Statement: These principles of information management apply to all organizations within Purdue Information Technology.

Rationale: Consistent and measurable quality information for decision-makers is achieved only if all organizations abide by these principles.

• These principles should prevent exclusions, favoritism, and inconsistencies that would undermine information management.
• Information management initiatives should comply with these principles.
• Conflicts with a principle will be resolved by changing the initiative's framework.

Statement: Information management decisions should maximize benefits to the enterprise, including all Purdue campuses.

Rationale: Adopting ITIL's "Think and Work Holistically" and "Focus on Value" enterprise-wide decisions provide greater long-term value.

• Planning and managing information will need to change to achieve system-wide benefits.
• Some organizations may need to compromise for the greater good.
• Application development priorities must be set for the entire enterprise.
• Applications should be shared across organizational boundaries.
• Information management initiatives should align with the enterprise plan, which will be adjusted as needed.
• A system-wide forum should make decisions on priority adjustments.

Statement: Software and hardware should conform to industry standards promoting interoperability for data, applications, and technology. ITIL describes this as "Keep it Simple and Practical."

Rationale: Standards ensure consistency, manageability, user satisfaction, and protection of IT investments, maximizing ROI and reducing costs. Deviating from standards creates solutions unique to Purdue that are inefficient to maintain and lead to technical debt.

• Follow interoperability and industry standards unless there is a compelling reason not to.
• Establish a process for setting, reviewing, and revising standards, and granting exceptions.
• Identify and document existing IT platforms (ITIL: "Start Where You Are").
• Technology solutions should be scalable, reliable, and sustainable.

Statement: Data is a valuable asset to the enterprise and should be managed to maximize its accuracy, currency, integrity, and consistency. ITIL reminds us to "Collaborate and Promote Visibility."

Rationale: Timely access to accurate data is essential for improving enterprise decision-making.

• Educate all organizations on the value of shared and accessible data.
• Stewards must have the authority and means to manage their data.
• Develop procedures to prevent and correct errors in data and processes.
• Implement data governance policies to ensure data accuracy, consistency, and compliance.
• Invest in software to migrate legacy data to a shared environment.
• Balance data sharing with data security to avoid compromising confidential data.

Statement: Data definitions are consistent throughout the enterprise, and those definitions are understandable and accessible. ITIL states "Start Where You Are".

Rationale: A common data definition enables data sharing, facilitates communication, and ensures effective system interfacing.

• Commit resources to establishing a common vocabulary.
• Uniformly use established data definitions throughout the enterprise.
• Document new data definitions within an institutional glossary.
• Ensure the institutional glossary is easily accessible and referenced in reporting.

Statement: Applications should be easy to use, with underlying technology being transparent to users. ITIL suggests to "Keep it Simple and Practical."

Rationale: Ease-of-use encourages working within the integrated information environment.

• Applications should have a common look and feel, supporting ergonomic requirements.
• User interfaces should consider factors like location, language, training, and physical capabilities.
• Prioritize Ease of Use for user-facing applications for faculty, staff, and students.

Statement: Applications should be independent of specific technology choices and operate on various platforms. This aligns with ITIL's "Optimize and Automate" and "Think and Work Holistically."

Rationale: Independence from technology provides Purdue IT with options for cost-effective and timely application development, upgrades, and operation.

• Identify opportunities to support portability and interoperability.
• Recognize that Commercial Off-The-Shelf applications may have limited choices due to platform dependencies.
• Develop APIs, Message Brokers, or other integration methods to enable application interoperability.
• Use middleware to decouple applications from specific software solutions.

Statement: Changes to applications and technology are made only with business leaders' approval and partnership.

Rationale: This principle ensures the information environment changes in response to business needs, minimizing unintended effects on business.

• Examine proposed changes thoroughly using the enterprise architecture.
• Obtain business partner approval for technical improvements or system development projects.
• Develop and implement change management processes that align with this principle.
• Focus on business needs rather than technology needs; responsive change is also a business need.

Statement: Security must be enforced consistently across all systems and data, assuming no implicit trust within or outside the organization.

Rationale: Adopting a Zero Trust Security model ensures robust protection against evolving threats by verifying every access request, regardless of its origin.

• Enforce least-privilege access controls, granting users only the minimum necessary permissions.
• Use segmentation to minimize the impact of potential security breaches.
• Regularly update and patch systems to address vulnerabilities promptly.
• Foster a security-first culture and provide ongoing training to all employees.

Statement: Ensure continuous operation of critical business functions during and after a disruption.

Rationale: Maintaining business operations during unforeseen events is essential to minimize impact and ensure resilience.

• Develop and regularly update a comprehensive business continuity plan, including risk factors and impact of outages.
• Implement robust disaster recovery, backup solutions, and redundant infrastructure.
• Ensure redundancy and failover capabilities for critical systems by regularly testing solutions.
• Establish clear communication channels and protocols for crisis management.

Statement: Adhere to all relevant legal, regulatory, and policy requirements.

Rationale: Compliance ensures the organization operates within legal boundaries and maintains trust with stakeholders.

• Regularly review and update policies to reflect current laws and regulations.
• Implement monitoring and auditing mechanisms to ensure adherence to compliance requirements.
• Provide ongoing training to employees on compliance obligations and best practices.
• Ensure documentation and reporting processes meet regulatory standards.