IT Requirements for faculty, staff, and graduate students: COLL-IT-01 Statement (version 06.01.24)
GOVERNING POLICIES
The College IT requirements are governed by IU system-wide policies and procedures, including but are not limited to:
- IU IT-01 Appropriate Use of Information Technology Resources: https://policies.iu.edu/policies/it-01-appropriate-use-it-resources/index.html
- IU DM-01 Management of Institutional Data: https://policies.iu.edu/policies/dm-01-management-institutional-data/index.html
- IU DM-02 Disclosing Institutional Information to Third Parties: https://policies.iu.edu/policies/dm-02-disclosing-institutional-information/index.html
- IU IT-07 Privacy of Electronic Information and Information Technology Resources: https://policies.iu.edu/policies/it-07-privacy-it-resources/index.html
- IU IT-12 Security of Information Technology Resources: https://policies.iu.edu/policies/it-12-security-it-resources/index.html
- IU IT-12.1 Mobile Device Security Standard: https://informationsecurity.iu.edu/policies/it121.html
- IU IT-28 Cyber Risk Mitigation Responsibilities: https://policies.iu.edu/policies/it-28-cyber-risk-mitigation/index.html
- Acceptable Use Agreement: https://access.iu.edu/UserAgreement/SignAgreement
For more information, please see https://policies.iu.edu/information-it/index.html
IT REQUIREMENTS
The following summary of IU policies outlines requirements for managing IT resources within the College; they apply to all faculty, staff, and graduate students. We refer to these as requirements rather than as guidance because they delineate practices that must be followed to align with existing IU policies.
- Use of Indiana University technology resources, including workstations and laptop computers, is restricted to purposes related to IU's research, teaching, and service missions. Incidental personal use is allowed provided it adheres to all applicable university policies and does not interfere with fulfilling the university's mission.
- All units and IT users that operate technology resources are responsible for ensuring the secure management of those systems.
- College IT personnel are directed to use secure facilities, common information technology infrastructure, and services provided by UITS whenever possible.
- All IT users are expected to access data stored on IU-owned or managed devices or associated with a university function (henceforth 'data') only in their conduct of university business, and in ways consistent with furthering the university's mission of education, research, and public service. See the Acceptable Use Agreement listed at the top under Governing Policies. Users must respect the confidentiality and privacy of individuals whose records they access, observe any ethical restrictions that apply to the data to which they have access, and abide by applicable laws, regulations, standards, and policies concerning access, use, disclosure, retention, and/or disposal of information.
- For situations involving purchasing or acquiring goods and services, particularly computer software and hardware, IT users are expected to seek advice from the appropriate Data Steward(s) and the Purchasing Department on the relevant procedures.
IU policies and university procedures require that any IT resources that are purchased with university funds be managed by IU IT technologists. For College staff, faculty, and graduate students, this implies that hardware and software —such as workstations, tablets, laptops, and printers—purchased using research, departmental, or College funds must be managed by the College IT Research, Infrastructure, and Support (CITRIS) staff.
Management of IT resources means that CITRIS staff will install and update software and security patches using available tools, including centrally available management tools, to maintain required security measures on all College IT devices. Management tools for operating systems are available on Windows, Apple, and LINUX platforms. They enable IT technologists to patch many devices at the same time. These tools ensure that all College units comply with IU IT policies and procedures while also promoting awareness of best practices. Management of complex and specialized software (e.g., publicly available shared code on open science resources such as GitHub) will be coordinated with the faculty and/or post-docs and graduate students who are its primary users. The IT technologists are available for consultation and advice concerning hardware and software issues.
So that devices can be effectively managed centrally, departments are required to coordinate with their CITRIS IT technologists before device purchase. IT products/services must be procured from established IT vendors on IU's approved vendor list. All software and hardware purchases that are not on the university's approved vendor list must be submitted to the university's Software and Services Selection Process team. Please refer to https://kb.iu.edu/d/aoyl for the types of products/services that require an SSSP (3SP) submission as well as types of requests that do not require completion of the SSSP form.
If faculty and staff encounter situations where central management disrupts their research, teaching, or service activities, they should collaborate with their IT technologists to find a solution that aligns with IU policy. In exceptional cases where no resolution is possible, faculty and staff can escalate their concerns to the Executive Associate Dean of the College, along with the Director of Academic Technology Support (UITS ATS), for further review.
All IT users are bound by IU policy IT-07 which concerns the privacy of all electronic files, voice, video, and network communications. The policy applies to all authorized users of IU information technology resources, irrespective of whether those resources or data are stored at or accessed from on-campus or off-campus locations. The policy restricts access to electronic files and voice and network communications to account holders except when access is required to serve and protect other core values of the institution. The university does not support the regular scrutiny of electronic documents, or the surveillance of network activities tied to individual usage. However, there are instances where valid grounds may necessitate individuals other than the account owner to gain access to computers, electronic documents, or data associated with the University's network usage. This includes but is not limited to:
- Ensuring the continued confidentiality, integrity, and availability of university systems and operations.
- Securing user and system data.
- Ensuring lawful and authorized use of university systems.
- Providing appropriately de-identified data for institutionally approved research projects.
- Responding to valid legal requests or demands for university systems and records access.
The College empowers IT technologists to manage systems and devices, backed by comprehensive training and trust. Auditing mechanisms and controls are established as a component of IU's security strategy to minimize risks and detect potentially harmful activities. The Executive Dean's office, the College Information Security & Policy Office (CISPO), and the College IT Research, Infrastructure, and Support (CITRIS) oversee compliance with IU IT policy.
DATA STEWARDSHIP AND RESPONSIBILITIES
Indiana University has official standards for managing institutional data that apply to all users and administrators of university information technology resources. These standards include rules for controlling access, maintaining data integrity and security, manipulating and extracting data for reports, and choosing appropriate locations and methods for storing and transmitting various institutional data elements.
Working with institutional data at IU, you are responsible for meeting the university's official data management standards to prevent inappropriate disclosures of personal or confidential information. Always follow best practices and procedures when storing sensitive institutional data.
Especially stringent standards apply to work involving sensitive institutional data (data elements classified as Restricted or Critical). For details, see Management of Institutional Data (DM-01) - https://policies.iu.edu/policies/dm-01-management-institutional-data
The IU Data Stewards, together with their IU Data Managers and IU Steward Delegates, oversee all data policies, procedures, and practices at IU. The University Data Stewards are recommended by the AVP of Information Security and appointed by the Vice President for Information Technology. Data governance is a quality control discipline that includes the categorization, access management, use, maintenance, and protection of organizational information. Each Data Steward is responsible for overseeing strategic and tactical data management for their particular data subject area as specified below and according to the responsibilities specified in data management policies and standards.
The University Data Management Advisors are ex officio members representing advisory offices or functions such as the Chief Information Security Officer, University Counsel, and Internal Audit, among others. You can find a comprehensive list of these advisors on the Data Stewards: Data Management (iu.edu).
University Data Steward Delegates handle day-to-day activities as assigned by the Data Stewards. Additionally, when the University Data Management Council works on issues related to a specific domain and/or calls together the group of Stewards, the Delegate may represent the Steward if the Steward is unavailable.
For more information about these roles see: https://datamanagement.iu.edu/governance/data-stewards/index.php