Outreach efforts seek to reduce burdens of cyber risk policy implementation
Policy IT-28 (Cyber Risk Mitigation), enacted in May 2013, is designed to help the IU community reduce cyber risks on campus, in the lab, and wherever vulnerabilities exist. The policy's purpose is to help protect IU's security and reputation by safeguarding its digital information. Comprehensive evaluations are due in May 2014. Following the initial review, the policy calls for a formal review of plans every two years.
Beginning late last summer, UITS IT Community Partnerships (ITCP) began reaching out to departments, offering to visit and answer questions about the comprehensive evaluation, provide information about UITS services, and address compliance concerns. To help departments meet the evaluation deadline, ITCP also provided a plan template.
Compliance plans need to address duplication of UITS services. Departments will make near- or long-term plans to adopt UITS services, but that's not the focus right now. Todd Herring, a manager for ITCP and one of two project leads, is driving the outreach effort. "At this stage," said Herring, "we're measuring success by initial compliance more than by adoption of UITS services."
So far, ITCP has met with more than 90 IT units representing over 100 departmental units. In addition, they have held or scheduled meetings with more than 85% of IT managers. The focus is assembling plans for risk mitigation, then getting into compliance, and later moving physical servers. Given the challenges of working with so many units, Herring and his team are taking things a step at a time.
The policy encourages relocating servers to one of the hardened IU Data Centers on the Bloomington and Indianapolis campuses. Both locations are protected from and monitored for physical and environmental risks, and the Bloomington Data Center is even designed to withstand an F5 tornado. Firewalls and regular backups also reduce the risk of malicious activity.
"Costs are a concern," said Herring. "UITS's hosted service, Intelligent Infrastructure (II), is not going to meet every need." Some departments have physical requirements that exceed II's abilities. If II isn't a good fit, departments may need to locate separate servers in one of the data centers, which can challenge already tight budgets at a cost of over $4,000 per rack per year (in addition to hardware costs).
"Another concern that we need to address on our end is compliance overload," Herring noted. "We found in talking to departments that policies are coming at them from many directions, and in some cases they are being asked for the same or similar information. If we can consolidate requirements into a single place, that will help streamline things for departments at least a little bit."
To that end, ITCP has started using a governance, risk, and compliance tool called Brinqa. The tool builds applications that will reduce compliance burdens by filtering out duplicate questions. ITCP plans to have something available very soon. By developing new services and better documenting existing services, UITS as a whole is also working to help address these challenges.
"As an institution, we can't afford to stifle research and innovation," Herring added. "We're trying to keep a proper balance and not put IU at a disadvantage while we are moving toward this policy. The departments understand the need for the policy -- they ‘get it' -- and they know we are here to help."
For assistance analyzing your IT environments and for more about UITS services for IT-28, contact: email@example.com
For questions about the IT-28 policy, contact UIPO: firstname.lastname@example.org
For an overview of IT-28, see: go.iu.edu/8Fb