an employee has assented to the Acceptable Use Agreement - Access to Technology and Information Resources - Employees.

Additionally, to gain access to certain information, data managers may require completion of training, such as the FERPA Tutorial. Further information on access to technology and information assets is found in Domain 8: Identity and Access Control.

The University Information Policy Office conducts regular university-wide, general awareness and training activities. An example of such an event is the annual International Data Privacy Day at IU, which began in 2008.

The Office of Research Administration, Research Ethics, Education and Policy provides resources to support the responsible conduct and administration of research at IU.

Policy IT-02: Misuse and Abuse of Information Technology Resources outlines the disciplinary process for security breaches and noncompliance with information and technology policy.

University Human Resource Services provides a Corrective Action Resource Page for supervisors, managers, and staff and hourly employees.

Affiliated/partner Organizations

Affiliated and partner organization users who are provided access to IU computing accounts are required to assent to the Acceptable Use Agreement for Access to Technology and Information Resources as part of the process of obtaining the IU computing accounts. The agreement tool also allows for verifying that an individual has assented to the Acceptable Use Agreement - Access to Technology and Information Resources - Employees.

If the affiliated or partner organization user will not be using IU computing accounts, but will be encountering IU data in the course of their duties - including test, development, and production data - document their understanding using an agreement such as the Data Security Agreement - Terms and Conditions for Access and Use of Indiana University Data (available in EPIC under the Department Resources tab).

Affiliated and partner organization users may be required to take additional training.

Additional safeguards for affiliating or partnering are outlined in the "External Parties" section of Domain 3: Organization.

Third Party Vendors

If the third party vendor will be encountering IU data in the course of their duties - including test, development, and production data - document their understanding using an agreement such as the Data Security Agreement - Terms and Conditions for Access and Use of Indiana University Data (available in EPIC under the Department Resources tab).

Third party vendor users may be required to take additional training.

Additional safeguards for affiliating or partnering are outlined in the "External Parties" section of Domain 3: Organization.

Employees

• Ensure that employees exit the organization or change employment in a managed, orderly manner including return of all institutional information and equipment, and removal or adjustment of all access privileges
• Assign responsibilities to ensure that equipment is returned and access privileges are adjusted or removed as appropriate after an individual's change of employment or termination
• Ensure that changes relating to responsibilities, positions, and/or employments within the organization are managed consistently

Affiliated/partner Organizations

• Ensure that partner organization users exit the organization or change employment in a managed, orderly manner including return of all institutional information and equipment, and removal or adjustment of all access privileges
• Assign responsibilities to ensure that equipment is returned and access privileges are adjusted or removed as appropriate

Third Party Vendors

• Ensure that contractors and third party users exit the organization or change employment in a managed, orderly manner including return of all institutional information and equipment, and removal or adjustment of all access privileges
• Assign responsibilities to ensure that equipment is returned and access privileges are adjusted or removed as appropriate

Employees

The Supervisor Checklist: When a Staff Employee Separates Employment with IU from Human Resources, and the Supervisor's Guide to Information Policy contains information for supervisors on what to do when an employee is leaving the university or changing departments, including return of assets and removal of access rights.

The Employee Checklist: Separating Employment from IU from Human Resources contains information for employees on what to do when leaving the university.

Policy IT-03: Eligibility to Use Information Technology Resources outlines when an employee ceases to be eligible for computing accounts at IU.

The Eligibility for Re-Employment policy outlines when former employees are not eligible for re-employment.

The UHRS Separation Resources page provides further information, including a chart of Termination/Separation Reason Codes to be used when an employee separates from IU. This chart outlines eligibility for rehire by Reason Code.

Domain 8: Identity & Access Management outlines safeguards related to access by individuals to IU information and technology, including change of access with change of relationship, and removal of access upon termination.

Affiliated/partner Organizations

Safeguards for affiliating or partnering are outlined in the "External Parties" section of Domain 3: Organization.

Domain 8: Identity & Access Management outlines safeguards related to access by individuals to IU information and technology, including change of access with change of relationship, and removal of access upon termination.

Third Party Vendors

Safeguards for affiliating or partnering are outlined in the "External Parties" section of Domain 3: Organization.

Domain 8: Identity & Access Management outlines safeguards related to access by individuals to IU information and technology, including change of access with change of relationship, and removal of access upon termination.