2015 Internet2 Global Summit

Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Implementing a University Cyber Risk Mitigation Policy: Lessons from IT-28

Time 04/27/15 10:30AM-11:30AM

Room Mount Vernon A

Netcast sponsored by Microsoft

Netcast sponsored by

Microsoft Logo

Session Abstract

Indiana University approved a Cyber Risk Mitigation Policy (IT-28) in May 2013. The policy frames institutional Cyber Risk as similar to Institutional Financial Risk. It applies similar approaches to mitigate and ensure responsibility for Cyber Risks across seven campuses, all academic schools, and administrative departments. The policy seeks to reduce the overall threat surface area by (a) reducing the number of servers outside of secure facilities, (b) reducing the number of servers that need to be secured, and (c) ensuring that all servers have sufficient staff time and security skills to follow IT security policies.

The new policy drew extensive discussion with Deans, faculty, and IT staff, and it was a monumental exercise to roll out. It set in motion 112 self-reviews at Schools and Administrative Departments where each review was ultimately signed off by the Dean and VP for IT. Schools, departments, and faculty could continue to host and maintain their own servers if they documented committed resources for effective Cyber Risk Mitigation. In just over a year, 100 of the 112 plans had been submitted, 55% passed first peer review, others are engaging productive conversations towards approval (Oct 2014). By the end of implementation (Summer 2015), IU will have over 87% of servers in secure Data Centers and far greater use of shared services for common needs, web and print serving, storage, etc.

There are many lessons in rolling out a pioneering risk mitigation plan at a comprehensive research university (including at a large Medical School). The specific wording of the policy included important differences for presumptions about Academic Uses and Administrative Uses. The process for the self-reviews was designed by a broad group of school- and departmental-IT staff and implementation by them was facilitated by central IT. The outcomes in enterprise risk mitigation, better use of space, and improved economics exceeded the expectations when the policy was created.

This session will discuss the motivations for policy IT-28, illustrate the process that was used to educate and communicate with many audiences, and the clear results that it achieved to substantially improve the IT security at a large university.


Speaker Brad Wheeler Indiana University

Speaker Kim Milford Indiana University

Presentation Media

media item thumbnail Implementing a University Cyber Risk Mitigation Policy

Speaker Kim Milford Indiana University

Speaker Brad Wheeler Indiana University

Primary track Cyber Security & Trust & Identity