Cyber Risk Mitigation Responsibilities
University Information Policy Office, email@example.com
This policy is applicable to Indiana University’s (IU) academic and administrative subunits, auxiliary units, and any affiliated organizations (collectively referred to as “Units”) on all campuses that make use of IU’s information technology infrastructure.
Cyber Risks to the University are Increasing
By 2013, it is clear that Indiana University faces a rising array of Cyber Risks from an increasingly connected world. Cyber security incidents and documented threats demonstrate a growing technical sophistication and acceleration that have substantially raised the risk profile to essential IU information and technology systems. These risks are particularly significant since cyber attacks are increasingly coming from organized criminal enterprises, corporate businesses, or branches of foreign governments. Escalation of these risks seems likely as networks connect more types of devices that make more desirable targets for malicious activities.
This rise in cyber security risks joins the well-known risks of physical security for systems (protection from theft or misuse), natural disasters, and even building failures (e.g., broken water pipe). Loss of irreplaceable data from these risks or long system recovery times could have highly detrimental consequences to the work of IU.
Every additional physical computing device – particularly servers that are a primary target for cyber attacks – increases Cyber Risk as it adds a potential target and is another device that must be physically secured, powered, cooled, maintained, patched, and monitored for malicious activity. A compromised server in one unit may be used for malicious activity inside the IU network in ways that disrupt the work of other units. Compromised devices can be used as part of maliciously controlled “bot” networks that are used to attack other systems within and beyond IU. Thus, reducing the number of physical computing devices while still achieving unit goals is one important approach for mitigating IU’s collective Cyber Risks.
The goal of this policy is to ensure that the IU community minimizes to the greatest extent practicable the unnecessary creation of Cyber Risks while also enabling the productive work of all units. This requires a balanced approach to activities that (a) create Cyber Risks and (b) activities that can help mitigate them. Both enabling and mitigating are essential for the diverse IT services required for the university’s research, education, and service mission. The policy creates a framework and procedures to formally review and document units’ Cyber Risk mitigation approaches and responsibilities.
Means to Reduce Cyber Risks
Indiana University has made substantial institutional investments in secure physical facilities (IU Data Centers), IT infrastructure, IT services, and professional staff with expertise in cyber security to support the university’s common IT needs. Use of these investments is the primary means to reduce Cyber Risks by having fewer physical devices as targets and fewer devices in less secure facilities.
Thus, whenever practicable, establishing physical security for servers in a highly secure, 24 x 7 monitored, protected facility is an essential first step for risk mitigation. Servers that operate outside of IU’s secure data centers increase reputational, financial, and data loss risks for the University and may also contribute to other risks/concerns for IU:
The policy also recognizes that unique needs for some faculty-led research and teaching (academic uses) or unique administrative uses may not be practicable within the common IT infrastructure and services provisioned by UITS. The use of Group-level and Unit-level IT providers is a secondary means to achieve the goal of this policy.
The policy creates a framework to further IU’s organizational partnerships for vigilant efforts to manage and mitigate Cyber Risks for the entire University. It ensures that IU’s collective risks for information technology are understood, mitigated, and managed. When fully implemented, this policy will ensure that appropriate leaders within the University have reviewed and approved the existing balance between Cyber Risk mitigation and residual risk for every unit of IU.
Failure to comply with IU information technology policies may result in sanctions relating to the individual's use of information technology resources or other appropriate sanctions via IU personnel and student policies.
|Policy interpretation and assisting with related contacts||University Information Policy Officefirstname.lastname@example.org|
|Assistance to units in analyzing their IT environments, and understanding UITS service offerings||UITS IT Community Partnershipsemail@example.com|