A management framework allows a university to sustain and manage its information security and privacy infrastructure. In order to properly protect the information assets of a large, complex, multi-campus academic institution with many internal units and many external collaborators, a clear organizational structure and outline of responsibilities must be established. This includes both organization for internal security and privacy, and organization for maintaining the security and privacy of information assets that external parties access or manage on behalf of the university. This organizational model can be referred to as a governance framework.
- Standards-based Expectations for this domain
A model framework for security and privacy governance and control is divided into three levels:
- At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the university-wide strategy. The overall strategy and approach to governance and control is established by the Board of Trustees and communicated throughout the university. Executive management also defines the university's risk posture. With the strategy and risk posture defined, senior executives can create policy. Also important is the task of regularly reviewing risk management and compliance reports in order to make corrections.
- At the business process level, business function management creates procedural and technical safeguard standards to apply to specific business activities. Safeguards at the business process level are a combination of manual safeguards operated by the business unit and automated application safeguards. Both are the responsibility of the business unit to define and manage, although automated application safeguards require the IT function to support their design and development. These safeguards are then implemented and monitored by line management, which also educates and supervises staff. Staff do the actual work, provide attestation of actions (e.g., "I have read the policies and I agree to abide by them") and create incident reports when problems arise.
- To support the business processes, technology management and information technology units provide IT services, usually as a shared service to many business processes, since many of the development and operational IT processes are provided to the whole university and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The safeguards applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary before reliance can be placed on automated application safeguards.
Ideally, policy, responsibility, and resources flow downward from executive management; and accountability, status information, assessments, and results flow upward from staff and line managers to business function management and technology management, then ultimately to executive management.
This cycle of policy flowing downward and of results flowing upward allows a university's governance to identify acceptable risks to optimize the business, rather than seeking to simply avoid risks altogether. Risk can be reduced by proactively identifying events carrying negative consequences, then implementing safeguards to reduce the probability of such events or the impact of their resulting consequences.
- IU’s Implementation of Safeguards for this domain
Organization for Information Security and Privacy
Executive management level:
The Board of Trustees operates under Indiana State Code, and their own Bylaws. They also have documented the Delegation of Authority for certain activities to the President, who then has authorized two Vice Presidents to oversee information security and privacy efforts.
- IU President
- Office of the Vice President of Information Technology (OVPIT) - Organizational Charts
- Office of the Executive Vice President for University Regional Affairs, Planning and Policy (EVPURAPP) - Organizational Chart
Executive management has assigned overall coordination of information security and privacy to:
- Public Safety & Institutional Assurance (PSIA) - Organizational Chart
- University Information Policy Office (UIPO)
The authority of the UIPO has been established by a Resolution of the Trustees of Indiana University and confirmed by the Vice President for Information Technology and CIO of Indiana University.
Executive management has assigned information security and privacy compliance oversight to sectors as outlined in Domain 12: Compliance. These offices are responsible for specific legislative, regulatory, or contractual obligations related to information security and privacy.
Governance groups for aspects of information security and privacy include:
- The Information Security and Privacy Risk Council is a standing committee providing broad strategic guidance and oversight to support the university-wide Indiana University Information Security and Privacy Program ("ISPP").
The Council reviewed the entirety of the current Program in 2011 and endorsed the framework and its safeguards as being appropriate and necessary. In April 2012, the VP for Information Technology and the Executive VP for University Regional Affairs, Planning, and Policy issued a memo to the President's Cabinet informing them of the Program and asking them to distribute the information to their organizations.
- Committee of Data Stewards (CDS) - The Committee of Data Stewards, as a group, is responsible for establishing policies, procedures, and guidelines for management of information across Indiana University. Individually, each of the Data Stewards has management and policy-making responsibilities for specific data subject areas.
Business process level:
IU is organized by campus (with Chancellors as leaders) and by Vice Presidents (with university-wide responsibilities for certain business functions):
Technology management level:
University Information Technology Services (UITS) is the central computing organization for all campuses at IU. Schools and departments may also hire IT Professionals; UITS provides support and communication to them through IT Professional Services and Support.
Roles and responsibilities
- ISPP-25.1 Standard: Information Security and Privacy Roles and Responsibilities (in process)
- Indiana University Mission
- The President's Vision and Initiatives
- The President's Principles of Excellence
- Empowering People: Indiana University's Strategic Plan for Information Technology: A plan for the pervasive use of IT to help build excellence in education and research in all disciplines, in administration, in IU's engagement in the life of the State, across all campuses, and in collaboration with IU's key partners such as Clarian Health and institutions of higher education in the State.
Universities face risks associated with providing third parties with access to data and information. Any access to the university's information or information systems by external parties should be controlled. Prior to accepting a relationship with an external party, a risk assessment is critical for identifying security and privacy conflicts and risks. Any safeguards identified for addressing these risks should be defined in a written agreement with the external party.
- IU’s Implementation of Safeguards for this Domain
Roles and Responsibilities
Formal relationship agreements with external parties may be documented with one of the following processes, depending on the type of relationship:
- A contract through the IU Office of Procurement Services
- An External Agency Agreement through the IU Office of the Treasurer
- An agreement through the IU Research & Technology Corporation
- An agreement through the IU Office of the Vice President for Research
- A contract through the University Architect's Office
- A grant through IU Grants and Contracts
Note that leases for space are not considered formal relationship agreements for the purposes of gaining access to IU technology or information assets.
A third party security and privacy assessment procedure is coordinated by Purchasing, the University Information Security Office, and the Committee of Data Stewards.
Establishes and clarifies policies regarding signature authority and the delegation of signature authority with respect to contracts and agreements between the University and third parties.
Outlines who is authorized to commit university funds for goods and services.
Establishes that the acquisition of goods and services is a cooperative effort between the requesting department and purchasing department.
Describes who is authorized to contract with a third-party administrator to secure international goods and services.
Establishes policy and an operating framework for Indiana University to serve as fiscal agent for certain entities that are external to IU governance.
Data Security Agreement — Guidelines for Access and Use | Used to inform third parties of their responsibilities and to document the grant of access, such as when vendors are provided access to data.
A sample template for tracking a unit's relationships with external parties is available at the top of the page in the "Ready to Start..." box.
- IU’s Implementation of Safeguards: Treating Security and Privacy Risks
Arrangements to share financial aspects of risk using insurance are coordinated by the Office of Insurance, Loss Control & Claims.
Arrangements to share aspects of risk with an outsourced party are coordinated by the Office of Procurement Services.
Summary of Domain Objectives
The primary objectives of this domain are to ensure:
- a clear management structure is established to initiate and control the implementation of information security and privacy
- management approves information protection policy
- management assigns security and privacy roles
- management coordinates and reviews implementation of the Information Security and Privacy Program
- management establishes a source for security and privacy advice and makes it available to the university community
- the security of information that is accessed, processed, communicated to, or managed by external parties
- For more on Risk Assessment, see Domain 1: Information Security and Privacy Risk Assessment and Treatment
- Organization of Information Security | EDUCAUSE/Internet2 Information Security Guide