Why do we need an explicit information governance structure?
Various Federal and State statutory obligations and contractual terms increasingly require the university to document and employ reasonable safeguards to protect the security and privacy of information. In order to assign responsibility for ensuring this happens, and to provide guidance to the university community on how to respond appropriately to information issues, IU needs a documented structure for ensuring such guidance is issued, communicated, and kept up-to-date.
Why now?
A structure for information governance was first instituted in the early 1990s. A Committee on Institutional Data was created, Data Stewards were identified, and a Committee of Data Stewards (CDS) was charged with providing a data management infrastructure university-wide. This first CDS identified a university-wide philosophy on access to data, created a classification structure, and issued statements on appropriate data handling.
In 2006, Indiana enacted laws that were the latest in a series of recent federal and state laws that grant special protection to certain types of information. It is now a crime for an individual to disclose certain information in violation of the laws. This significantly increases the risk for IU employees who may come across this information in the course of their duties. It is important that we review and update IU data access and protection policies and procedures as necessary, and ensure employees are informed of their responsibilities.
In 2007, Internal Audit issued a critical finding that employees with access to highly sensitive information were unaware of their responsibilities for protecting the security and privacy of that information. They recommended that the CDS be reinvigorated to address this and other deficiencies.
Who gave the authority for this renewed activity?
President McRobbie, as a result of the Internal Audit finding, requested that Brad Wheeler, Vice President for IT and Chief Information Officer, and Mark Bruhn, AVP for Information and Infrastructure Assurance, develop a set of actions designed to improve the university’s overall data management posture, and reduce overall risk. Two of the main components of that action plan were 1) reinvigorating and re-charging the Committee of Data Stewards, and 2) ensuring awareness among users of data.
Why can’t we just use the documents and policies the CDS developed in the 1990s?
Generally, the policies and guidance issued by the CDS in the 1990s still apply today. However, those documents were issued sporadically and were not in a very user-friendly format. It is difficult for an employee of IU to find the answers to particular questions about the proper handling of information. In addition, the focus in the 1990s was on access, rather than on security and privacy, which have been the focus of recent legislation and regulation.
Part of the renewed activity of the CDS has involved consolidating and reformatting their documentation to be more usable. However, there is a clear need to modernize this guidance, to ensure it addresses recent legislative activity, to match language to current national standards and generally accepted practices, and to use a formal policy process when issuing newly created or revised documents so that the entire university community has input and becomes aware of the existence of this guidance.
Why does the work of the CDS cover information in ALL formats (e.g., electronic or paper)?
In a nutshell, legislation and regulation of sensitive information covers such information in any format. The same requirements and penalties apply whether, for example, a social security number is on a web site, on a compromised computer, on a piece of paper in the trash, verbally shared via phone or in a public place, or in any other format imaginable including in a published article or book or perhaps even in artwork. The point is that the information element is protected. Remember, the consequences to any one individual for not applying the appropriate protections can include criminal action, fines, and jail time! It is important to think about the data or information element itself, not the format, to ensure it is handled appropriately.
How do the members of the CDS get assigned?
As a governance group, the members are individuals who have system-wide responsibility and/or extensive recognized expertise for a particular information type, business sector, or business function. The intent is that each major functional operation of the university and all major information types be represented by the person within the university that has the most extensive experience and the broadest organizational view for that area. Each CDS member then interacts and communicates with constituents for that operation or information type through their normal communication channels for other aspects of the management of that operation or information type.
The President has assigned oversight of the Committee of Data Stewards to the Vice President for Information Technology and University Chief Information Officer who, in consultation with the President (as needed) and with other stakeholders, will strive for appropriate and broad representation on the committee and account for the changing needs of the university.
What types of things does the Committee of Data Stewards do?
The Information Governance policy assigns four major responsibilities to the CDS:
- establishing and maintaining roles and responsibilities for individuals and groups who are charged with various aspects of managing information throughout its entire life cycle;
- creating and maintaining a program for the classification of information in order to facilitate access, and to establish appropriate confidentiality, integrity, availability, use control, and accountability expectations for information commensurate with each classification level;
- articulating and maintaining coordinated information management standards in order to promote widespread, appropriate, efficient, and effective use of information; and
- developing and maintaining priorities and strategies to educate users of information on their responsibility to adhere to established policies, standards, guidelines and procedures, and supporting documents.
Why isn’t there much detail in this policy?
Policies establish responsibility and outline overarching, high-level statements of philosophies and values. The individuals or groups assigned the responsibility within a policy are to apply the stated philosophies and values as they carry out that work. This policy assigns the Committee of Data Stewards responsibility for the four bullet points outlined above, and they are to apply the philosophy outlined in the first paragraph of the Policy Statement as they carry out that responsibility:
"Members of the Indiana University community must be able to efficiently and effectively execute and enhance their university duties through facilitated access and informed use of information, in accordance with applicable laws and regulations, university policies, and aspects of prudent stewardship."
The assigned group, the CDS, then will strive to fulfill that responsibility within that philosophy, and will issue further documents that provide the details.
Do we get a chance to review subsequent documents issued by the CDS?
Yes. Notice that the "Procedures" section of the Policy obligates the CDS to use a formal review process when issuing documents, so that input is solicited and considered as they work out the details. Watch for announcements to the list of Stakeholders as listed in the policy development process. If your area is not represented in that Stakeholders list, contact the UIPO to ask to be included.
Related Information
- ISPP-25: Information Governance
- Related documents can be found in the Information Security and Privacy Program
- Definitions can be found in the Information Security and Privacy Program Glossary
Policy History
- Revised: October 23, 2009
- Drafted: September 8, 2009
