Information Security and Privacy Program

Information Assets and Information Technology (IT) Resources are valuable and essential to furthering the mission of Purdue University. Administrative, technological, and physical safeguards are required to protect these assets to support our mission, to meet our legal and regulatory obligations, and to preserve privacy.

This Information Security and Privacy Program, administered through the Office of the Vice President for Information Technology under the leadership of the Chief Information Security Officer, IT Security and Policy, is established in support of the Information Security and Privacy Policy (VII.B.8). This program promotes, through standards, procedures, guidelines, and information sharing, an internal controls environment designed to maintain, facilitate, and promote protection of Information Technology (IT) Resources and Information Assets.


Support Purdue’s mission by protecting the confidentiality, integrity and availability of Information Assets and Information Technology (IT) Resources.


• Align the information security organization’s efforts to advance the University mission of discovery, learning and engagement while supporting privacy, legal and regulatory obligations
• Partner with stakeholders as trusted advisors and enablers in the acquisition or development and configuration of technologies to further protect the security and resilience of IT Resources and Information Assets consistent with related policies, procedures, and guidelines
• Approach security from a risk management perspective
• Promote organizational awareness of information security responsibilities and affect behavior through awareness and training
• Collaborate with community organizations and other educational institutions to increase awareness of the threat landscape and protections with increased insight, outreach, and sharing of cybersecurity information
• Promote proactive and adaptive processes with a commitment to continuous improvement
• Evolve security strategies, standards and procedures to maintain relevance to changes in business processes, technologies, laws and regulations, or identified risks

The Information Security and Privacy Program Components

The Information Security and Privacy Program components are based upon safeguards provided by the National Institute of Standards and Technology (NIST) Cybersecurity Framework and are aligned with strategies to advance Purdue University’s mission and support privacy, legal and regulatory obligations. The Framework guides Purdue’s information security program by incorporating the Framework’s core functions of Identify, Protect, Detect, Respond and Recover to address current strategic priorities, with the understanding that there is room to mature those and strengthen others as risks evolve.

What You Need to Know

All individuals who use or have access to University Information Assets and IT Resources have responsibilities for maintaining the confidentiality, integrity, and availability of these assets. The Secure Purdue website provides the following information and resources to help you:

• understand your responsibilities as a data user in supporting security through Purdue IT Policies and Standards;
• understand University compliance programs such as HIPAA, GLBA, copyright laws, SSN handling;
• know security tips and best practices to protect your computer, data and personal information;
• appropriately handle University data based on classification;
• protect University IT Resources and Information Assets with vulnerability management services and software downloads;
• report a security incident;
• set up authentication services, Purdue Career Account, two-factor authentication through BoilerKey, or InCommon Federation services;
• request a security risk review of new IT solutions or services prior to purchase or upon a renewal of an existing solution;
• request a security policy exception only when complying with policy affects business objectives and the cost to comply offsets the risk of non-compliance.