Information Security & Privacy Program
The use of information is woven into the fabric of the university, and information technology (IT) has dramatically changed the way information is processed. Given the importance of information and information technology to Indiana University ("IU" or "University" hereafter), it is essential to protect both, while at the same time facilitating their widespread and appropriate use. The loss, corruption, inappropriate disclosure, or exposure of information can interfere with executing IU's mission, cause business disruption, damage IU's reputation, or result in financial penalties. This information must be protected during all stages of its life: when it is created, collected, stored, manipulated, and transmitted; and when it is no longer useful.
An appropriate protection strategy - or Information Security and Privacy Program - must exist to promote safeguards1 that adequately protect information but do not impede its appropriate widespread use. The Program must respect the privacy of individuals and hold all individuals accountable to high ethical standards. It must also incorporate a sound risk assessment methodology, and provide for taking actions to address identified risks where necessary.
An Information Security Program is a "methodical, programmatic approach to implementing and managing security within an organization." 2 IU's Information Security and Privacy Program ("Program" hereafter) outlines a University-wide approach to implementing and managing information and information technology security and privacy. It describes the University's philosophies, values, and approach to safeguarding information and information technology.
IU's Program applies to all information assets created, collected, stored, manipulated, transmitted or otherwise used in the pursuit of Indiana University's mission, regardless of the ownership, location or format of the information. It also applies to all individuals encountering those information assets, regardless of the user's role or affiliation.
Goals and Objectives
The goals of IU's Program are to facilitate information security and privacy approaches in order to:
- Maintain the University's viability, both reputational and operational, as a premier institution of higher education
- Support the University's mission of education (teaching and learning), research, and engagement (outreach and service)
- Guide the conduct of University business
To accomplish these goals, the University must: improve overall information security and privacy practices; ensure compliance with state and federal laws, regulations, industry standards, and contractual requirements; increase the value of information while appropriately managing risk; and promote a culture in which individuals are aware of and vigilant concerning the privacy, confidentiality, integrity, and availability of the information encountered in their duties.
These goals cannot be achieved by technology alone. Governance, awareness and training, and other non-technology components are arguably more important than technology in improving the University's security and privacy posture. Likewise, the University must not focus solely on electronic information; much institutional data resides in printed form. It is important to remember that all members of the University community, regardless of affiliation of campus, school, unit, or area of expertise, use or encounter information.
Building a Program involves coordinating many activities. IU's Program establishes a framework that will bring together the appropriate people, tools, and guidance needed to structure the University community's efforts.
IU's Program is designed to achieve the following information security and privacy objectives:
- Establish institutional security and privacy principles that guide behavior and decision-making at IU
- Marshal the existing people, processes, and tools available to assist in achieving these security and privacy objectives, regardless of the unit responsible for providing or using them
- Determine the security and privacy risks facing IU
- Provide tools for assessing progress on addressing risks and meeting security and privacy goals
- Identify the gaps & areas where IU does not adequately address risks or meet security and privacy goals
- Create plans for addressing the gaps
- Facilitate collaboration to identify effective and efficient solutions
- Document the University's compliance with applicable laws, regulations, standards, and contractual requirements
The role of governance in an organization is to set policy, establish authority and responsibility, and implement accountability. The IT Governance Institute defines security governance as:
"...the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly." 3
Privacy governance can be achieved the same way, but privacy objectives will often expand upon, or need to be balanced with objectives defined by security. Privacy is defined as the rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.4 In particular, privacy objectives will take into account not only regulatory and legal compliance, but must also consider the moral and ethical values of the community.
Information and information technology security and privacy governance consists of all of the tools, personnel, and business processes that ensure safeguards are implemented to meet an organization's specific needs, while balancing privacy objectives, loss reduction, liability limitation, identification of opportunities, and cost of protection. 5 It requires organizational structure, roles and responsibilities, performance measurement, and defined tasks and oversight mechanisms. 6
IU's Program is governed by the Information Security and Privacy Risk Council.
Each member of the University community has a role in protecting the security and privacy of information and information technology. Therefore, it is critical that the institution's security and privacy principles be clearly articulated so they can serve as the basis for information-protection decisions made in conducting the University's mission. These principles must be adopted by, and ingrained into the culture of the University to enhance information security and privacy throughout the institution.
Safeguards, organized by domain
The CIO Strategy Center states:
"Building an institution's enterprise information security program around a standard framework should permit common solutions in varying regulatory areas, should be more efficient, and should help convey the credibility of the program to the various auditors and examiners who may come calling."7
IU's Program is based on widely accepted information security and privacy principles and standards. Common areas of information security and privacy activities are grouped into twelve specific domains. This domain grouping allows the use of common vocabulary and structure to identify and track projects, actions, policies, tools, and other safeguards.
The Indiana University Security and Privacy Domains are adapted from the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) international standard ISO/IEC 27002:2005 on Information Security Management. 8
- Safeguards are the administrative (e.g., policies, procedures), technical, and physical measures put in place to protect information.
- Robert B. Kvavik and John Voloudakis, Safeguarding the Tower: IT Security in Higher Education 2006 (Boulder, CO: EDUCAUSE Center for Applied Research, 2006), 94
- Board Briefing on IT Governance, 2nd ed. (Rolling Meadows, IL: IT Governance Institute, 2003), 6
- Generally Accepted Privacy Principles: A Global Privacy Framework ([Durham, NC?]: American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, 2006), 4
- Bob Blakley, Governance, Risk, and Compliance (Midvale, UT: Burton Group, 2008)
- Shon Harris, "Information Security Governance Guide," SearchSecurity.com (August 17, 2006)
- CIO Executive Council, "Deliver Value While Delivering Compliance", available December 30, 2008
An EDUCAUSE Research study states that the goal of an Information Security Program is to "embed security into the organizational fabric, making it an accepted, ongoing part of everyday activities." 9 IU's Information Security and Privacy Program was developed with this goal in mind. It also seeks to enable appropriate widespread use of IU's information assets, respect the privacy of individuals, and hold all individuals encountering information or information technology assets accountable to high ethical standards.top