About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU

Cycle 2 assessments begun prior to 2021 will be conducted according to the archived version of this page, viewable at ARCHIVED: About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU, Cycle 2.

IT-28 basics

  • Standards-based, proactive risk management: New and recurring cyber threats constantly expose Indiana University to risks. To reduce the likelihood and impact of such threats, IU units must proactively manage risk and keep up with evolving industry standards.
  • Scope: The Cyber Risk Mitigation Responsibilities policy (IT-28) applies to all units and organizations on any IU campus that make use of the university's information technology infrastructure.
  • Goals: The goals of IT-28 are:
    • Consolidation of IT assets into secured facilities
    • Reduction of duplicative services
    • Ensuring proper data protections
    • Focus on operational security
  • IT strategies strongly encouraged:
    • Access control
    • Configuration management
    • Iterative risk/security assessment
  • Ongoing and continuous: Although the policy calls for a formal review of cyber risk mitigation efforts every two years, the cyclical process of assessing, documenting, and mitigating risk should be ongoing. To learn more about this process, see Infoshare: Cyber Risk Mitigation - Continuous Engagement (recorded May 4, 2021).
  • Balance: The purpose of IT-28 is to ensure that the IU community minimizes, to the greatest extent practicable, the unnecessary creation of cyber risks, while also enabling the productive work of all units. This requires a balanced approach to (a) activities that create cyber risks, and (b) activities that can help mitigate them. Both enabling and mitigating are essential for the diverse IT services required for the university's research, education, and service mission.

Process overview

The risk mitigation process set out below should be conducted quarterly.

  1. Documentation: Submit and/or update documentation.
  2. Consultation: Attend consultation with your UISO-assigned security liaison.
  3. Prioritization: Prioritize and plan risk mitigation.
  4. Mitigation: Implement risk mitigations.

Units will receive an annual risk report at the end of the calendar year.

Process improvement

In keeping with the iterative nature of IT-28, the IU IT community will build upon the efforts of previous rounds of formal reviews.

  • The UISO will develop an IU Benchmark for CIS-CAT Assessor to aid departments in hardening their builds. Units should run this on their systems to determine risk mitigation steps.
  • Analysts will assist units with using Qualys for vulnerability scanning. Qualys scans will need to be reviewed at regular intervals to determine risk mitigation steps.
  • Foundational elements of operational security will continue to be introduced to the community.
  • Updating the IT-28 Inventory Tool (IIT) may be done more easily by requesting a prepopulated IT-28 server upload template.
  • The comprehensive evaluation (CE) form will likely evolve so it is more applicable to "fully supported" units.
  • Subject matter experts will be consulted more efficiently; the peer-review team approach will be abandoned in favor of single-analyst assessments.
  • Consultations will be used to help identify risks and prioritize mitigations.
  • The assessment and mitigation process may be conducted with a more targeted scope in multiple iterations so that mitigations may be implemented more quickly and the process is more consumable by units.

Control objectives

  • NIST-based: The IIT includes 52 control objectives from the NIST Cyber Security Framework (CSF).
  • Action: Each unit should use the IIT to document its current and target tier for each control objective. Collectively, this documentation for a unit may be referred to as the "current profile" or "target profile", respectively.
  • Tiers: Tiers describe the degree to which a unit's cybersecurity risk management practices exhibit the characteristics defined in the Framework.
    • Partial (tier 1)
    • Risk-informed (tier 2)
    • Repeatable (tier 3)
    • Adaptive (tier 4)
  • Determining tiers: Tier selections for the control objectives should be based on the unit as a whole, not scoped only to IT-28 assets (servers). Although some subcategories are primarily addressed at an enterprise level, units will have some level of responsibility.
  • Baseline goal: At IU, the baseline target profile for all units is a tier 2, across all controls; however, it may be necessary to secure your unit's environment at a higher tier, depending on its business process and the classification of data involved.
    Although the target profile may be set at a tier 2, units should understand that it is a target that may take more than one iteration of risk assessment and mitigation to achieve (for example, multiyear projects). Creating a target profile with a target of tier 2 shows a commitment to meeting that target in the long term, not necessarily by a unit's next iteration of assessment.

For more about these control objectives, see page 49 of the handbook and the IIT videos.

Further points for consideration

  • IT-28 primarily involves risk assessment and risk mitigation. An individual, department, or responsibility center may conclude that the current risk profile of a particular departmental service is acceptable (and gain relevant approval).
  • Each unit also may decide to reduce risks by changing configurations on systems, relocating systems to a UITS-managed secure data facility, or migrating services from departmental servers to one of the array of service options offered by UITS.
  • UITS provides many baseline services at no direct cost to the user(s) of those services. In the case of chargeback services offered to the IU community, IT-28 specifies that UITS will be cost-competitive with comparable commercial offerings. For more, see Enterprise services for units in support of the IT-28 policy.
  • If your unit is fully supported (in other words, it does not manage its own information technology resources), you can complete an alternative IT-28 Participation Form (likely to be merged with the Comprehensive Evaluation in 2021). See About the IT-28 Participation Form.


Get help

For help interpreting university policies, contact the University Information Policy Office.

If you have questions concerning IT-28, send email to it28help@iu.edu.

This is document bdls in the Knowledge Base.
Last modified on 2021-05-05 14:08:27.