Cyber Risk Mitigation Responsibilities (IT-28) Review

What is the Cyber Risk Mitigation Responsibilities (IT-28) Review?

Cyber Risk Mitigation Responsibilities, IU policy IT-28, ensures that the community works to “vigilantly mitigate cybersecurity risks, maximize physical security for IT systems, and minimize unacceptable risks to IT systems and data from natural disasters (collectively, 'Cyber Risks')". This ongoing vigilance is maintained by a cycle of peer reviews of unit risk mitigation strategies/efforts; a two-year cycle is expected. There are two elements that describe the complexity of implementing IT-28, peer review cycles and policy implementation phases.

Peer review

An IT-28 peer review cycle is expected to begin every two years. The first implementation of IT-28 began in May 2013 with the adoption of the policy. The community was given one year to formulate a risk mitigation plan and submit their efforts for peer review by May 2014. Peer reviews for the first cycle of IT-28 implementation were completed in June 2015. Effectively, the first cycle of IT-28 is documented as covering years 2013-2015. Planning for the second cycle (round) of IT-28 began in the third quarter of 2016 and the second peer review cycle is expected to be completed by the second quarter of 2018. 

Implementation phases

Each cycle is comprised of seven policy implementation phases: Plan, develop, train, execute, review, accept, and improve. Although phases are not mutually exclusive, they generally describe the flow of IT-28 responsibilities for each cycle. The UISO and UITS are responsible for the plan and develop phases. IU IT Community involvement happens in the plan, execute, review, and accept phases; the execute phase covers the tangible IT-28 responsibilities of risk/security assessment, unit strategy, and appropriate documentation. The improve phase has two audiences -- the IU IT Community who reduces Cyber Risks and the UISO and UITS who strategizes for the next cycle.

Second round focus

In this round of IT-28, the IU IT community will build upon the efforts of the initial round to truly embrace the collective role we all play in mitigating cyber risks. The goal of IT-28 remains the same, “to ensure that the IU community minimizes to the greatest extent practicable the unnecessary creation of cyber risks while also enabling the productive work of all units.” The second round of peer review will focus on, like the first round, the adoption of secured facilities, common IT infrastructure, and UITS services, where practicable, to mitigate cyber risks. The policy outlines risks/concerns for servers outside of secured facilities; data protection, critical service interruption, service duplication, and energy efficiencies, and as such, peer review participants will take these into consideration.

Additionally, setting a baseline of operational security will be a requirement in the second round; this effort addresses the fact that not all servers/services can leverage secured facilities/shared services. This new focus will encourage implementing IT strategies that include, but are not limited to, access controls, physical security, configuration management, business process protections, and risk/security assessment. The implementation of policy IT-28 will continue to be an iterative process, with each round of peer review improving community risk mitigation efforts and the overall implementation process.

IT-28 Manual

  • Defines the IT-28 process and factors influencing its implementation
  • Provides detailed documentation and instruction for the process
  • Contains latest updates, review frequently

Download the manual

IT-28 overview and instruction placemat

  • Should be used as a quick-reference guide for the IT-28 review process
  • For those new to the process, use this as a quick-start guide

Download the placemat

IT-28 Inventory Tool instructions

Download the tool instructions

Implementation details

IT-28 and Risk Mitigation InfoShare 1: Cyber Risk Mitigation Responsibilities Policy and Peer Review

IT-28 and Risk Mitigation InfoShare 2: IU Policy

IT-28 and Risk Mitigation InfoShare 3: IT-28 Inventory Tool (IIT) Walkthrough

Policy IT-28 states, “The goal of this policy is to ensure that the IU community minimizes to the greatest extent practicable the unnecessary creation of cyber risks while also enabling the productive work of all units. This requires a balanced approach to activities that (a) create cyber risks and (b) activities that can help mitigate them.” In this second round of IT-28, and supported by the NIST CSF, a focus on unit operational security (OS) will open discussion about five core topics of OS that peer review teams will assess with the help of the CSF: Access control, asset management, configuration management, risk assessment, and security assessment. IT-28 implementation efforts must be an iterative process; leveraging the NIST CSF and focusing on this OS categories are the primary assessment iterations in the second round of peer review.

The UISO strives to provides the highest-quality documentation available to peer review team members. However, there are many elements of peer review that must be addressed dynamically as all variations within IU’s IT environment cannot be calculated. Based on server-specific data provided in the IT-28 inventory tool and unit-specific summaries and strategy in the comprehensive evaluation, peer review team members are able to understand a Unit’s IT environment and fairly assess server strategies, keeping in mind the essence of IT-28, mitigating cyber risks at Indiana University.

The static nature of the IT-28 planner (spreadsheet), in the first round of IT-28 peer review, prevented the documentation instrument to be dynamically updated to reflect the always changing needs of the peer review teams. Selection value deficiencies, data stagnation, and user interface burden were just a few areas that needed to be addressed in round two. With that said, the IT-28 planner (spreadsheet) has been replaced by the IT-28 inventory tool (IIT), a dynamic inventory system for IT-28 scoped assets.

The IIT is built on the ServiceNow platform and will be the primary tool for collecting and maintaining server assets that are within scope of IT-28. This environment will be leveraged for asset tracking and reporting only; all unit specific information (not related to any particular asset) will be collected using the comprehensive evaluation (CE) summary document.

The community will be encouraged to maintain their IIT assets and leverage the tool’s reporting capabilities to gain insight into their environments. The community should be inspired to explore their environments in ways that the spreadsheet could not provide. Guidance, documentation, and tools for this discovery will be provided to the community when the IIT goes into full production.

The IU IT Community is familiar with risk mitigation and assessment, so we expect the second round to progress more efficiently than the first. A high-level timeline is expressed below. Ranges are not rigid; they can be adjusted based on the needs of the IU IT Community.


NIST Cybersecurity Framework Implementation Tiers

Framework Implementation Tiers ("Tiers") provide context on how to view cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).  Review the tier summaries below to better understand how to evaluate your unit.

Tier 1Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.  Prioritization of cybersecurity activities may not be directly informed by organization risk objectives, the threat environment, or business/mission requirements.
Tier 2Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3The ogranization's risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated and based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
Tier 4The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner. 
Tier 1There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
Tier 2There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established.  Risk-informed, management-approved processes and procedures are defined and implemented, and staff have adequate resources to perform their cybersecurity duties.  Cybersecurity information is shared within the organization on an informal basis.
Tier 3There is an organization-wide approach to manage cybersecurity risk.  Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.  Consistent methods are in place to respond effectively to changes in risk.  Personnel possess the knowledge and skills to perform their appointed roles and responsibilites.
Tier 4There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.  Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
Tier 1An organization may not have the processes in place to participate in coordination or collaboration with other entities.
Tier 2The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.
Tier 3The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.
Tier 4The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs. 

These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. Improvement is accomplished by creating Current and Target Profiles in each cycle of IT-28 review (see the IT-28 Handbook for more details). In the context of IT security at Indiana University, and in relation to technology and data policy, the baseline target profile for all unit’s is a Tier 2, across all elements. Depending on your business process and the data classifications used within, in may be necessary to secure your environment at a higher tier. That determination is made by the unit with assistance from IT-28 peer review teams.

Based on collaborative consensus formed in the IT-28 peer review meetings, specific Cybersecurity Framework sub-categories are prioritized for the improvement phase of the IT-28 lifecycle. Although the Target Profile may be set at a Tier 2, units should understand that it is a target that may take more than one iteration of IT-28 review to achieve (i.e. multi-year projects). Creating a Target Profile with a target of Tier 2 shows a commitment to meeting that target in the long-term, not necessarily by the next iteration of IT-28 review.

Help! I have questions

If you have questions concerning IT-28, send an email to