Implementing a University Cyberisk Mitigation Policy: Lessons from IT-28

In May 2013, Indiana University approved a new policy to reduce overall threat surface by decreasing the number of servers outside secure facilities and the number of total servers, ensuring all servers are sufficiently maintained, and following IT security policies. The policy, which drew extensive discussion with deans, faculty, and IT staff, was a monumental exercise to implement at a comprehensive research university (including a large medical school). This session will cover the process used to communicate with many audiences about the policy, the lessons learned in implementation, and the resulting improvements to IT security.

OUTCOMES: Learn from the successes and challenges of this policy * Get a feel for the possibility of such a policy at your institution * Discuss honing the process for future iterations