A model framework for security and privacy governance and control is divided into three levels:
- At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the university-wide strategy. The overall strategy and approach to governance and control is established by the Board of Trustees and communicated throughout the university. Executive management also defines the university's risk posture. With the strategy and risk posture defined, senior executives can create policy. Also important is the task of regularly reviewing risk management and compliance reports in order to make corrections.
- At the business process level, business function management creates procedural and technical safeguard standards to apply to specific business activities. Safeguards at the business process level are a combination of manual safeguards operated by the business unit and automated application safeguards. Both are the responsibility of the business unit to define and manage, although automated application safeguards require the IT function to support their design and development. These safeguards are then implemented and monitored by line management, which also educates and supervises staff. Staff do the actual work, provide attestation of actions (e.g., "I have read the policies and agree to abide by them") and create incident reports when problems arise.
- To support the business processes, technology management and information technology units provide IT services, usually as a shared service to many business processes, as many of the development and operational IT processes are provided to the whole university, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The safeguards applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary before reliance can be placed on automated application safeguards.
Ideally, policy, responsibility, and resources flow downward from executive management; and accountability, status information, assessments, and results flow upward from staff and line managers to business function management and technology management, then ultimately to executive management.
This cycle of policy flowing downward and of results flowing upward allows a university's governance to identify acceptable risks to optimize the business, rather than seeking to simply avoid risks altogether. Risk can be reduced by proactively identifying events carrying negative consequences, then implementing safeguards to reduce the probability of such events or the impact of their resulting consequences.
Organization for Information Security and Privacy
Executive management level:
The Board of Trustees operates under Indiana State Code and its own Bylaws. It has also documented the Delegation of Authority for certain activities to the President, who in turn has authorized two Vice Presidents to oversee information security and privacy efforts.
Executive management has assigned overall coordination of information security and privacy to:
Executive management has assigned information security and privacy compliance oversight to sectors as outlined in Domain 12: Compliance. These offices are responsible for specific legislative, regulatory, or contractual obligations related to information security and privacy.
Governance groups for aspects of information security and privacy include:
The Council reviewed the entirety of the current Program in 2011 and endorsed the framework and its safeguards as being appropriate and necessary. In April 2012, the VP for Information Technology and the Executive VP for University Regional Affairs, Planning, and Policy issued a memo to the President's Cabinet informing them of the Program and asking them to distribute the information to their organizations.
- Committee of Data Stewards (CDS) - The Committee of Data Stewards, as a group, is responsible for establishing policies, procedures, and guidelines for management of information across Indiana University. Individually, each of the Data Stewards has management and policy-making responsibilities for specific data subject areas.
Business process level:
IU is organized by campus (with Chancellors as leaders) and by Vice Presidents (with university-wide responsibilities for certain business functions):
Technology management level:
University Information Technology Services (UITS) is the central computing organization for all campuses at IU. Schools and departments may also hire IT Staff; UITS provides support and communication to them through IT Staff Services and Support.
Roles and responsibilities
- ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities (in process)
Planning Documents