2017 Technology Exchange


IT-28 Risk Mitigation Policy and Peer Review Process

Time: 10/17/17 01:30PM-02:20PM

Room: Seacliff A

Session Abstract

Indiana University began the IT-28 Risk Mitigation and Peer Review Process initiative three years ago. Now, we are prepared to kick off our next round of IT-28 peer reviews. Indiana University saw the overwhelming task of our security office reviewing each department individually and providing mitigation plans to all of our 100-plus schools, institutes and organizations. There simply isn't enough time to do this effectively and in a timely manner with the IT security staff we have. Sound familiar? Our solution? Form teams of peers (academic staff and faculty), train them using the Factor Analysis of Information Risk (FAIR) methodology to identify risk, and have them work with departments to create risk mitigation plans that are signed and accepted by Deans and Executive Directors.

The first round of IT-28 was focused on reducing threat surfaces by working with departments to relocate systems to the IU Data Center. This effort to help departments transition, where "practicable", and to provide recommendations for appropriate safeguards when systems could not be moved, required a deep understanding of the academic mission of each unit, the sensitivity of its data, and the mentality and perceptions of its faculty and staff. Using a process whereby units are reviewed by a team of peers helped to create many circles of trust and, in time, created a community of trust.

Today we have changed our focus from the centralization of systems and hardware to the adoption of practices within departments to improve operational security. IU wants to promote a deeper understanding of risk vs. threat and to align knowledge, resources and services in ways that make them more accessible and easier for departments to implement. Our areas of focus within the realm of Operational Security will be Access Control, Change Management and Risk Assessment. Given the top findings from our audit staff, the industry reports of common vulnerabilities, and the increasing vectors of attack, we feel these three areas of focus will provide units with lenses through which they can accurately identify, plan, mitigate and document risk.


Speaker: Ian Washburn, Indiana University

Speaker: Charles Escue, Indiana University

Presentation Media: IT-28 Risk Mitigation Policy and Peer Review Process

Primary track: Information Security

Secondary tracks: Information Security
