Resolution of the Trustees of Indiana University
Regarding the Leadership, Responsibility, and Security of IU's Information Technology Infrastructure
Approved: May 4, 2001
The appended material is excerpted from Minutes of the Trustees of Indiana University, Indiana University Purdue University Indianapolis, 4-May-2001.
The following comments were subsequently distributed widely by then Vice President for Information Technology and Chief Information Officer Michael McRobbie:
The following resolution was passed unanimously by the Board of Trustees at their meeting [May 4, 2001]. In accordance with this resolution I am authorizing Mark Bruhn [University Chief IT Security and Policy Officer] to exercise the authority conferred by it.
This resolution considerably increases the ability that OVPIT [Office of the Vice President for Information Technology] has, in particular through ITPO [University IT Policy Office] & ITSO [University IT Security Office], to deal with security matters both proactively and reactively. In particular it will allow ITPO and ITSO to take immediate control of any IT security problems that arise where this is necessary. This redoubles the importance of bringing any security problems of which you become aware immediately to the attention of ITPO/ITSO.
Vice President for Information Technology and Chief Information Officer
1. Report from Trustee Morris
Trustee Morris: Thank you, John and thank you, Pete. We had a very good meeting of the Finance and Audit Committee yesterday. First of all, you know that the Finance Committee is also the Audit Committee and, as such, we had our annual meeting with Michael McRobbie, chief information officer, to hear his assessment of information technology on the campus and related security issues. In light of the security breach in the Bursar's Office in December, we wanted to define who within the university has the leadership role in developing and implementing policies that are necessary to minimize unauthorized access to our information technology system. We also wanted to bring some definition as to who would have the responsibility for assuming leadership in the event of a difficulty within the system comparable to the one we had in December. There can be all sorts of security breaches, intrusions into the technology infrastructure, unauthorized disclosure of electronic information, etc. It is important that we be precise as to how these issues are going to be addressed when they come about because they potentially have great significance, and we need to be equipped to deal with the