...

Under the President and the Vice President for Information Resources and Chief Information Officer (CIO), the Chief Director of Information Security Officer shall ensure compliance with this policy. The Provost, Executive Vice President for Administration and Strategic Advancement, Vice Presidents, Deans, IR Directors, and individual managers shall implement the policy. 

...

  1. Steward of Information or Data: The Steward is the University employee responsible for the approval of the creation of a collection of information or data or the primary user of that information or data. For example, the Registrar is the Steward for much of the University’s student information. The Vice President for Human Resources is the Steward for much of the University’s employee information.
  2. Custodian of Information or Data: The Custodian is responsible for the processing and storage of information or data on behalf of the Steward of that information or data.
  3. Consumer/User: A Consumer/User is any person authorized to read, enter, copy, query, download, or update information.
  4. User Managers: A User Manager is any University administrator, faculty member, or staff member who supervises Consumer/Users or who handles University business unit administrative responsibilities. User Managers are responsible for overseeing their Consumer/Users’ access to Sensitive Information, including:
    • Reviewing and approving all requests for access authorizations and ensuring that they accurately reflect each Consumer/User’s role and required access.
    • Ensuring that the approved procedures are followed for employee suspensions, terminations, and transfers, and that appropriate measures are taken to revoke access privileges.
    • Revoking access privileges from students, vendors, consultants, and others when access is no longer necessary or appropriate.
    • Providing the opportunity for training needed to properly use computer systems.
    • Reporting promptly to the Executive Director and Information Security Officer and to the Office of University Counsel any potential or actual unauthorized access of University Sensitive Information (security breach) in accordance with the University’s Protocol for Responding to Security Breaches of Certain Identifying Information.
    • Initiating appropriate actions when Information Security Incidents are identified in accordance with the Incident Management Policy.
    • Ensuring that any Information Security requirements are followed for any acquisitions, transfers, and surplus of equipment that processes or stores electronic information, such as computers, servers, smartphones/PDAs, and certain copiers.
  5. Information Security Liaison: Each University business unit that is responsible for maintaining its own information technology services must have a designated Information Security Liaison as well as a designated backup Information Security Liaison. The duties and responsibilities of the Security Liaison are described in detail in the Security Liaison Policy.
    Key responsibilities for the individuals serving in each of the above roles are discussed in the Information Security Procedures and Standards, which are attached. In addition, the University’s Executive Director and Information Security Officer will work with Stewards, Custodians, User Managers, Consumer/Users, and Information Security Liaisons to develop and implement prudent security policies, procedures, and controls, in consultation with the Office of University Counsel.
  6. Chief Director of Information Security Officer: The responsibilities of the Chief Director of Information Security Officer and the staff of the Information Security Office include:
    • Developing an Information Security Strategy approved by the Chief Information Officer and Data Governance Committee.
    • Developing and maintaining a University Information Security Program to provide University services for:
      • Security Governance and Oversight
      • Network Security Protection
      • Endpoint Security Protection
      • Vulnerability Management
      • Incident Management
      • Annual Security Risk Assessments
      • Information Security Consulting
      • Information Security Policies, Procedures, and Standards
      • Information Security Awareness
      • Information Security Design and Architecture
      • Technology Risk Management
      • 3rd Party Security Reviews
    • Serving as the University Security Officer for HIPAA, FERPA, GLBA, and PCI.
    • Serving as the University Security Liaison to all Local, State, and Federal Government Agencies and Law Enforcement.

...