8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)
http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 1/24
IT Required Practices

Description

Authentication
- Admin accounts not used for day-to-day activities
- Users are not allowed to run systems as administrators
- Employ strong authentication requirements
- Secure management of passwords
- All mobile devices require at least a 4-digit PIN

Backups
- All institutional data are backed-up; tests of backups routinely conducted
- Maintain off-site backups

Documentation
- Data stored or shared with third party is appropriately documented
- Data stored or shared with third party is approved by Data Stewards
- Up-to-date risk mitigation plan
- Business Continuity Plan up-to-date
- Disaster Recovery Plan formally tested
- Inventory of IT assets, with data classifications, and data analysis
- Written incident response procedure
- DRP maintained and routinely updated
- Formally assign roles of security and privacy

Physical infrastructure/hardware
- Offsite backups with critical data properly secured
- Server room environmental controls are sufficient
- Server room physical controls are sufficient
- Procedure for equipment decommissioning (i.e. hard drive-wiping, shredding)

Scans and log monitoring
- Regular (at least monthly) vulnerability scans on all servers
- System logs regularly reviewed
- System logs archived securely, and for the appropriate duration
- Identity Finder scans routinely occurring on servers
- Identity Finder scans routinely occurring on workstations

Patch management / software / system builds
- Routine and consistent procedures for patch management
- Servers on supported operating systems
- Run systems with only necessary software, services and port openings
- Identify and patch third-party software on systems
- Mobile devices on IU's network secured and managed
- Maintain updated OS builds for efficient recovery

Firewall / antivirus / encryption / network
- All servers behind physical firewall
- Admin accounts not shared among individuals - unique admin accounts/passwords for each
- Provide access to IU systems and services only to those authorized to access such services
- Antivirus scans taking place on all systems
- Critical/Sensitive data encrypted in transmission
- Critical/Sensitive data encrypted at rest on servers
- Encrypt communications to systems accessed through elevated privileges
- Avoid whenever possible passing password over the network in clear-text
- Antivirus software installed on all computers and servers
- Maintain antivirus definitions
- All laptops employ whole disk encryption
- Backup media on servers encrypted
- All servers on private IPs (unless documented operational necessity)
- All printers on private IPs
- Disable or secure remote access

Certifications / training / handling of sensitive data
- Hire technicians with the expertise necessary to maintain systems and hardware
- Identify types of data in your unit
- All employees participate in security/privacy awareness (HIPAA/FERPA certs)
- PCI DSS compliance training/awareness for appropriate personnel
- Subscribe to vendor advisory services
- Sensitive data managed on secure systems, by appropriate procedures and personnel
- Training procedures in place for appropriate use and access to electronic information
- Keep abreast of IU security advisories, policy, and best practice updates through Protect IU
- For users, identify appropriate server locations of data extracted or derived from central sources
Governing IT Policy or Standard (see Policy Requirements tab for more info)

- IT-12, section 2.19
- IT-12, section 2.17
- IT-12, section 2.16
- IT-12, section 2.20
- IT-12, section 2.18, IT-12, section 2.17
- IT-12, section 2.20
- IT-12.1, section 2a.1
- DM-01, section 11.b
- COBIT 4.1 DS4.9
- DM-02
- DM-02
- IT-26, section 1c
- COBIT 4.1 DS4
- COBIT 4.1 DS4
- IT-26, section 1
- IT-12, section 3.2, IT-12, section 3.3
- COBIT 4.1 DS4
- ISPP-66 Standard
- IT-12, section 2.6
- DM-01-S, section 11.b
- DM-01-S, section 11.b
- FIN-PUR-14.0
- IT-12, section 2.12.1-4
- IT-12, section 2.5.1-4
- UISO Recommended
- DM-01, section 9.e, 9.f
- DM-01, section 9.e, 9.f
- IT-12, section 2.7, IT-12, section 2.12.1-4
- IT-12, section 2.2
- IT-12, section 2.4
- IT-12, section 2.14
- IT-12.1, section 2a
- IT-12, section 2.3
- DM-01, section 2.f
- IT-12, section 2.13
- IT-12, section 2.9
- IT-12, section 2.6
- IT-12, section 2.10
- IT-12, section 2.21
- IT-12, section 2.13
- IT-12, section 2.14
- IT-12.1, section 2a.2
- IT-12, section 2.6
- DM-01, section 2.f
- IT-12, section 2.8
- IT-12, section 1.2
- DM-01, section 14.a
- DM-01, section 11.d
- IT-07, IT-12, section 1.4
- IT-12, section 2.14
- IT-12, section 2.1
- DM-01, section 9.f
- Educational Rights and Privacy Act
- FIN-TRE-VI-110
Who or What Can Help?

- UISO recommended best practices (7 rows)
- TSM Backup Service
- IT Community Partnerships
- IU Ready
- IU Ready
- IT Community Partnerships
- Incident Response Procedure Template
- IU Ready
- IU Information Security and Privacy Program
- TSM Backup Service
- UISO recommended best practices
- UISO Scanning Tool
- HELPnet Log-Alert
- UISO recommended best practices
- Identity Finder software
- Identity Finder software
- UISO recommended best practices (16 rows)
- IU Knowledgebase
- IU Knowledgebase
- UISO recommended best practices (4 rows)
- Office of the Treasurer
- UISO recommended best practices (5 rows)
Links

- https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (7 rows)
- http://protect.iu.edu/tools/iu-ready
- http://protect.iu.edu/tools/iu-ready
- http://protect.iu.edu/cybersecurity/incident/template
- http://protect.iu.edu/cybersecurity/policies/ISPP-22.1
- https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (9 rows)
- http://ii.uits.iu.edu/backup.shtml
- mailto:talk2uits@iu.edu
- mailto:talk2uits@iu.edu
- http://protect.iu.edu/blog/2014060/departmental-disaster-recovery-planning
- http://ii.uits.iu.edu/backup.shtml
- http://helpnet.iu.edu
- http://iuware.iu.edu
- http://iuware.iu.edu
- https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (13 rows)
- http://treasurer.indiana.edu/pcidss/index.html
- https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (5 rows)
- http://kb.iu.edu/data/arkv.html
- http://kb.iu.edu/data/arkv.html
Security Project Plan
Total Number of Projects | Completed So Far | Overall Progress

Area: Authentication | % Done | Project Description
0% | Admin accounts not used for day-to-day activities
0% | Users are not allowed to run systems as administrators
0% | Admin accounts not shared among individuals - unique admin accounts/passwords for each
0% | Employ strong authentication requirements
0% | Provide access to IU systems and services only to those authorized to access such services
0% | Secure management of passwords
0% | All mobile devices require at least a 4-digit PIN

Area: Backups | % Done | Project Description
0% | All institutional data are backed-up; tests of backups routinely conducted
0% | Maintain off-site backups

Area: Documentation | % Done | Project Description
0% | Data stored or shared with third party is appropriately documented
0% | Data stored or shared with third party is approved by Data Stewards
0% | Up-to-date risk mitigation plan
0% | Business continuity plan up-to-date
0% | DRP formally tested
0% | Inventory of IT assets, with data classifications, and data analysis
0% | Written incident response procedure
0% | DRP maintained and routinely updated
0% | Formally assign roles of security and privacy

Area: Physical Infrastructure/Hardware | % Done | Project Description
0% | Offsite backups with critical data properly secured
0% | Server room environmental controls are sufficient
0% | Server room physical controls are sufficient
0% | Procedure for equipment decommissioning (i.e. hard drive-wiping, shredding)

Area: Scans and Log Monitoring | % Done | Project Description
0% | Regular (at least monthly) vulnerability scans on all servers
0% | System logs regularly reviewed
0% | System logs archived securely, and for the appropriate duration
0% | Identity Finder scans routinely occurring on servers
0% | Identity Finder scans routinely occurring on workstations

Area: Patch Management / Software / System Builds | % Done | Project Description
0% | Routine and consistent procedures for patch management
0% | Servers on supported operating systems
0% | Run systems with only necessary software, services and port openings
0% | Identify and patch third-party software on systems
0% | Mobile devices on IU's network secured and managed
0% | Maintain updated OS builds for efficient recovery

Area: Firewall / Antivirus / Encryption / Network | % Done | Project Description
0% | All servers behind physical firewall
0% | Antivirus scans taking place on all systems
0% | Critical/Sensitive data encrypted in transmission
0% | Critical/Sensitive data encrypted at rest on servers
0% | Encrypt communications to systems accessed through elevated privileges
0% | Avoid whenever possible passing password over the network in clear-text
0% | Antivirus software installed on all computers and servers
0% | Maintain antivirus definitions
0% | All laptops employ whole disk encryption
0% | Backup media on servers encrypted
0% | All servers on private IPs (unless documented operational necessity)
0% | All printers on private IPs
0% | Disable or secure remote access

Area: Certifications / Training / Handling of Sensitive Data | % Done | Project Description
0% | Hire technicians with the expertise necessary to maintain systems and hardware
0% | Identify types of data in your unit
0% | All employees participate in security/privacy awareness (HIPAA/FERPA certs)
0% | PCI DSS compliance
0% | Sensitive data managed on secure systems, by appropriate procedures and personnel
0% | Training procedures in place for appropriate use and access to electronic information
0% | Subscribe to vendor advisory services
0% | Keep abreast of IU security advisories, policy and best practice updates through Secure IU
0% | For users, identify appropriate server locations of data extracted or derived from central sources
Planning Guide
0 (completed so far) | 0% (overall progress)

Due By | Notes (these two columns appear for each of the eight areas above; all entries are blank)
The language used here is taken directly from each policy. Not all of the text of each policy is included here - only the …
The numbering scheme in the left column is provided to help map items in the previous worksheet to specific parts of … organization and numbering in the actual policy, and in some cases it does not.

Policy IT-07 Requirements
IT-07, section 1: The university does not condone censorship, routine inspection of electronic files, the monitoring of network ac…
IT-07, section 2: Stored electronic files and voice and data network communications may not be accessed by someone o…
IT-07, section 2.1: the person to whom the account in which the information has been stored is assig…
IT-07, section 2.2: the person from whom the communication originated, or to whom the communica…
IT-07, section 2.3: the person to whom the device containing the stored electronic files has been ass…
IT-07, section 3: A technician may access specific information technology resources and electronic information in certain …
IT-07, section 4: All other requirements and actions outlined in policy IT-07, including notification, preservation of electronic inf… provisions.

Policy IT-12 Requirements
For a computer system to be managed securely, functional unit management must:
IT-12, section 1.1: Fully understand the sensitivity of the function or operation being supported by the system and the data being …
IT-12, section 1.2: Hire technicians with the expertise necessary to appropriately maintain the hardware, operating systems, syst… which they are assigned.
IT-12, section 1.3: Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (c… sensitive data, potential legal liability for the department and Indiana University, possible loss of Federal and o…
IT-12, section 1.4: Provide necessary initial and refresher training to technicians as hardware or software components are revised
IT-12, section 1.5: Ensure that assignments and job plans account for time required for systematic and periodic audit and mainte…

For a computer system to be managed securely, functional unit technicians must:
IT-12, section 2.1: Fully understand the sensitivity of the function or operation being supported by the system and the da…
IT-12, section 2.2: Not choose operating systems that are known as being difficult to maintain and secure.
IT-12, section 2.3: Use technical tools to take an image of any freshly installed operating systems in order to speed recov…
IT-12, section 2.4: Remove or disable unneeded services and software, especially those that are network-accessible.
IT-12, section 2.5: Log activities on the system:
IT-12, section 2.5.1: Successful user logins, including the location from which the logins originated
IT-12, section 2.5.2: Unsuccessful login attempts, including the location from which the attempts o…
IT-12, section 2.5.3: Unsuccessful file access attempts, and
IT-12, section 2.5.4: Successful file accesses for files and databases containing sensitive informatio…
IT-12, section 2.6: Disable or secure remote access from system-to-system (e.g., rlogin).
IT-12, section 2.7: Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within … high-risk, within 48 hours for medium-risk, and within 72 hours for low-risk).
IT-12, section 2.8: Encrypt stored sensitive data where possible to minimize disclosure if the system is compromised.
IT-12, section 2.9: Encrypt sensitive data being transmitted to-and-from the system where possible to ensure the data is …
IT-12, section 2.10: Deploy encrypted communications methods (e.g., Secure Shell) for user access to the system and for a…
IT-12, section 2.11: Technically limit access to local network addresses where possible (e.g., TCP Wrappers) given the functi…
IT-12, section 2.12: Scan computers for security vulnerabilities using available technical tools:
IT-12, section 2.12.1: regularly, at least every 30 days to ensure new vulnerabilities are identified promp…
IT-12, section 2.12.2: immediately after installation/configuration of a new system is completed,
IT-12, section 2.12.3: immediately after introduction of a new operating system or an upgrade to a curre…
IT-12, section 2.12.4: immediately after installation or upgrade of networking or other system software.
IT-12, section 2.13: Install and maintain anti-virus software on operating systems for which Indiana University has licensed …
IT-12, section 2.14: Subscribe to vendor and other advisory services applicable to the operating environment being mainta…
IT-12, section 2.15: Periodically visit the web site of the UISO to view current bulletins or to obtain recent security guides a…
IT-12, section 2.16: Provide access to only those persons who are otherwise eligible to use Indiana University technology re… is allowed.
IT-12, section 2.17: Limit access to needed services to only authorized persons.
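IT-12 section 2.5 names four event classes a managed system must log, and the worksheet's "System logs regularly reviewed" practice assumes someone actually reads them. The script below is an added illustration, not part of the worksheet or of IU's policy text: it takes constructed sample log lines, sorts each into one of the four 2.5 classes (successful login with source, failed login with source, failed file access, successful access to sensitive data) and produces the summary a periodic review would want, including sources with repeated failed logins. The OpenSSH-style sshd message format, the "fileaudit" line format and the list of sensitive paths are assumptions of this example.

```python
"""Added example (not from the worksheet or IU policy): review a system log
against the four event classes IT-12 section 2.5 requires to be logged."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (assumed formats; not from any real system).
SAMPLE_LOG = """\
Mar  3 08:01:12 srv1 sshd[2201]: Accepted publickey for alice from 10.0.5.21 port 50122 ssh2
Mar  3 08:02:40 srv1 sshd[2210]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Mar  3 08:02:44 srv1 sshd[2210]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Mar  3 08:02:49 srv1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40013 ssh2
Mar  3 08:05:03 srv1 fileaudit: DENIED user=carol path=/srv/records/ssn.db action=open
Mar  3 08:06:17 srv1 fileaudit: ALLOWED user=alice path=/srv/records/ssn.db action=open
Mar  3 08:07:00 srv1 fileaudit: ALLOWED user=alice path=/tmp/notes.txt action=open
"""

# Paths the unit has classified as holding sensitive data (assumption for the example).
SENSITIVE_PREFIXES = ("/srv/records/",)

LOGIN_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
LOGIN_FAIL = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FILE_EVT = re.compile(r"fileaudit: (?P<result>ALLOWED|DENIED) user=(?P<user>\S+) path=(?P<path>\S+)")


def classify(line):
    """Map one log line to an IT-12 2.5 class, or None if it is out of scope.
    Returns (class_name, user, source_address_or_path)."""
    m = LOGIN_OK.search(line)
    if m:
        return ("2.5.1 successful login", m["user"], m["src"])
    m = LOGIN_FAIL.search(line)
    if m:
        return ("2.5.2 failed login", m["user"], m["src"])
    m = FILE_EVT.search(line)
    if m:
        if m["result"] == "DENIED":
            return ("2.5.3 failed file access", m["user"], m["path"])
        if m["path"].startswith(SENSITIVE_PREFIXES):
            return ("2.5.4 sensitive file access", m["user"], m["path"])
    # Successful access to non-sensitive files is not one of the 2.5 classes.
    return None


def review(log_text, fail_threshold=3):
    """Summarise a log: counts per class, sources whose failed logins reach
    fail_threshold, and which users opened files under the sensitive paths."""
    counts = Counter()
    fails_by_src = Counter()
    sensitive_access = defaultdict(list)
    for line in log_text.splitlines():
        c = classify(line)
        if c is None:
            continue
        name, user, where = c
        counts[name] += 1
        if name.startswith("2.5.2"):
            fails_by_src[where] += 1
        elif name.startswith("2.5.4"):
            sensitive_access[user].append(where)
    noisy = sorted(s for s, n in fails_by_src.items() if n >= fail_threshold)
    return {"counts": dict(counts),
            "failed_login_sources": noisy,
            "sensitive_access": dict(sensitive_access)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

On the sample input the review reports one successful login, three failed logins (all from 198.51.100.7, which crosses the threshold), one denied file access and one successful access to a sensitive file by alice; the `/tmp/notes.txt` access is ignored because 2.5.4 only asks for accesses to sensitive files. The thresholds and path list are the parts a unit would tune to its own classification inventory.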
IT-12.1, section 3: Use of mobile devices to access, store, or manipulate critical information requires: Written approv… Board confirming a critical business need, and Encrypting the information on the device and in tra…

Policy IT-26 Requirements
IT-26, section 1: Within one year of the adoption of this policy, all IU administrative and auxiliary units' adminis… information technology environment will perform an initial, comprehensive evaluation of their i…
IT-26, section 1a: Determine what unit-level information technology systems and services are candidates for use …
IT-26, section 1b: Develop a plan for policy compliance with target dates agreed to by the unit head or delegate
IT-26, section 1c: Prepare a formal risk assessment and risk mitigation plan to be discussed and approved jointly …
IT-26, section 1d: Establish and maintain appropriate capacity and expertise for risk mitigation, IU policy complia…
IT-26, section 1e: Identify any unit level information technology systems and services within an academic unit fo… are not practicable for use of UITS services
IT-26, section 2: Formal reviews will be updated every two years

Policy Standard DM-01-S Requirements
DM-01-S, section 2.a: To the extent possible, data stewards will work together to define a single set of procedures fo… documenting these common data access request procedures.
DM-01-S, section 2.b: Access to institutional data that is consistent with the data's classification will be granted to all …
DM-01-S, section 2.c: Except as specified elsewhere in this standard, all institutional data will be classified as univers… appointees will have access to these data, without restriction or prior authorization, for use in … (ex. assent to Institutional Data Acceptable use agreement, etc.). These data are designated u… general public.
DM-01-S, section 2.d: Where appropriate, data stewards may identify institutional data elements or views which have … will be designated as public data.
DM-01-S, section 2.e: Where necessary, data stewards may specify some data elements as critical or restricted. Criti… individual authorization prior to access, or to which only limited access may be granted. Data c… require such access. Designation of data as critical or restricted will include specific reference t… restriction.
DM-01-S, section 2.f: Direct access to university file servers hosting critical or restricted institutional data must be b… these servers from off-campus must connect in a secure manner, such as through the universi…
DM-01-S, section 2.g: A data view does not necessarily inherit the restriction characteristics of the data elements wh… data elements can result in a view which contains otherwise restricted data elements being de…
DM-01-S, section 2.h: The access privileges of users who change positions or separate from the university must be u…
DM-01-S, section 2.i: Each data steward will be individually responsible for documenting data access procedures that …
DM-01-S, section 9.a: The data steward, in consultation with other university offices as appropriate, is responsible fo… official data storage location of valid codes and values for each data element. The data stewar… historical data for each data element.
DM-01-S, section 9.b: Institutional data may be stored on any of many diverse computing hardware platforms, provid… system.
DM-01-S, section 9.c: Data element names, formats, and codes must be consistent across all applications which use …
DM-01-S, section 9.d: The University Information Policy Office will assist in determining data storage location and arc…
DM-01-S, section 9.e: Critical or Restricted data must never be stored on individual user workstations, or mobile dev… without prior formal written approval and appropriate technical safeguards (see IT-12 Policy, IT… executive officer of the unit and confirm a critical business need for such storage. Critical or R… department or central servers.
DM-01-S, section 9.f: Departments are expected to identify, for their users, appropriate server locations for storage …
DM-01-S, section 9.g: Critical data must not be collected, or extracted from central systems and stored on departme… of the office involved.
DM-01-S, section 9.h: So that standards for survey research and FERPA requirements for non-directory student reco… that responses are not associated with personally identifiable information (i.e. names, SSNs, e… placed in different directories and with different naming conventions to obscure the connection
DM-01-S, section 9.i: A student may file a directory exclusion to prevent disclosure of public information. For this rea… daily.
DM-01-S, section 11.a: Institutional data must be maintained within professionally administrated systems in complian…
DM-01-S, section 11.b: If institutional data are stored on any component of the university information system, that sy… assigned to it a system administrator whose responsibilities include generally accepted system … authorization systems, backup, recovery, and system restart procedures, data archiving, capac…
DM-02, section 3.1.1: completion of a data security questionnaire [provide link]
DM-02, section 3.1.2: review by the University Information Security Office (UISO), and other parties as …
DM-02, section 3.1.3: approval by the Data Steward responsible for the institutional information involve…
DM-02, section 3.2: Seek advice from the appropriate Data Steward(s) and, as appropriate, Legal Counsel; there m… documentation in disclosing information with third parties.
DM-02, section 4: It is recognized that in some cases the university is required to share information in compliance with ap… party's willingness to address risks raised by University's security review, and/or enter into an agreeme… situations, the law requiring disclosing, the security concerns raised, and the response of the third party …

COBIT 4.1 Framework, Section DS4
Copyright © 2007 by the IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modifie… form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reprod… academic use only, is permitted and must include full attribution of the material's source. No other right or permission is granted with resp…
The full text of the COBIT 4.1 framework can be downloaded from http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx
IT Governance Institute
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491  Fax: +1.847.253.1443
E-mail: info@itgi.org
Policy Standard DM-01-S Requirements (full text)

DM-01-S, section 2.a: a. To the extent possible, data stewards will work together to define a single set of procedures for requesting permission to access institutional data, and will be jointly responsible for documenting these common data access request procedures.
DM-01-S, section 2.b: b. Access to institutional data that is consistent with the data's classification will be granted to all data users for all legitimate university purposes.
DM-01-S, section 2.c: c. Except as specified elsewhere in this standard, all institutional data will be classified as university-internal data for use within the university. University employees and designated appointees will have access to these data, without restriction or prior authorization, for use in the conduct of university business after compliance with appropriate request process (ex. assent to Institutional Data Acceptable use agreement, etc.). These data are designated university-internal. They are freely available within the university but not open to the general public.
DM-01-S, section 2.d: d. Where appropriate, data stewards may identify institutional data elements or views which have few access restrictions and which may be released to the general public. These data will be designated as public data.
DM-01-S, section 2.e: e. Where necessary, data stewards may specify some data elements as critical or restricted. Critical or restricted data would include those data for which data users must obtain individual authorization prior to access, or to which only limited access may be granted. Data classified as critical/restricted may only be used by those whose positions explicitly require such access. Designation of data as critical or restricted will include specific reference to the policy, legal, ethical, or externally-imposed constraint which requires this restriction.
DM-01-S, section 2.f: f. Direct access to university file servers hosting critical or restricted institutional data must be blocked from non-IU network addresses. Individuals requiring access to files stored on these servers from off-campus must connect in a secure manner, such as through the university's modem pool or (preferably) the university virtual private network (VPN) service.
DM-01-S, section 2.g: g. A data view does not necessarily inherit the restriction characteristics of the data elements which comprise it. (For example, removal of any association with personally-identifying data elements can result in a view which contains otherwise restricted data elements being designated as public or university-internal.)
DM-01-S, section 2.h: h. The access privileges of users who change positions or separate from the university must be updated in a timely manner as appropriate.
DM-01-S, section 2.i: i. Each data steward will be individually responsible for documenting data access procedures that are unique to a specific information resource or set of data elements.
DM-01-S, section 9.a: a. The data steward, in consultation with other university offices as appropriate, is responsible for identifying an official data storage location for each data element, as well as an official data storage location of valid codes and values for each data element. The data steward will also determine archiving requirements and strategies for storing and preserving historical data for each data element.
DM-01-S, section 9.b: b. Institutional data may be stored on any of many diverse computing hardware platforms, provided such platforms are integrated components of an overall university information system.
DM-01-S, section 9.c: c. Data element names, formats, and codes must be consistent across all applications which use the data and consistent with such university standards as are developed.
DM-01-S, section 9.d: d. The University Information Policy Office will assist in determining data storage location and archiving requirements for institutional data.
DM-01-S, section 9.e: e. Critical or Restricted data must never be stored on individual user workstations, or mobile devices (i.e. laptops, smart phones, tablets, personal digital assistants, thumb drives, etc.) without prior formal written approval and appropriate technical safeguards (see IT-12 Policy, IT-12.1 Standard, and this document). This formal approval must come from the senior executive officer of the unit and confirm a critical business need for such storage. Critical or Restricted data must otherwise be stored on properly configured and managed, department or central servers.
DM-01-S, section 9.f: f. Departments are expected to identify, for their users, appropriate server locations for storage of data extracted from central sources or derived through department operations.
DM-01-S, section 9.g: g. Critical data must not be collected, or extracted from central systems and stored on departmental servers unless doing so is absolutely required to maintain the business functions of the office involved.
DM-01-S, section 9.h: h. So that standards for survey research and FERPA requirements for non-directory student records are met, all program evaluation and assessment data must be stored in such a way that responses are not associated with personally identifiable information (i.e. names, SSNs, etc.). Linkage files containing the association of protected data to individuals must be placed in different directories and with different naming conventions to obscure the connection, and must be permanently deleted when no longer needed.
DM-01-S, section 9.i: i. A student may file a directory exclusion to prevent disclosure of public information. For this reason, student public information must not be stored on local servers unless updated daily.
DM-01-S, section 11.a: a. Institutional data must be maintained within professionally administrated systems in compliance with university policies and applicable regulations.
DM-01-S, section 11.b: b. If institutional data are stored on any component of the university information system, that system component must have defined a formal system administration function and have assigned to it a system administrator whose responsibilities include generally accepted system administration tasks including: physical site security; administration of security and authorization systems, backup, recovery, and system restart procedures, data archiving, capacity planning, and performance monitoring.
DM-01-S, section 11.c: c. If institutional data are stored on any component of the university information system, that system component must comply with specific management standards, as outlined in Policy IT-12 as well as any applicable sector-specific requirements (i.e. PCI-DSS, HIPAA, etc.). Web and other servers that must be accessible from off-campus must be physically or logically separated from servers hosting critical or restricted institutional data.
DM-01-S, section 11.d: d. System Administrators shall ensure that adequate administrative processes and proper security safeguards are in place and enforced.
DM-01-S, section 14.a: a. Data classification information and data handling procedures must be documented and communicated to all relevant audiences including: developers, data managers, local service providers, and users before access to institutional data is granted.
DM-01-S, section 14.b: b. Training to promote understanding and appropriate use of data before access to information is provided is strongly recommended.
  - Training may be based on data classification.
  - Training may be required based on role responsibilities.
  - Training may be required based on the impact of decisions made using the data.
DM-01-S, section 14.c: c. Training material should be reviewed and revised as appropriate.
DM-01-S, section 14.d: d. Periodic review and renewal of individual training is strongly recommended.