Information & IT Policies

University-wide IT Policies

University-wide IT policies apply to all users of Indiana University information technology resources regardless of affiliation, and irrespective of whether those resources are accessed from on-campus or off-campus locations.

PolicyName
IT-01Appropriate Use of IT Resources
IT-02Misuse and Abuse of IT Resources
IT-03Eligibility to Use IT Resources
IT-07Privacy of Electronic Information and Information Technology Resources
IT-07 Frequently Asked Questions
IT-11Excessive Use of IT Resources
IT-12Security of IT Resources
IT-12.1 Mobile Device Security Standard
IT-18Network and Computer Accounts Administration
IT-19Extending the University Data Network
IT-20Wireless Networking
IT-21Use of Electronic Mail
IT-28* Provisioning of Information Technology Services
ISPP-24Web Site Privacy Notices
ISPP-24 Frequently Asked Questions
ISPP-26ISPP-26 Information and Information System Incident Reporting, Management, and Breach Notification
ISPP-27ISPP-27 Privacy Complaints

* Draft in review.

For more information about information and information technology policy administration at IU, see the Policy Administration Process Summary.

Other Policies

PolicySource
Mutual Non-Disclosure StatementUniversity Purchasing/Counsel
Indiana University "Whistleblower" PolicyIndiana University
Sale of Computer EquipmentUniversity Purchasing
Disposal & Redistribution of University Property - for secure disposal of computer mediaUniversity Purchasing
Responsibility for Banking/ACH/Credit Card TransactionsOffice of the Treasurer
Protecting Departmental Computer ResourcesInternal Audit
Anonymous Reporting HotlineInternal Audit
Release of Student InformationStudent Enrollment Services
Risks of Potential Identity Theft in the Use of Stored-Value and Payroll DeductOffice of the VP and Chief Financial Officer

Data Management Policies

Data Management policies are issued by the Committee of Data Stewards.

PolicyName
DM-01Policy for Management of Institutional Data
Standards for Management of Institutional Data

Security & Policy Blog Posts

  • May 17, 2013 at 12:52 PM

    • Critical Linux Kernel Security Update
    A local, unprivileged user can use a Linux kernel flaw to gain escalated privileges, without authentication, on a system running a Linux kernel. Technical details, as well as exploit code, have been publically released.
  • April 10, 2013 at 4:07 PM

    • S/MIME certificates available
    S/MIME certificates are now available to all IU personnel at no cost.
  • March 13, 2013 at 4:00 PM

    • Policy Draft IT-28 Provisioning of IT Services
    IU VP for IT and Chief Information Officer, Brad Wheeler, spoke at a town hall meeting on March 8th on the subject of, “Mitigating Cyber Risks,” including the current risk environment, and the development of IT-28.
  • March 1, 2013 at 5:06 PM

    • Domain 12: Compliance
    As Jacqueline Simmons explains, IU operates in a complex legal, regulatory, & contractual environment, with responsibilities to comply with applicable legal, regulatory, & contractual requirements regarding safeguards over information and information assets. Doing so protects the university's reputation & minimizes the risk of negative financial consequences associated with noncompliance.

    Recent Security Bulletins

  • February 12, 2013 at 11:03 AM

    • Vulnerabilities in Adobe ColdFusion
    This bulletin details four recently published, critical rated, vulnerabillies in Adobe ColdFusion and ways to mitigate the risk of them being exploited including the hotfix for supported versions.
  • January 22, 2013 at 9:02 AM

    • Java Security Recommendations
    As the use of Java applets on websites continues to diminish and in light of the rash of recent vulnerability exploits, the implications of installing Java for use in web browsers should be considered carefully.
  • January 10, 2013 at 1:59 PM

    • Zero Day Java 7 Vulnerability
    On January 10, 2013, security researchers reported a zeroday vulnerability in Oracle Java 1.7u10.
  • November 8, 2012 at 3:50 PM

    • Vulnerability in Symantec Endpoint Protection
    On November 5th, 2012, the United States Computer Emergency Readiness Team (US-CERT) website announced their researcher had discovered a vulnerability in the way some versions of Symantec Endpoint Protections handle CAB files. This vulnerability may allow an unauthenticated remote or local attacker to execute arbitrary code with SYSTEM privileges on a targeted computer.