Safeguards

Information Security and Privacy Program

Building a Program involves coordinating many activities. IU's Program establishes a framework that brings together the appropriate people, tools, and guidance needed to structure the University community's efforts. The framework sorts information and activities into domains.

Domain 1: Risk assessment and treatment

The systematic process of evaluation should guide management decisions on which safeguards are needed to address identified risks.

Domain 2: Policy administration

Organizational leadership must set a clear direction for information privacy and security in support of goals and compliance with relevant laws and regulations.

Domain 3: Organization

A clear organizational structure with articulated responsibilities should include appropriate safeguards to protect the information assets accessed or managed by external partners on behalf of IU.

Domain 4: Asset management

An asset management strategy must identify, track, classify, and assign ownership for the most important assets to ensure they are adequately protected.

Domain 5: Human resources

Human resource security and privacy risks must be considered during all phases of an employee's association with the University in order to ensure the other safeguards are properly managed.

Domain 6: Physical and environmental

Buildings and rooms that house information and IT systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems.

Domain 7: Communications and operations management

Providing a robust, reliable, and secure IT infrastructure will lend itself to a more secure information protection.

Domain 8: Identity and access control

Identity and access controls must exist to establish that the correct individuals are accessing the appropriate information to perform their role at the university.

Domain 9: Information systems acquisition, development, and maintenance

It is important that information systems be acquired, designed, implemented, and maintained with information protection in mind.

Domain 10: Incident management

The process of preparing for, preventing, detecting, responding to, and tracking events that jeopardize the security and privacy of information has a significant impact on their frequency and severity.

Domain 11: Business continuity management

Planning for the unexpected must be undertaken to protect the availability of critical information resources and continuity of operations.

Domain 12: Compliance

IU has a responsibility to comply with applicable legal, regulatory, and contractual requirements with respect to safeguards over information and information assets.