About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU

IT-28 basics

New and recurring cyber threats constantly expose the university to risks. To reduce the likelihood and impact of such threats, IU units must proactively manage risk and keep up with evolving industry standards.

As of May 17, 2013, Indiana University's Cyber Risk Mitigation Responsibilities (IT-28) policy applies to all units and organizations on any IU campus that make use of the university's information technology infrastructure. Comprehensive evaluations were completed in 2014; the policy calls for a formal review of plans every two years.

The goal of IT-28 is to ensure that the IU community minimizes the unnecessary creation of cyber risks, while also enabling the productive work of all units. This requires a balanced approach to (a) limiting circumstances that introduce cyber risks, (b) taking measured actions that can help mitigate remaining risks, and (c) minimizing negative impact to university operations and activities. The policy recognizes this necessary balance, and creates a framework and procedures to formally review and document each unit's cyber risk mitigation approaches and responsibilities.

The IT-28 policy statement is simple and allows for flexibility in its implementation.

Who to involve

All departments and units that maintain any IT services, or make use of IU IT resources, must do a risk assessment and create a plan to mitigate risk. Risk mitigation in alignment with IT-28 requires input, discussion, and analysis by deans, directors, business managers, and IT Pros, who must themselves seek input from faculty, staff, researchers, and other constituencies in their units to gain contextual understanding, and to recognize the inherent risks and potential impacts of various mitigation options.

This process is of particular concern for administrative units that maintain critical or highly sensitive data. However, academic and administrative leaders also must understand and accept responsibility for any cyber risks that exist within their university departments or units.

Further points for consideration

  • IT-28 primarily involves risk assessment and risk mitigation. An individual, department, or responsibility center may conclude that the current risk profile of a particular departmental service is acceptable (and gain relevant approval).
  • Each unit also may decide to reduce risks by changing configurations on systems, relocating systems to a UITS-managed secure data facility, or migrating services from departmental servers to one of the array of service options offered by UITS.
  • UITS provides many baseline services at no direct cost to the user(s) of those services. In the case of chargeback services offered to the IU community, IT-28 specifies that UITS will be cost-competitive with comparable commercial offerings. For more, see Enterprise services for units in support of the IT-28 policy .

How to get started

Any department or unit that has not already done so, must prepare an initial comprehensive evaluation of its IT needs. To prepare an evaluation, a unit should:

  1. Determine what unit-level IT systems and services are candidates for use by UITS or group-level information technology provider(s).
  2. Develop a plan with target dates agreed to by the unit head or delegate.
  3. Prepare a formal risk assessment and risk mitigation plan to be discussed and approved jointly by the unit head (e.g., dean, vice president, or director) and the Chief Information Officer & Vice President for IT. Establish and maintain appropriate capacity and expertise for risk mitigation, IU policy alignment, and quality management of IT services that remain in an organizational unit.


Getting help

For help interpreting university policies, contact the University Information Policy Office.

For help analyzing your unit's IT environment and understanding UITS service offerings, or for consultation on any phase of planning or decision making, contact UITS IT Community Partnerships (ITCP) at talk2uits@iu.edu.

This is document bdls in the Knowledge Base.
Last modified on 2017-04-27 12:35:38.

  • Fill out this form to submit your issue to the UITS Support Center.
  • Please note that you must be affiliated with Indiana University to receive support.
  • All fields are required.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.

  • Fill out this form to submit your comment to the IU Knowledge Base.
  • If you are affiliated with Indiana University and need help with a computing problem, please use the I need help with a computing problem section above, or contact your campus Support Center.

Please provide your IU email address. If you currently have a problem receiving email at your IU account, enter an alternate email address.