About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU

IT-28 basics

New and recurring cyber threats constantly expose Indiana University to risks. To reduce the likelihood and impact of such threats, IU units must proactively manage risk and keep up with evolving industry standards.

Indiana University's Cyber Risk Mitigation Responsibilities (IT-28) policy applies to all units and organizations on any IU campus that make use of the university's information technology infrastructure. The policy calls for a formal review of plans every two years.

The goal of IT-28 is to ensure that the IU community minimizes, to the greatest extent practicable, the unnecessary creation of cyber risks, while also enabling the productive work of all units. This requires a balanced approach to (a) activities that create cyber risks, and (b) activities that can help mitigate them. Both enabling and mitigating are essential for the diverse IT services required for the university's research, education, and service mission. The policy creates a framework and procedures to formally review and document units' cyber risk mitigation approaches and responsibilities.

Process overview

The IU IT community will build upon the efforts of previous rounds of review to embrace the collective role we all play in mitigating cyber risks. The goals of IT-28 remain the same: consolidation of IT assets into secured facilities, reduction of duplicative services, and ensuring proper data protections, with an additional focus on operational security.

This new focus will encourage units to implement controls such as access control, configuration management, and risk/security assessment. The implementation of IT-28 will continue to be an iterative process, with each round of peer review improving community risk mitigation efforts and the overall implementation process.

Process improvement

In keeping with the iterative nature of IT-28's implementation, foundational elements of operational security will be introduced to the community, units will perform an operational security exercise, and peer review teams will assess this initial baseline for the operational security categories in relation to IT-28. Additionally, the old IT-28 Planner (Excel spreadsheet) has been replaced with an online IT-28 Inventory Tool (IIT). The comprehensive evaluation will still be collected using the Comprehensive Evaluation (CE) summary document.

Timeline for second round

Since the IU IT community is familiar with risk mitigation and assessment, expectations are that the second round will progress more efficiently than the first.

The ranges for this high-level timeline are not rigid, and can be adjusted based on the needs of the community.


Further points for consideration

  • IT-28 primarily involves risk assessment and risk mitigation. An individual, department, or responsibility center may conclude that the current risk profile of a particular departmental service is acceptable, subject to obtaining the relevant approval.
  • Each unit also may decide to reduce risks by changing configurations on systems, relocating systems to a UITS-managed secure data facility, or migrating services from departmental servers to one of the service options offered by UITS.
  • UITS provides many baseline services at no direct cost to the user(s) of those services. For chargeback services offered to the IU community, IT-28 specifies that UITS will be cost-competitive with comparable commercial offerings. For more, see Enterprise services for units in support of the IT-28 policy.


Get help

For help interpreting university policies, contact the University Information Policy Office.

If you have questions concerning IT-28, send email to it28help@iu.edu.

This is document bdls in the Knowledge Base.
Last modified on 2018-11-12 11:17:08.
