Crafting and Implementing a Policy to Reduce Cyber Risks

February 16, 2016

Key Takeaways

  • When Indiana University adopted a policy for cyber risk mitigation responsibilities, it represented a first step toward understanding and better managing the cybersecurity risk profile of the entire university.
  • Known as IT Policy 28, or IT-28 for short, the policy states that IT services should operate from secure facilities (university data centers) and, when practicable, use central IT shared services, as this case study explains.
  • However, a successful policy needs to be sufficiently flexible to accommodate services that cannot be run centrally, as long as the service administrator understands, mitigates, and ultimately accepts the risks.
  • Other universities should not only consider their own culture and ability to implement cyber risk policies but also actively prepare for a policy's success by properly provisioning central IT shared services in a reliable, cost-effective manner.

EDUCAUSE Review