A model framework for security and privacy governance and control is divided into three levels:

• At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the university-wide strategy. The overall strategy and approach to governance and control is established by the Board of Trustees and communicated throughout the university. Executive management also defines the university's risk posture. With the strategy and risk posture defined, senior executives can create policy. Also important is the task of regularly reviewing risk management and compliance reports in order to make corrections.
• At the business process level, business function management creates procedural and technical safeguard standards to apply to specific business activities. Safeguards at the business process level are a combination of manual safeguards operated by the business unit, and automated application safeguards. Both are the responsibility of the business unit to define and manage although automated application safeguards require the IT function to support their design and development. These safeguards are then implemented and monitored by line management, which also educates and supervises staff. Staff do the actual work, provide attestation of actions (i.e. I read the policies and I agree to abide by them) and create incident reports when problems arise.
• To support the business processes,technology management and information technology units provide IT services, usually as a shared service to many business processes, as many of the development and operational IT processes are provided to the whole university, and much of the IT infrastructure is provided as a common service (e.g., networks,databases, operating systems and storage). The safeguards applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on automated application safeguards.

Ideally, policy, responsibility, and resources flow downward from executive management; and accountability, status information, assessments, and results flow upward from staff and line managers to business function management and technology management, then ultimately to executive management.

This cycle of policy flowing downward and of results flowing upward allows a university's governance to identify acceptable risks to optimize the business, rather than seeking to simply avoid risks altogether. Risk can be reduced by proactively identifying events carrying negative consequences, then implementing safeguards to reduce the probability of such events or the impact of their resulting consequences.

Organization for Information Security and Privacy

Executive management level:

• Top-level IU Organizational Chart
• Indiana University Board of Trustees

The Board of Trustees operates under Indiana State Code, and their own Bylaws. They also have documented the Delegation of Authority for certain activities to the President, who then has authorized two Vice Presidents to oversee information security and privacy efforts.

• IU President
• Office of the Vice President of Information Technology (OVPIT) - Organizational Charts
• Office of the Executive Vice President for University Academic Affairs (OEVPUAA) - Organizational Charts

Executive management has assigned overall coordination of information security and privacy to:

• IT Information Security - Organizational Chart
• University Information Policy Office (UIPO)

The authority of the UIPO has been established by a Resolution of the Trustees of Indiana University and confirmed by the Vice President for Information Technology and CIO of Indiana University.

• University Information Security Office (UISO)

Executive management has assigned information security and privacy compliance oversight to sectors as outlined in Domain 12: Compliance. These offices are responsible for specific legislative, regulatory, or contractual obligations related to information security and privacy.

Governance groups for aspects of information security and privacy include:

• The Information Security and Privacy Risk Council is a standing committee providing broad strategic guidance and oversight to support the university-wide Indiana University Information Security and Privacy Program ("ISPP").

The Council reviewed the entirety of the current Program in 2011 and endorsed the framework and its safeguards as being appropriate and necessary. In April 2012, the VP for Information Technology and the Executive VP for University Regional Affairs, Planning, and Policy issued a memo to the President's Cabinet informing them of the Program and asking them to distribute the information to their organizations.

• Committee of Data Stewards (CDS) - The Committee of Data Stewards, as a group, is responsible for establishing policies, procedures, and guidelines for management of information across Indiana University. Individually, each of the Data Stewards has management and policy-making responsibilities for specific data subject areas.

Business process level:

IU is organized by campus (with Chancellors as leaders) and by Vice Presidents (with university-wide responsibilities for certain business functions):

• IU Campuses
• IU Vice Presidents
• IU Research Centers

Technology management level:

University Information Technology Services (UITS) is the central computing organization for all campuses at IU. Schools and departments may also hire IT Professionals; UITS provides support and communication to them through IT Professional Services and Support.

Roles and responsibilities

• ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities (in process)

Planning Documents

• Indiana University Mission
• The President's Vision and Initiatives
• The President's Principles of Excellence
• Empowering People: Indiana University's Strategic Plan for Information Technology: A plan for the pervasive use of IT to help build excellence in education and research in all disciplines, in administration, in IU's engagement in the life of the State, across all campuses, and in collaboration with IU's key partners such as Clarian Health and institutions of higher education in the State.

Roles and Responsibilities

Formal relationship agreements with external parties may be documented with one of the following processes, depending on the type of relationship:

• A contract through the IU Office of Procurement Services
• An External Agency Agreement through the IU Office of the Treasurer
• An agreement through the IU Research & Technology Corporation
• An agreement through the IU Office of the Vice President for Research
• A contract through the University Architect's Office
• A grant through IU Grants and Contracts.

Note that leases for space are not considered formal relationship agreements for the purposes of gaining access to IU technology or information assets.

A third party security and privacy assessment procedure is coordinated by Purchasing, the University Information Security Office, and the Committee of Data Stewards.

Operational Documents

• Policy VI-100 Signature Authority

Establishes and clarifies policies regarding signature authority and the delegation of signature authority with respect to contracts and agreements between the University and third parties.

• Policy P-1.0 Purchasing Authority

Outlines who is authorized to commit university funds for goods and services.

• Policy P-4.0 Responsibilities in Acquisition Process

Establishes that the acquisition of goods and services is a cooperative effort between the requesting department and purchasing department.

• Policy VI-90: External Agency Agreements

Establishes policy and an operating framework for Indiana University to serve as fiscal agent for certain entities that are external to IU governance.

Data Security Agreement — Guidelines for Access and Use | Used to inform of responsibilities and document when granting access to third parties, such as vendors being provided access to data.

A sample template for tracking a unit's relationships with external parties is available at the top of the page in the "Ready to Start..." box.

The safeguards outlined in the other domains of this Information Security and Privacy Program can be applied to reduce risks.

Arrangements to share financial aspects of risk using insurance are coordinated by the Office of Insurance, Loss Control & Claims.

Arrangements to share aspects of risk with an outsourced party are coordinated by the Office of Procurement Services.