About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU


To view all the content available to you here, use the green Log in button at the top of this page to log into the Knowledge Base.

On this page:

IT-28 basics

  • Standards-based, proactive risk management: New and recurring cyber threats constantly expose Indiana University to risks. To reduce the likelihood and impact of such threats, IU units must proactively manage risk and keep up with evolving industry standards.
  • Scope: Cyber Risk Mitigation Responsibilities (IT-28) applies to all units and organizations on any IU campus that make use of the university's information technology infrastructure.
  • Goals: The goals of IT-28 are:
    • Consolidation of IT assets into secured facilities
    • Reduction of duplicative services
    • Ensuring proper data protections
    • Focus on operational security
  • IT strategies strongly encouraged:
    • Access control
    • Configuration management
    • Iterative risk/security assessment
  • Ongoing and continuous: Although the policy calls for a formal review of cyber risk mitigation efforts every two years, the cyclical process of assessing, documenting, and mitigating risk is ongoing. To learn more about this process, see Infoshare: Cyber Risk Mitigation - Continuous Engagement (recorded May 4, 2021).
  • Balance: The purpose of IT-28 is to ensure that the IU community minimizes, to the greatest extent practicable, the unnecessary creation of cyber risks, while also enabling the productive work of all units. This requires a balanced approach to (a) activities that create cyber risks, and (b) activities that can help mitigate them. Both enabling and mitigating are essential for the diverse IT services required for the university's research, education, and service mission.

Process overview

The risk mitigation process set out below should be conducted quarterly.

  1. Documentation: Submit and/or update IT security documentation in the context of an IT security framework.
  2. Consultation: Attend consultation(s) or otherwise engage with your UISO-assigned security liaison. The UISO may refer to these consultations as "continuous engagement".
  3. Prioritization: Prioritize and plan risk mitigation.
  4. Mitigation: Implement risk mitigations.

The UISO will report on each unit's cyber risk mitigation efforts at the end of the calendar year.

Frameworks help to prioritize controls

  • Units are encouraged to adopt an IT security framework.
  • Frameworks differ from standard controls in that a framework merely helps to conceptualize and prioritize the implementation of standard controls.
  • Recommended IT security frameworks include:
    • Trusted CI Framework
    • NIST Cyber Security Framework (CSF)
      • The 52 control objectives in the IIT were based on the NIST CSF.

Further points for consideration

  • An individual, department, or responsibility center may conclude that the current risk profile of a particular departmental service is acceptable (and gain relevant approval).
  • Each unit also may decide to reduce risks by changing configurations on systems, relocating systems to a UITS-managed secure data facility, or migrating services from departmental servers to one of the array of service options offered by UITS.
  • UITS provides many baseline services at no direct cost to the user(s) of those services. In the case of chargeback services offered to the IU community, IT-28 specifies that UITS will be cost-competitive with comparable commercial offerings. For more, see Enterprise services for units in support of the IT-28 policy.


Get help

If you have questions concerning IT-28 or cyber risk mitigation responsibilities, email uiso@iu.edu.

This is document bdls in the Knowledge Base.
Last modified on 2024-04-15 15:25:35.