Building a Program involves coordinating many activities. IU's Program establishes a framework that brings together the appropriate people, tools, and guidance needed to structure the University community's efforts. The framework sorts information and activities into domains.
Information Security and Privacy Program
A sound risk assessment strategy must identify, understand, and prioritize risks to information. Risk assessments can be time consuming and costly, so should be performed based on the sensitivity or criticality of the information used in the system or process. Systems that process sensitive information must be assessed much more rigorously than those that do not. The resulting analysis should guide management decisions on which safeguards are needed to address (treat) identified risks. The goal is to minimize harm to the University and its community.
Organizational leadership must set a clear direction for information privacy and security in support of organizational goals and compliance with relevant laws and regulations. Policy Administration is a key tool by which leadership documents, sets, and communicates this direction and expectations to the organization. Through issuing and maintaining policy, leadership demonstrates its support for and commitment to the philosophies and values embodied in policy. In the collegial setting, policy is often (though not always) arrived at through a consensus-building process. Information policy should be periodically reviewed and updated as needed to reflect changes in technology, laws, organizational approach, and other factors.
A management framework allows an organization to sustain and manage its information security and privacy infrastructure. Protecting IU's information assets requires establishing a clear organizational structure and outlining responsibilities. This is especially important considering IU is a large, multi-campus academic institution with many autonomous internal units and external partners. In addition to clearly articulating these responsibilities, this framework should include appropriate safeguards to protect the information assets accessed or managed by external partners on behalf of IU.
To be effective, the University asset management strategy must include information assets as well as IU's software, reputation, people, and services, in addition to its physical information technology equipment. It is important to identify, track, classify, and assign ownership for the most important assets to ensure they are adequately protected.
People play a fundamental role in information protection. An organization's security and privacy safeguards are no better than the people who implement and use them. Therefore, it is important to manage human resource security and privacy risks during all phases of an employee's association with the University: time prior to employment, during employment, at change of University employment, and when employment terminates. Safeguards such as adequate job descriptions and screening, user awareness and training, a disciplinary process, and an orderly exit process are key in guiding employees on operating securely and using information appropriately. They must also ensure that access privileges change when a user's relationship with the university changes.
Physical and environmental safeguards are often overlooked but are very important in protecting information. Buildings and rooms that house information and information technology systems must be afforded appropriate protection to avoid damage or unauthorized access to information and systems. In addition, the equipment housing this information (e.g., filing cabinets, data wiring, laptop computers, portable disk drives) must be physically protected. Equipment theft is of primary concern, but other issues should be considered, such as damage or loss caused by fire, flood, and sensitivity to temperature extremes.
Information technology systems process large quantities of University data. These systems — which include computers, networking equipment, mobile devices, storage media, and other IT components — must be managed so as to protect information. The goal is to provide a robust, reliable, and secure IT infrastructure that lends itself to information protection. Meeting this goal requires implementing safeguards, including policies, standards, and procedures that guide how systems are operated and how the institution processes information.
A robust and flexible identity and access control infrastructure is key to implementing appropriate information security and privacy. Identity controls must exist to establish a level of assurance that the individual using an asset is who she claims to be. Likewise, access controls must exist to provide appropriate access to information and systems, prevent unauthorized access, and enable accountability. User access management includes user registration, management of privileges granted to users, and password management. At the same time, users also need to be made aware of their responsibilities for maintaining effective access controls. These safeguards must apply irrespective of whether the information or systems are stored on or accessed from on- or off-campus locations.
Information systems are at the heart of many University processes. It is therefore important that these systems be acquired, designed, implemented, and maintained with information protection in mind. Information security and privacy must be considered throughout the lifetime of a system, and appropriate and adequate safeguards must be put in place to protect information and information systems.
In spite of the most vigilant efforts to minimize them, events will occur that jeopardize the security and privacy of institutional and personal information. However, the institution's process of preparing for, preventing, detecting, responding to, and tracking these events has a significant impact on their frequency and severity. Appropriate policies and procedures are needed to provide an efficient and effective incident management strategy.
Access to information and information assets can be partially or completely interrupted by natural disasters, accidents, equipment failures, or malicious activities. Appropriate business continuity planning — planning for the unexpected — must be undertaken to protect the availability of critical information resources and continuity of operations. Business continuity planning will promote the rapid recovery of University functions in the face of an adverse event, minimize the impact of such an event, and improve the University's ability to cope with the unexpected. The University's business continuity plans should be based on risk and focus on key information and information technology assets in the context of business needs.
The University has a responsibility to comply with applicable legal, regulatory, and contractual requirements with respect to safeguards over information and information assets. This also protects the University's reputation and minimizes the risk of the negative financial and other consequences associated with noncompliance. Because the University operates in such a complex legal, regulatory, and contractual environment, a formal framework is necessary to promote compliance. Such a framework should address legal compliance; compliance with internal policies, standards, and guidelines; and audit objectives.