Principles

Information Security & Privacy Program

Each member of the university community has a role in protecting the security and privacy of information and information technology. Therefore, it is critical that the institution's Security and Privacy Principles be clearly articulated so that they may serve as the basis for information protection decisions made in the conduct of the university's mission. These principles must be adopted by, and ingrained into the culture of, the university in order to enhance information security and privacy throughout the institution.

These Security and Privacy Principles are intended to provide high-level guidance for Indiana University's Security and Privacy Program. Permeating these principles are three traditional core elements of information security — confidentiality, integrity, and availability. These three are often referred to in security parlance as "CIA," from the first initials of the three elements. They form the first three Indiana University Security and Privacy Principles:

Confidentiality Principle
Only authorized individuals have access to information.
Integrity Principle
Information must be reliable and accurate (sometimes referred to as the Quality Principle).
Availability Principle
Information must be available when needed.

Added to these first three, are nine more specific Security and Privacy Principles:

Accountability Principle
Accountability and responsibility for the security and privacy of information must be clearly defined and acknowledged (sometimes referred to as the Management, Administrative Requirements, or Responsibility Principle).
Awareness Principle
Members of the university community must be aware of principles, standards, conventions or mechanisms for maintaining the security and privacy of information.
Ethics Principle
Information is to be used, and security and privacy goals are to be executed, in an ethical manner.
Multidisciplinary Principle
Security and privacy governance must address the considerations and viewpoints of all interested parties (sometimes referred to as the Democracy Principle).
Proportionality Principle
Security and privacy safeguards are to be proportionate to the risks.
Integration Principle
Security and privacy design and implementation are to be coordinated and integrated within the system of safeguards and the life of the information asset (sometimes referred to as the Security Management Principle or the Security for Privacy Principle or the  Security Safeguards Principle).
Timeliness Principle
Parties will act in a timely and coordinated manner to prevent or respond to breaches of and threats to security and privacy.
Assessment Principle
Risks to information are to be assessed initially, and reassessed periodically.
Equity Principle
The rights and dignity of individuals are to be respected while carrying out security and privacy goals (sometimes referred to as the  Fairness Principle).

And finally, privacy protection requires additional Principles to be established, particularly related to interactions with the individuals whose information is collected, used, disclosed and retained by Indiana University. Indiana University must balance individual freedom and privacy with the need to serve or protect other core values and operations within the university. Therefore, this Program identifies seven additional Principles, specific to privacy:

Notice Principle
Informs the individual about privacy policies and procedures and identifies the purposes for which the individual's information is collected, used, disclosed and retained (sometimes referred to as the Purpose Specification or the Openness Principle).
Choice & Consent Principle
Obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure and retention of the individual's information, particularly if that information is to be used for a secondary purpose or disclosed to a third party (sometimes referred to as the Objection Principle).
Collection Limitation Principle
Collects only the information needed to achieve the purposes identified by the business unit in support of the university's mission, and as outlined in the notice.
Use & Retention Principle
Uses the individual's information only as outlined in the notice, and keeps the information only as long as necessary to fulfill the  stated purposes.
Disclosure Limitation Principle
Discloses the information to third parties only as outlined in the notice and as consented to by the individual either implicitly or explicitly.
Access Principle
Provides access to the individual to review and update or correct his or her information (sometimes referred to as the Participation Principle).
Monitoring & Enforcement Principle
Monitors compliance and has procedures to address complaints and disputes (sometimes referred to as the Recourse or the Redress Principle).

These nineteen Indiana University Security and Privacy Principles are adapted from the Generally Accepted Information Security Principles 1; security and privacy guidelines created by the Organisation for Economic Co-operation and Development2; the Generally Accepted Privacy Principles3; and the Federal Trade Commission's Fair Information Practice Principles4.

Footnotes

  1. Information Systems Security Association (ISSA). "Generally Accepted Information Security Principles (GAISP) Version 3.0." 2004.
  2. Organisation for Economic Co-operation and Development (OECD). "OECD Guidelines for the Security of Information Systems and Networks -- Towards a Culture of Security," and "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data."
  3. American Institute of Certified Public Accountants, Inc. (AICPA) and Canadian Institute of Chartered Accountants (CICA). "Generally Accepted Privacy Principles." May, 2006.
  4. Federal T