Information Security & Privacy Program
Each member of the university community has a role in protecting the security and privacy of information and information technology. Therefore, it is critical that the institution's Security and Privacy Principles be clearly articulated so that they may serve as the basis for information protection decisions made in the conduct of the university's mission. These principles must be adopted by, and ingrained into the culture of, the university in order to enhance information security and privacy throughout the institution.
These Security and Privacy Principles are intended to provide high-level guidance for Indiana University's Security and Privacy Program. Permeating these principles are three traditional core elements of information security — confidentiality, integrity, and availability. These three are often referred to in security parlance as "CIA," from the first initials of the three elements. They form the first three Indiana University Security and Privacy Principles:
- Confidentiality Principle
- Only authorized individuals have access to information.
- Integrity Principle
- Information must be reliable and accurate (sometimes referred to as the Quality Principle).
- Availability Principle
- Information must be available when needed.
Added to these first three, are nine more specific Security and Privacy Principles:
- Accountability Principle
- Accountability and responsibility for the security and privacy of information must be clearly defined and acknowledged (sometimes referred to as the Management, Administrative Requirements, or Responsibility Principle).
- Awareness Principle
- Members of the university community must be aware of principles, standards, conventions or mechanisms for maintaining the security and privacy of information.
- Ethics Principle
- Information is to be used, and security and privacy goals are to be executed, in an ethical manner.
- Multidisciplinary Principle
- Security and privacy governance must address the considerations and viewpoints of all interested parties (sometimes referred to as the Democracy Principle).
- Proportionality Principle
- Security and privacy safeguards are to be proportionate to the risks.
- Integration Principle
- Security and privacy design and implementation are to be coordinated and integrated within the system of safeguards and the life of the information asset (sometimes referred to as the Security Management Principle or the Security for Privacy Principle or the Security Safeguards Principle).
- Timeliness Principle
- Parties will act in a timely and coordinated manner to prevent or respond to breaches of and threats to security and privacy.
- Assessment Principle
- Risks to information are to be assessed initially, and reassessed periodically.
- Equity Principle
- The rights and dignity of individuals are to be respected while carrying out security and privacy goals (sometimes referred to as the Fairness Principle).
And finally, privacy protection requires additional Principles to be established, particularly related to interactions with the individuals whose information is collected, used, disclosed and retained by Indiana University. Indiana University must balance individual freedom and privacy with the need to serve or protect other core values and operations within the university. Therefore, this Program identifies seven additional Principles, specific to privacy:
- Notice Principle
- Informs the individual about privacy policies and procedures and identifies the purposes for which the individual's information is collected, used, disclosed and retained (sometimes referred to as the Purpose Specification or the Openness Principle).
- Choice & Consent Principle
- Obtains implicit or explicit consent from the individual with respect to the collection, use, disclosure and retention of the individual's information, particularly if that information is to be used for a secondary purpose or disclosed to a third party (sometimes referred to as the Objection Principle).
- Collection Limitation Principle
- Collects only the information needed to achieve the purposes identified by the business unit in support of the university's mission, and as outlined in the notice.
- Use & Retention Principle
- Uses the individual's information only as outlined in the notice, and keeps the information only as long as necessary to fulfill the stated purposes.
- Disclosure Limitation Principle
- Discloses the information to third parties only as outlined in the notice and as consented to by the individual either implicitly or explicitly.
- Access Principle
- Provides access to the individual to review and update or correct his or her information (sometimes referred to as the Participation Principle).
- Monitoring & Enforcement Principle
- Monitors compliance and has procedures to address complaints and disputes (sometimes referred to as the Recourse or the Redress Principle).
These nineteen Indiana University Security and Privacy Principles are adapted from the Generally Accepted Information Security Principles 1; security and privacy guidelines created by the Organisation for Economic Co-operation and Development2; the Generally Accepted Privacy Principles3; and the Federal Trade Commission's Fair Information Practice Principles4.
- Information Systems Security Association (ISSA). "Generally Accepted Information Security Principles (GAISP) Version 3.0." 2004.
- Organisation for Economic Co-operation and Development (OECD). "OECD Guidelines for the Security of Information Systems and Networks -- Towards a Culture of Security," and "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data."
- American Institute of Certified Public Accountants, Inc. (AICPA) and Canadian Institute of Chartered Accountants (CICA). "Generally Accepted Privacy Principles." May, 2006.
- Federal Trade Commission. "Fair Information Practice Principles." Available September 16, 2008.
Sources for Security and Privacy Principles
- OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security
Organisation for Economic Co-operation and Development (OECD): 2002
- Generally Accepted Principles and Practices for Securing Information Technology Systems
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-14: 1996 (PDF)
- Generally Accepted Information Security Principles (GAISP), v3.0 Information Systems Security Association (ISSA): 2004 (PDF)
- Generally Accepted Privac