Crafting and Implementing a Policy to Reduce Cyber Risks
February 16, 2016
This post is filed under: Daily News.
Tagged as: Societal Systems
Key Takeaways
- When Indiana University adopted a policy for cyber risk mitigation responsibilities, it represented a first step toward understanding and better managing the cybersecurity risk profile of the entire university.
- Known as IT Policy 28, or IT-28 for short, the policy states that IT services should operate from secure facilities (university data centers) and, when practicable, use central IT shared services, as this case study explains.
- However, a successful policy needs to be sufficiently flexible to accommodate services that cannot be run centrally, as long as the service administrator understands, mitigates, and ultimately accepts the risks.
- Other universities should not only consider their university’s culture and ability to implement cyber risk policies but also actively prepare for a policy’s success by properly provisioning central IT shared services in a reliable, cost-effective manner.
EDUCAUSE Review