ARCHIVED: About the Cyber Risk Mitigation Responsibilities policy (IT-28) at IU, Cycle 2

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

IT-28 basics

New and recurring cyber threats constantly expose Indiana University to risks. To reduce the likelihood and impact of such threats, IU units must proactively manage risk and keep up with evolving industry standards.

Cyber Risk Mitigation Responsibilities (IT-28) applies to all units and organizations on any IU campus that make use of the university's information technology infrastructure. The policy calls for a formal review of plans every two years.

The goal of IT-28 is to ensure that the IU community minimizes, to the greatest extent practicable, the unnecessary creation of cyber risks, while also enabling the productive work of all units. This requires a balanced approach to (a) activities that create cyber risks, and (b) activities that can help mitigate them. Both enabling and mitigating are essential for the diverse IT services required for the university's research, education, and service mission. The policy creates a framework and procedures to formally review and document units' cyber risk mitigation approaches and responsibilities.

Process overview

The IU IT community will build upon the efforts of previous rounds of review to embrace the collective role we all play in mitigating cyber risks. The goals of IT-28 remain the same: consolidation of IT assets into secured facilities, reduction of duplicative services, and ensuring proper data protections, with an additional focus on operational security.

This new focus will encourage implementing IT strategies such as access control, configuration management, and risk/security assessment. The implementation of IT-28 will continue to be an iterative process, with each round of peer review improving community risk mitigation efforts and the overall implementation process.

Process improvement

In keeping with the iterative nature of IT-28's implementation, foundational elements of operational security will be introduced to the community, units will perform an operational security exercise, and peer review teams will assess this initial baseline for operational security categories in relation to IT-28. Additionally, the old IT-28 Planner (an Excel spreadsheet) has been replaced with an online IT-28 Inventory Tool (IIT). The comprehensive evaluation will still be collected using the Comprehensive Evaluation (CE) summary document.

Since the IU IT community is familiar with risk mitigation and assessment, expectations are that the second round will progress more efficiently than the first.

Control objectives

The IIT includes 52 control objectives from the NIST Cyber Security Framework (CSF).

Tier selections for the control objectives should be made based on the unit as a whole, not scoped only to IT-28 assets (servers). Although some subcategories are primarily addressed at an enterprise level, units will still have some level of responsibility for them.

Tiers describe the degree to which cybersecurity risk management practices exhibit the characteristics defined in the Framework (that is, risk and threat aware, repeatable, and adaptive).

The tiers characterize practices over a range, from partial (tier 1) to adaptive (tier 4).

In the context of IT security at IU, and in relation to technology and data policy, the baseline target profile for all units is a tier 2, across all elements.

Depending on your business process and the data classifications used within, it may be necessary to secure your environment at a higher tier. That determination is made by the unit with assistance from IT-28 peer review teams.

Note:
Although the target profile may be set at a tier 2, units should understand that it is a target that may take more than one iteration of IT-28 review to achieve (for example, multiyear projects). Creating a target profile with a target of tier 2 shows a commitment to meeting that target in the long term, not necessarily by the next iteration of IT-28 review.

For more about these control objectives, see page 49 of the handbook and the IIT videos.

Further points for consideration

  • IT-28 primarily involves risk assessment and risk mitigation. An individual, department, or responsibility center may conclude that the current risk profile of a particular departmental service is acceptable (and gain relevant approval).
  • Each unit also may decide to reduce risks by changing configurations on systems, relocating systems to a UITS-managed secure data facility, or migrating services from departmental servers to one of the array of service options offered by UITS.
  • UITS provides many baseline services at no direct cost to the user(s) of those services. In the case of chargeback services offered to the IU community, IT-28 specifies that UITS will be cost-competitive with comparable commercial offerings. For more, see Enterprise services for units in support of the IT-28 policy.
  • If your unit does not manage its own information technology resources (that is, it is fully supported), you can complete an alternative IT-28 Participation Form. See ARCHIVED: About the IT-28 Participation Form.

Resources

Get help

For help interpreting university policies, contact the University Information Policy Office.

If you have questions concerning IT-28, send email to it28help@iu.edu.

This is document bgrc in the Knowledge Base.
Last modified on 2021-01-11 11:05:45.