Scope
This policy applies to the high-level governance (as detailed in the four bullet points of the policy statement) of all university information, regardless of the location or format of the information. It also applies to all individuals encountering university information, regardless of the user’s role or affiliation. It does not extend to the special governance requirements that may be necessary for certain information types such as research information, intellectual property, health information, etc. It also does not apply to personal data that may reside on university information technology resources as a consequence of incidental personal use of those resources.
Reason for Policy
Information represents a valuable asset that is critical to the operation of the university. The value of information as an institutional resource is increased through its widespread and appropriate use, and its value is diminished through misuse, misinterpretation, or unnecessary restrictions on its access. In addition, various legal, regulatory, and contractual terms require the university to document and employ reasonable safeguards to protect information. Therefore, principles of information management must be articulated and applied uniformly to maintain and increase the value and to promote the confidentiality, availability, and integrity of the information while promoting its widespread and appropriate use.
The over-arching goals of Indiana University’s Information Security and Privacy Program and associated policies and standards are to maintain Indiana University’s viability, both reputational and operational, as a premier institution of higher education; to support its mission of education (teaching and learning), research, and engagement (outreach and service); and to guide the conduct of university business.
Policy Statement
Members of the Indiana University community are to be able to efficiently and effectively execute and enhance their university duties through facilitated access and informed use of information, in accordance with applicable laws and regulations, university policies, and aspects of prudent stewardship.
The Committee of Data Stewards, appointed by the Vice President for Information Technology, has overall responsibility for coordinating high-level policies, standards, guidelines, and procedures needed to facilitate use of Indiana University information. Activities of the committee include, but are not limited to:
- establishing and maintaining roles and responsibilities for individuals and groups who are charged with various aspects of managing information throughout its entire life cycle;
- creating and maintaining a program for the classification of information in order to facilitate access, and to establish appropriate confidentiality, integrity, availability, use control, and accountability expectations for information commensurate with each classification level;
- articulating and maintaining coordinated information management standards in order to promote widespread, appropriate, efficient, and effective use of information; and
- developing and maintaining priorities and strategies to educate users of information on their responsibility to adhere to established policies, standards, guidelines and procedures, and supporting documents.
Procedures
The President has assigned oversight of the Committee of Data Stewards to the Vice President for Information Technology and University CIO who, in consultation with the President (as needed) and with other stakeholders, will strive for appropriate and broad representation on the committee and account for the changing needs of the university.
In addition to setting high-level guidance related to the use and management of Indiana University information, the Committee of Data Stewards will collaborate and coordinate with other university groups that have more granular responsibility for certain information types (e.g., research information, intellectual property, health information, etc.) in order to identify common standards for all types of information.
The Committee of Data Stewards will also follow the policy development process of the University Information Policy Office in the development of policy. Other documentation such as standards and guidelines will be available for stakeholder review, comment, and feedback for at least 30 days prior to adoption.
Questions and exception requests can be made to the Committee of Data Stewards, and appeals can be directed to the Vice President for Information Technology through the University Information Policy Office.
Procedures will be detailed in supporting standards documents (when available).
- ISPP 25.1 Standard: Information Security and Privacy Roles & Responsibilities
- ISPP 25.2 Standard: Information Classification
- ISPP 25.3 Standard: Information Collection
- ISPP 25.4 Standard: Information Accuracy
- ISPP 25.5 Standard: Information Access
- ISPP 25.6 Standard: Information Use, Processing and Manipulation
- ISPP 25.7 Standard: Information Transmission
- ISPP 25.8 Standard: Information Storage
- ISPP 25.9 Standard: Information Retention
- ISPP 25.10 Standard: Information Sharing and Disclosure
- ISPP 25.11 Standard: Information Disposal
- ISPP 25.12 Standard: Information Security and Privacy Awareness Training
Sanctions
Indiana University will handle reports of misuse and abuse of information and information technology resources in accordance with existing policies and procedures issued by appropriate authorities. Depending on the individual and circumstances involved, this could include the offices of Human Resources, Dean of Faculties (or campus equivalent), Dean of Students (or campus equivalent), Office of the General Counsel, and/or appropriate law enforcement agencies. See policy IT-02, Misuse and Abuse of Information Technology Resources, for more detail.
Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual’s use of information technology resources (such as suspension or termination of access, or removal of online material); the individual’s employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual’s studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.
Related Information
- Related documents can be found in the Information Security and Privacy Program
- Definitions can be found in the Information Security and Privacy Program Glossary
Policy History
- Posted as draft: October 31, 2009
