Information Technology Requirements

IT Requirements for faculty, staff, and graduate students: COLL-IT-01 Statement (version 5.27.21)

GOVERNING POLICIES

The College IT requirements are governed by IU system-wide policies, https://policies.iu.edu/information-it/index.html, including but not limited to:

• IU IT-01 Appropriate Use of Information Technology Resources: https://policies.iu.edu/policies/it-01-appropriate-use-it-resources/index.html
• IU DM-01 Management of Institutional Data: https://policies.iu.edu/policies/dm-01-management-institutional-data/index.html
• IU DM-02 Disclosing Institutional Information to Third Parties: https://policies.iu.edu/policies/dm-02-disclosing-institutional-information/index.html
• IU IT-07 Privacy of Electronic Information and Information Technology Resources: https://policies.iu.edu/policies/it-07-privacy-it-resources/index.html
• IU IT-12 Security of Information Technology Resources: https://policies.iu.edu/policies/it-12-security-it-resources/index.html
• IU IT-12.1 Mobile Device Security Standard: https://informationsecurity.iu.edu/policies/it121.html
• IU IT-28 Cyber Risk Mitigation Responsibilities: https://policies.iu.edu/policies/it-28-cyber-risk-mitigation/index.html
• Acceptable Use Agreement: https://access.iu.edu/UserAgreement/SignAgreement

IT REQUIREMENTS

The following summary of IU policies identifies key points for IT resource management in relation to the work of faculty, staff, and graduate students. We describe these as requirements because they describe practices we must adopt in the College to comply with IU policies already in place. The guidance they provide is therefore not optional but rather a statement of practices required to ensure compliance with institution-level policy.

1. Use of Indiana University technology resources, including workstations and laptop computers, is restricted to purposes related to IU’s research, teaching, and service missions. Incidental personal use is allowed provided that it adheres to all applicable university policies and does not interfere with fulfillment of the university’s mission.
2. All units and IT users that operate technology resources are responsible for ensuring the secure management of those systems.
3. IT leaders are directed to use secure facilities, common information technology infrastructure, and services provided by UITS whenever possible.
4. All IT users should access data stored on IU owned or managed devices or associated with a University function (henceforth ‘data’) only in their conduct of university business, and in ways consistent with furthering the university’s mission of education, research, and public service. See Acceptable Use Agreement listed at the top under Governing Policies. They should respect the confidentiality and privacy of individuals whose records they may access, observe any ethical restrictions that apply to the data to which they have access, and abide by applicable laws, regulations, standards, and policies with respect to access, use, disclosure, retention, and/or disposal of information.
5. For situations involving the purchase or acquisition of goods and services, particularly computer software and hardware, IT users should seek the advice from the appropriate Data Steward(s) and the Purchasing Department on the relevant procedures.

IU policies require that any IT resources that are purchased with university funds be managed by IU IT professionals. For College faculty and graduate students, this means that hardware such as workstations, tablets, laptops, and printers that are purchased with research, departmental, or College funds must be managed by COLL+IT staff. In this context, management of IT resources means that COLL+IT staff will install and update software, and security patches using available tools, including centrally available management tools, to maintain required security measures on all College IT devices. Management of complex and specialized software (e.g., publicly available shared code on open science resources such as GitHub) will be coordinated with the faculty and/or post-docs and graduate students who are its primary users. Management tools for operating systems are available on Windows, Apple and LINUX platforms. They enable IT professionals to patch many devices at the same time. The use of these tools ensures that all College units comply with IU IT policies and promotes awareness of best practices. College IT professionals are also available for consultation and advice about any hardware and software issues.

So that devices can be effectively managed centrally, we strongly encourage departments to coordinate with their IT professionals prior to device purchase. In order to maintain a manageable workload for IT staff, whenever possible, we encourage purchases from established IT vendors on IU’s approved vendor list. COLL+IT units have developed standard security protocols for their devices.

Faculty and staff who have concerns about central management interfering with the execution of their research, teaching, or service missions, should begin by working with their IT professionals on a solution that meets their needs while also complying with IU policy requirements. In the rare cases where a solution cannot be identified, faculty and staff may bring their concerns to the IT Faculty Advisory Council for further consideration. The College Faculty Advisory Council has an established procedure for exemption requests: https://collfitc.sitehost.iu.edu/doc/college-exemption-procedure-final-v2_5.2.2019.pdf. Your IT professional can walk you through the procedure.

All IT users are bound by IU policy IT-07 which concerns the privacy of all electronic files, voice, video and network communications. The policy applies to all authorized users of IU information technology resources, irrespective of whether those resources or data are stored at or accessed from on-campus or off-campus locations. The policy restricts access to electronic files and voice and network communications to account holders except when access is required to serve and protect other core values of the institution. The university does not endorse the routine inspection of electronic files or monitoring of network activities related to individually identifiable use. At times, however, legitimate reasons exist for persons other than the account holder to access computers, electronic files, or data related to use of the University network, including but not limited to:

• Ensuring the continued confidentiality, integrity, and availability of university systems and operations.
• Securing user and system data.
• Ensuring lawful and authorized use of university systems.
• Providing appropriately de-identified data for institutionally approved research projects.
• Responding to valid legal requests or demands for access to university systems and records.

The College empowers its IT professionals to do their jobs to manage systems and devices with an ample level of training and trust as stewards of the systems that use University IT resources. The implementation of controls and auditing mechanisms are part of IU’s mitigation strategy to minimize security risks and identify potentially malicious or harmful activities that could disrupt research, teaching, service, or administrative operations across the university. To ensure that the College operates according to IU IT policy, compliance with these requirements is monitored by the Executive Dean’s office.

TABLE OF DEFINITIONS

Data Stewards: Data Stewards are recommended by the AVP of Information Security and appointed by the Vice President for Information Technology. Data governance is a quality control discipline that includes the categorization, access management, use, maintenance, and protection of organizational information. Each Data Steward is responsible for overseeing strategic and tactical data management for their particular data subject area as specified below and according to the responsibilities specified in data management policies and standards.

Data Management Advisors: Data Management Advisors are ex officio members representing advisory offices or functions such as the Chief Information Security Officer, University Counsel, Internal Audit, among others as listed at: Data Stewards (iu.edu).

Data Steward Delegate: Data Steward Delegates handle day to day activities as assigned by the Data Stewards. Additionally, when the University Data Management Council works on issues related to a specific domain and/or calls together the group of Stewards, the Delegate may represent the Steward if the Steward is unavailable.

For more information about these roles see: https://datamanagement.iu.edu/governance/data-stewards/index.php