Data Management & Protection: Roles & Responsibilities

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Data Management & Protection: Roles & Responsibilities"

Transcription

1 Data Management & Protection: Roles & Responsibilities Document Version: 1.0 Effective Date: December, 2008 Original Issue Date: December, 2008 Most Recent Revision Date: November 29, 2011 Approval Authority: Laura Patterson, AVP Contact: Information and Infrastructure Assurance Table of Contents Purpose... 2 Data Management and Protection Roles and Responsibilities... 2 University Level Roles and Responsibilities... 2 Data Steward... 2 Delegated Data Steward... 2 Data Manager... 3 Data Management Integration Coordinator...3 Compliance Officer... 3 IT Security Executive Sponsors... 4 IT Security Council... 4 University Chief Information Technology Security Officer... 4 Office of University Audits... 5 Privacy Oversight Committee... 5 Unit Level Roles and Responsibilities... 5 Deans and Directors... 5 Business Owner... 5 Information Security Unit Liaison... 6 Information Security Coordinator... 6 Information Security Administrator... 7 Information Security Communications Coordinator... 7 IT Service Provider...7 IT Resource User... 8 Data User... 8 Updates... 8 References... 8

2 2 Data Management & Protection: Roles & Responsibilities Purpose This document defines University roles and responsibilities associated with managing and protecting the University information resources. It supplements applicable University policies and guidelines and is also intended as a reference for University personnel who will either fill these roles or assign others to fill them. The roles are organized into two categories: University level roles which apply across the University Unit level roles which apply across an individual unit school, college, or central office For additional information about responsibilities of central offices that are specifically related to mitigating serious security incidents please refer to the Information Security Incident Management Operating Level Agreement (OLA), which lists relevant responsibilities of the Department of Public Safety, Office of General Counsel, Risk Management, Office of the Vice President for Communications, and others. Data Management and Protection Roles and Responsibilities University Level Roles and Responsibilities Data Steward The Data Stewards are the University Executive Officers having policy level responsibility for managing a segment of the University s information resources as designated by the Regental by laws. Communicating applicable policies and procedures to staff, faculty, and students and promoting data management and security training, education, and awareness; Establishing goals, objectives, and action plans to implement relevant policies and programs; Incorporating information security risk considerations into business planning and budgeting; Identifying delegated data stewards for segments of the University s information resource as appropriate; Ensuring the accurate, valid and timely collection of data; Classifying data relative to their sensitivity and criticality to the institution; Setting policies regarding the storage, protection, manipulation, access to and sharing of data; Ensuring disaster recovery and business continuity contingency plans and processes are developed and implemented; In conjunction with the Chief Information Technology Security Officer, determining appropriate response to serious security incidents that impact information protected under the regulation. The University Data Stewards/Data Managers list is available at Delegated Data Steward The Delegated Data Stewards are senior University officials who have policy level responsibility for managing a segment of the University s information resource who have been designated to serve as the data steward for that segment of the information resource. Carrying out data steward responsibilities for specific segments of the information resource upon delegation.

3 3 The University Data Stewards/Data Managers list is available at Data Manager The Data Managers are University officials and their staff who have operational level responsibility for data capture, maintenance, and dissemination of a segment of the University s information resource. Carrying out data steward responsibilities for specific segments of the information resource upon delegation; Developing operational level procedures to ensure the accurate, valid and timely collection of data; Responding to questions regarding data validity; Implementing operational level procedures regarding the storage, protection, manipulation, and sharing of data; Implementing procedures to grant and maintain access to data and appointing individuals to authorize data access; Providing appropriate user support in the use of data upon delegation. The University Data Stewards/Data Managers list is available at Data Management Integration Coordinator The Data Management Integration Coordinators are University officials and their staff who are responsible for facilitating and resolving shared data management issues among central offices, schools and colleges, and the health system. Working with data stewards and their delegates to facilitate policy, process and practice discussions about the institutional data; Driving resolution of shared data management issues to best support the entire University by working with the data stewards and their delegates; Providing appropriate user support in the use of data (e.g., collection and maintenance, validation and correction, storage and replication, backup and recovery, understanding, reporting and access, proper use) in partnership with the data stewards and their delegates. The University Data Stewards/Data Managers list is available at Compliance Officer The Compliance Officers are appointed by the Executive Officers to bring the University into compliance with specific regulations and are the University focal points for communication on given regulations. The responsibilities listed in this document apply to regulations that relate to information security, including, but not limited to: Health Insurance Portability and Accountability Act (HIPAA) Gramm Leach Bliley Act (GLBA) Family Educational Rights and Privacy Act (FERPA) Sarbanes Oxley Act (SOX)/Internal Controls Freedom of Information Act (FOIA) Cardholder Information Security Program/Payment Card Industry (CISP/PCI) Carrying out data steward responsibilities for the scope of data specified by the applicable regulation; Establishing goals, objectives, and action plans to implement relevant regulations and collaborate with IIA on their implementation; In conjunction with the Chief Information Technology Security Officer, determining appropriate response to serious security incidents that impact information protected under the regulation.

4 4 IT Security Executive Sponsors The Executive Sponsors are the University Executive Officers having high level responsibility for championing and guiding the University IT Security Program. They include: Executive Vice President and Chief Financial Officer Executive Vice President and Provost Executive Vice President for Medical Affairs Vice President for Research Providing strategic direction to the IT Security Program; Approving University wide security policies; Endorsing security related communications to the University Community; Seeking the involvement of IIA where appropriate; Publicizing their sponsorship of the IT Security Program to the University Community. IIA Council The IIA Council (http://safecomputing.umich.edu/about/iiac.html) is composed of appointed representatives of schools, colleges, and central offices who guide the development of IT security policies and standards. Advising UM executive officers about issues related to the security of information systems or data used by UM students, faculty, and staff; Ensuring that UM policies, practices, and standards provide safeguards to secure the IT systems and data at the UM; Serving as a governance board for IIA. University Chief Information Technology Security Officer The University Chief Information Technology Security Officer directs the IIA office, and is the appointed University focal point for information security issues, including security training, awareness, information security incident management and response, risk management and data resource protection. Directing and coordinating the University wide IT Security Program; Determining unit level compliance with the Information Security Policy, SPG ; Providing a focal point for oversight of serious security incidents as indicated in SPG , Information Security Incident Reporting Policy; Establishing security metrics, tracking the progress of the IT Security Program, and providing a Universitywide risk profile; Assisting units in fulfilling their unit level information security requirements; Overseeing development of information security training courses and materials; Coordinating training and awareness programs; providing educational materials and tool kits for dissemination and training across the University; Providing additional information security services (such as forensics), tools, and expert knowledge to assist units in detecting and resolving incidents; Acting as the delegated data steward for information security information in accordance with SPG and the Data Administration Guidelines for Institutional Data Resources.

5 5 Office of University Audits The Office of University Audits (www.umich.edu/~uaudits) provides audit services throughout the University Community. Incorporating information security risk considerations into audit planning; Coordinating information security efforts with the University Chief Information Technology Security Officer; Working with Data Stewards (or designees) and IT Resource Providers in the development or implementation of proper controls in essential administrative systems. Providing periodic examination of and reporting on information security issues in a audit context; Communicating applicable policies and procedures to staff, faculty, and students and promoting data management and security training, education, and awareness. Privacy Oversight Committee The Privacy Oversight Committee advises the President and the Associate Provost for Academic, Information and Instructional Technology Affairs about issues that may affect the privacy of students, faculty, and staff. Ensuring that UM policies and practices provide safeguards to individuals rights and expectations of privacy; Reviewing enterprise resource planning (ERP) and administrative policy and design decisions; Implementing applicable policies. Unit Level Roles and Responsibilities Deans and Directors The University Deans and Directors are responsible for implementing and ensuring compliance with University policies, guidelines and procedures relevant to data management and protection as applicable to their areas. Communicating applicable policies and procedures to staff, faculty, and students and promoting data management and security training, education, and awareness; Establishing goals, objectives, and action plans to implement relevant policies and programs; Incorporating information security risk considerations into business planning and budgeting; Designating unit staff to information security roles (including information security unit liaisons and information security coordinators) to collaborate with central offices on the implementation of policies and programs; Making necessary arrangements with vendors, consultants, and external researchers to ensure their compliance with information security policies and procedures; Carrying out data steward responsibilities for data unique to their school/college. Business Owner The Business Owners are University officials having policy level and operational responsibilities for a set of business processes and are major stakeholders of applications and services that support their areas.

6 6 In collaboration with University units, providing requirements and priorities to IT service providers for the development or acquisition of applications and services; Sponsoring applications and services through budget acquisition and funding; Accepting and approving the functionality of applications and services; Ensuring that technical access controls and other security measures are appropriately prioritized among other application or service features; Ensuring security requirements for applications and services are appropriate to the sensitivity and criticality of the information they access; Determining and enforcing acceptable use policies for applications and services. Information Security Unit Liaison The Information Security Unit Liaison is appointed by the dean or director to serve as the focal point for coordinating security activities within the unit and with IIA. This role may be performed by the unit information security coordinator. Alternatively, units may assign some of the unit liaison responsibilities to the information security coordinator, or may designate two individuals to jointly serve as the Information Security Unit Liaisons. The Information Security Unit Liaison may hold the title of Information Security Officer, Information Security Manager, IT Director/Manager, or Business Manager (responsible for IT and security), as appropriate. Serving as the main interface to IIA and participating in IIA sponsored activities; Regularly communicating with unit leadership on security related issues including appraising them of relevant security risks and of the unit s progress in implementing the security program; Identifying the general security needs of the unit including unit security roles, training needs, and resource requirements; Ensuring unit security roles are assigned, understood, maintained, and communicated within the unit and to IIA; Ensuring that individuals who are assigned to security roles are appropriately trained; Coordinating the preparation of the information security plan, annual plan updates, self assessments, risk assessments, and other unit level security documents and providing them to IIA; Ensuring unit has established appropriate unit level security procedures that are consistent with University policies and guidelines; Collaborating with IIA on the implementation of the unit s information security plan; Coordinating information security education and awareness for the unit; Providing feedback to IIA of special security needs, priorities, and concerns. Information Security Coordinator The Information Security Coordinator is the senior information security professional in a given unit, who may hold the title of Information Security Officer or Information Security Manager for the unit. The Information Security Coordinator may also be the appointed information security unit liaison for the unit. Managing the daily information security activities of the unit; Establishing unit plans for conducting periodic risk assessments, coordinating risk assessment activities, developing unit risk mitigation plans and coordinating their execution; Acting as the focal point for information security incident management in the unit; informing IIA and unit management of serious incidents and coordinating incident response in conjunction with IIA; Maintaining inventory of sensitive and critical information resources; Ensuring unit has established appropriate unit level security procedures that are consistent with University policies and guidelines; Collaborating with IIA on the implementation of the unit s information security plan;

7 7 Coordinating information security education and awareness for the unit; Providing feedback to IIA of special security needs, priorities, and concerns. Information Security Administrator The Information Security Administrators are security professionals who have gone through the IIA security administrator training (or equivalent) and are assigned to handle the security needs for a unit. Depending on the size and complexity of the unit, several security administrators may be needed to perform this function. Individuals in this role will typically have the University job title of Data Security Analyst Intermediate. In cases where the unit has not yet acquired or developed a trained information security administrator, the unit may make arrangements to delegate this role to IIA. Participating in IIA sponsored security coordination meetings and technical interchanges; Obtaining security training and maintaining an appropriate level of expertise and awareness; Responding to information security incidents according to University and unit policies and procedures; Providing expert technical advice and guidance to their constituency; Conducting security risk assessments; Providing core security services as required, such as intrusion detection, vulnerability scanning and firewall administration. Information Security Communications Coordinator The Information Security Communications Coordinator acts as a focal point for the unit s communications relative to information security. This role may be carried out by the existing unit communications staff, the Information Security Unit Liaison or the Information Security Coordinator. Preparing and implementing communication plans; Assessing the communication methods used in the unit and how best to use them; Identifying key audiences and sponsors in the unit and determining how to provide information to them; Preparing and distributing security related messages, presentation materials, reference materials, Web information, promotion and awareness documents; Disseminating relevant e mail messages, security awareness and communication materials from IIA and other sources to appropriate audiences; Monitoring the effectiveness of security communications and awareness activities and improving communication processes as necessary. IT Service Provider The IT Service Providers are organizations, departments, managers, or staff members responsible for the acquisition, development and operation of IT assets and services. Information security administrators as defined in this document typically reside within an IT service provider organization. SPG , and the IT Security Program; Promoting awareness and education of security policies and guidelines within their areas and in communications with business owners; Ensuring information security administrators within their areas are properly trained and regularly participate in IIA sponsored interchanges; Acquiring, developing and operating IT assets including networks, servers, workstations, applications, and databases; Maintaining operational service levels to meet availability requirements of business owners; Ensuring the development and implementation of unit level security policies and procedures; Appropriately securing information systems based on University policies and guidelines and industry

8 8 best practices. IT Resource User The IT Resource Users are members of the University community who access University information technology resources and services. They may include faculty, staff, students, vendors, consultants, external researchers, and any other users of University information technology resources. Promptly reporting all information security incidents (including computer loss or theft) to their unit information security coordinators or to IIA, as specified in SPG ; Maintaining awareness of University policies relating to IT resource use; Learning, understanding and following acceptable use policies and guidelines applicable to the system to which they have access; Fulfilling data user responsibilities as applicable. Data User The Data Users are any authorized user of University data. University employees will have access to data only as necessary in the performance of their official University duties. Accessing and using data in accordance with institutional policies and applicable federal and state laws; Utilizing and sharing data appropriately based on University role, and data documentation provided by the data steward. Reporting data validity issues to the proper data manager, providing as much information as possible to help understand and diagnose the problem, and supporting other efforts to correct the data; Notifying data stewards if there is a need to review the restrictions to or lack of restrictions to data. References Standard Practice Guide Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan Standard Practice Guide Privacy and the Need to Monitor and Access Records Standard Practice Guide Institutional Data Resource Management Policy Standard Practice Guide Information Security Incident Reporting Policy Standard Practice Guide Information Security Policy Information Security Incident Management Guideline (https://www.safecomputing.umich.edu/umonly/im_guidelines.pdf) Information Security Incident Management Operating Level Agreement (please contact to obtain a copy.) Data Management and Protection Common Definitions (https://www.safecomputing.umich.edu/umonly/policiesguidelines.php) Data Steward/Data Manager List (http://www.mais.umich.edu/access/policies.html) Data Administration Guidelines for Institutional Data Resources (http://www.mais.umich.edu/access/policies.html)

Data Management & Protection: Common Definitions

Data Management & Protection: Common Definitions Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Rowan University Data Governance Policy

Rowan University Data Governance Policy Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data

More information

Institutional Data Governance Policy

Institutional Data Governance Policy Institutional Data Governance Policy Policy Statement Institutional Data is a strategic asset of the University. As such, it is important that it be managed according to sound data governance procedures.

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using

More information

Security Awareness Training Policy

Security Awareness Training Policy Security Awareness Training Policy I. PURPOSE This policy is intended to set the training standard for several key audiences in Salem State University, including, but not limited to: University executives,

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 5 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: October 19, 2006 Contact for More Information: Chief Privacy Officer 1303 A West Campus

More information

R345, Information Technology Resource Security 1

R345, Information Technology Resource Security 1 R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,

More information

Information Security Incident Management Guidelines

Information Security Incident Management Guidelines Information Security Incident Management Guidelines INFORMATION TECHNOLOGY SECURITY SERVICES http://safecomputing.umich.edu Version #1.0, June 21, 2006 Copyright 2006 by The Regents of The University of

More information

Business & Finance Information Security Incident Response Policy

Business & Finance Information Security Incident Response Policy Business & Finance Information Security Incident Response Policy University of Michigan http://www.umich.edu/~busfin/ Document Version: 10 Effective Date: 6/1/2006 Review Date: 7/31/2009 Responsible: Approval

More information

Data Management Standard

Data Management Standard Data Management Standard Revision: Version 1.0 Date: 11/2015 Status: Approved by ISAC, Reviewed by Chancellor s Cabinet 1. Objectives Page 1 2. Scope Statement. Page 1 3. Requirements..Page 1 4. Definitions

More information

Harmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology

Harmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology Harmonizing Your Compliance and Security Objectives Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology Make sure efforts serve multiple purposes Use standards to guide effort Repeatable

More information

Data Governance Policy

Data Governance Policy Data Governance Policy Table of Contents STATEMENT OF PURPOSE... 2 ENTITIES AFFECTED BY THIS POLICY... 3 WHO SHOULD READ THIS POLICY... 3 POLICY STRUCTURE... 3 POLICY... 3 1. Data Governance Structure...

More information

SCHOOL OF NURSING POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT November 2007. Introduction

SCHOOL OF NURSING POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT November 2007. Introduction SCHOOL OF NURSING POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT November 2007 Introduction The University of Michigan Standard Practice Guide (SPG) 201.65-1 requires the deans of the

More information

Prepared by the Office of the Executive Vice President for Academic Affairs/Provost This is a NEW Executive Policy UNIVERSITY OF HAWAI I

Prepared by the Office of the Executive Vice President for Academic Affairs/Provost This is a NEW Executive Policy UNIVERSITY OF HAWAI I Prepared by the Office of the Executive Vice President for Academic Affairs/Provost This is a NEW Executive Policy UNIVERSITY OF HAWAI I EXECUTIVE POLICY ON INSTITUTIONAL DATA GOVERNANCE September 2012

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

University of Michigan School of Music, Theatre & Dance Conflicts of Interest and Conflicts of Commitment Staff Policy

University of Michigan School of Music, Theatre & Dance Conflicts of Interest and Conflicts of Commitment Staff Policy Introduction University of Michigan School of Music, Theatre & Dance Conflicts of Interest and Conflicts of Commitment Staff Policy Standard Practice Guide (SPG) 201.65-1, Conflicts of Interest and Conflicts

More information

Wright State University Information Security

Wright State University Information Security Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified

More information

Health Sciences Compliance Plan

Health Sciences Compliance Plan INDIANA UNIVERSITY Health Sciences Compliance Plan 12.18.2014 approved by University Clinical Affairs Council Table of Contents Health Sciences Compliance Plan I. INTRODUCTION... 2 II. SCOPE... 2 III.

More information

ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities

ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities Policy Title: Information Security Roles Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles Approval Date: 05/28/2014 Revised Responsible Office:

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION Information security is a critical issue for institutions of higher education (IHE). IHE face issues of risk, liability, business continuity,

More information

Cal Poly Information Security Program

Cal Poly Information Security Program Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data

More information

University of Hawai i Executive Policy on Data Governance (Draft 2/1/12)

University of Hawai i Executive Policy on Data Governance (Draft 2/1/12) University of Hawai i Executive Policy on Data Governance (Draft 2/1/12) I. Definition Data governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009 Pacific University Policy Governing Identity Theft Prevention Program Red Flag Guidelines Approved June 10, 2009 Program adoption Pacific University developed this identity Theft Prevention Program ( Program

More information

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

SUMMARY OF POSITION ROLE/RESPONSIBILITIES: SUMMARY OF POSITION ROLE/RESPONSIBILITIES: Reporting to the Senior Vice President for Administration, this position is responsible for ensuring that the University of Florida, in its entirety, is compliant

More information

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...

More information

October 8, 2014. User Conference. Ronald Layne Manager, Data Quality and Data Governance rlayne@gwu.edu

October 8, 2014. User Conference. Ronald Layne Manager, Data Quality and Data Governance rlayne@gwu.edu Ensuring the highest quality data is delivered throughout the university providing valuable information serving individual and organizational need October 8, 2014 Ronald Layne Manager, Data Quality and

More information

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Director, IT Security District Office Kern Community College District JOB DESCRIPTION Director, IT Security District Office Kern Community College District JOB DESCRIPTION Definition Reporting to the Chief Information Officer, the Director of IT Security develops and implements procedures,

More information

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY PURPOSE The value of data as an institutional resource is increased through its widespread and appropriate use; its value is diminished through misuse,

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

BUSINESS CONTINUITY PLANNING

BUSINESS CONTINUITY PLANNING Policy 8.3.2 Business Responsible Party: President s Office BUSINESS CONTINUITY PLANNING Overview The UT Health Science Center at San Antonio (Health Science Center) is committed to its employees, students,

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability

More information

Institutional Data Governance Policy

Institutional Data Governance Policy Institutional Data Governance Policy Vanderbilt University and Medical Center Effective Date: 07/09/2014 Revision Date: N/A DOCUMENT CONTROL Document Title Institutional Data Governance Policy Summary:

More information

933 COMPUTER NETWORK/SERVER SECURITY POLICY

933 COMPUTER NETWORK/SERVER SECURITY POLICY 933 COMPUTER NETWORK/SERVER SECURITY POLICY 933.1 Overview. Indiana State University provides network services to a large number and variety of users faculty, staff, students, and external constituencies.

More information

IT Risk & Security Specialist Position Description

IT Risk & Security Specialist Position Description Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level

More information

Manag. Roles. Novemb. ber 20122

Manag. Roles. Novemb. ber 20122 Information Technology Manag gement Framework Roles and Respo onsibilities Version 1.2 Novemb ber 20122 ITM Roles and Version History Version ed By Revision Date Approved By Approval Date Description of

More information

Computer Security Incident Response Team

Computer Security Incident Response Team Computer Security Incident Response Team Operational Standards The University of Scranton Information Security Office August 2014 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0

More information

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY Authority: Category: Applies to: Chancellor, Fayetteville State University University-wide Faculty, Staff, and Students History: Approved on

More information

Utica College. Information Security Plan

Utica College. Information Security Plan Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles

More information

COLLEGE OF PHARMACY CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT POLICY FOR STAFF. Introduction

COLLEGE OF PHARMACY CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT POLICY FOR STAFF. Introduction COLLEGE OF PHARMACY CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT POLICY FOR STAFF Introduction SPG 201.65-1 requires the deans of the schools or colleges and the directors of administrative units

More information

NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290

NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 NORTH DAKOTA CLASS DESCRIPTION ND Human Resource Management Services Phone: (701) 328-3290 Class Code(s): 0117 0118 SCOPE OF WORK: INFORMATION SYSTEMS SECURITY ANALYST Work involves the completion of technical

More information

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

University of Central Florida Class Specification Administrative and Professional. Information Security Officer Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team

More information

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 Gramm Leach Bliley Act 15 U.S.C. 6801-6809 6809 GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007 1 Objectives for GLBA Training GLBA Overview Safeguards Rule

More information

Date of Last Review Senior Vice President for Academic. September 2015 Affairs FORMAL REVIEW

Date of Last Review Senior Vice President for Academic. September 2015 Affairs FORMAL REVIEW Minnesota State University, Mankato University Policy Policy Name: University Data Effective Date of Last Revision Governance July 1, 2016 Custodian of Policy: Provost and Date of Last Review Senior Vice

More information

Information Security Plan May 24, 2011

Information Security Plan May 24, 2011 Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised

More information

DTCC RISK COMMITTEE CHARTER

DTCC RISK COMMITTEE CHARTER DTCC RISK COMMITTEE CHARTER Purpose The ability to identify, manage and mitigate risk is fundamental to the services that The Depository Trust & Clearing Corporation ( DTCC ) provides to its members and

More information

Information Technology Management Procedure June 1, 2015

Information Technology Management Procedure June 1, 2015 Information Technology Management Procedure June 1, 2015 Information Technology Management, page 1 of 7 Contents Responsibility for Local Information Technology Policies 3 Responsibility to Maintain Functionality

More information

Publication 805-A Revision: Certification and Accreditation

Publication 805-A Revision: Certification and Accreditation Postal Bulletin 22358 (3-7-13) Policies, Procedures, and Forms Updates Publication 805-A Revision: Certification and Accreditation Effective immediately, the January 2013 edition of Publication 805-A,

More information

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose

More information

University Information Technology Security Program Standard

University Information Technology Security Program Standard University Information Technology Security Program Standard July 2012 Version 3.0 This standard establishes requirements and general principles for initiating, implementing, maintaining, and improving

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Rowan University IT ACQUISITION POLICY

Rowan University IT ACQUISITION POLICY Rowan University IT ACQUISITION POLICY Effective: January 2014 Data Governance: IT Acquisition Policy Page 1 of 6 IT ACQUISITION POLICY Title: Data Governance: IT Acquisition Policy Subject: Information

More information

5 FAM 630 DATA MANAGEMENT POLICY

5 FAM 630 DATA MANAGEMENT POLICY 5 FAM 630 DATA MANAGEMENT POLICY (Office of Origin: IRM/BMP/OCA/GPC) 5 FAM 631 GENERAL POLICIES a. Data management incorporates the full spectrum of activities involved in handling data, including its

More information

RFP Attachment C Classifications

RFP Attachment C Classifications RFP 1. Applications IT Architect Analyzes and designs the architecture for software applications and enhancements, including the appropriate application of frameworks and design patterns and the interrelationships

More information

Del Mar College Job Description. Chief Information Technology Officer FLSA Status: Exempt. Position # 110035 Prepared: October 2006

Del Mar College Job Description. Chief Information Technology Officer FLSA Status: Exempt. Position # 110035 Prepared: October 2006 BRIEF DESCRIPTION: The purpose of this position is to serve as the chief technology officer with leadership and responsibility for the operational and maintenance of the College s information technology

More information

Campus-wide Planning for Business Continuity and Emergency Operations

Campus-wide Planning for Business Continuity and Emergency Operations Campus-wide Planning for Business Continuity and Emergency Operations Gloria Hauck Thiele & Alan McCord University of Michigan Office of the University CIO EDUCAUSE 2000 Agenda Welcome, Overview, Icebreaker

More information

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002

Indiana University of Pennsylvania Information Assurance Guidelines. Approved by the Technology Utilities Council 27-SEP-2002 Indiana University of Pennsylvania Information Assurance Guidelines Approved by the Technology Utilities Council 27-SEP-2002 1 Purpose... 2 1.1 Introduction... 2 1.1.1 General Information...2 1.1.2 Objectives...

More information

CORPORATE GOVERNANCE GUIDELINES (as amended and restated on January 20, 2014)

CORPORATE GOVERNANCE GUIDELINES (as amended and restated on January 20, 2014) CORPORATE GOVERNANCE GUIDELINES (as amended and restated on January 20, 2014) The Board of Directors (the Board or individually Director ) of Symantec Corporation (the Company ) represents the interests

More information

Stetson University College of Law Crisis Communications Plan

Stetson University College of Law Crisis Communications Plan Introduction and Guiding Principles Stetson University College of Law Crisis Communications Plan Stetson University College of Law s Crisis Communications Plan summarizes the roles, responsibilities, and

More information

Valdosta Technical College. Information Security Plan

Valdosta Technical College. Information Security Plan Valdosta Technical College Information Security 4.4.2 VTC Information Security Description: The Gramm-Leach-Bliley Act requires financial institutions as defined by the Federal Trade Commision to protect

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation

Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Harvard University Payment Card Industry (PCI) Compliance Business Process Documentation Business Process: Documented By: PCI Data Security Breach Stephanie Breen Creation Date: 1/19/06 Updated 11/5/13

More information

Advisory Council member responsibilities include:

Advisory Council member responsibilities include: GOVERNANCE AND OVERSIGHT OF THE KUALI PROJECT: The following provides a chart of the Governance and Oversight Structure for the Kuali Project. In addition to the below, is a Functional Council that includes

More information

Information Resources Security Guidelines

Information Resources Security Guidelines Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. Air Traffic Organization Policy

U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION. Air Traffic Organization Policy U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION Air Traffic Organization Policy ORDER JO 1000.37A SUBJ: Air Traffic Organization Safety Management System Effective Date: 5/30/14 The mission

More information

Project Team Roles Adapted for PAAMCO

Project Team Roles Adapted for PAAMCO Project Team Roles Adapted for PAAMCO Project Roles, Authority & Responsibilities Role a defined funciton assumed by or assigned to a person in the project Authority the right to apply project resources,

More information

1.0 PREAMBLE... 2 2.0 WEB POLICY...

1.0 PREAMBLE... 2 2.0 WEB POLICY... Name: Web Policy and Procedures Policy Number: 2-2003 Origin: Information Technology Systems & Support (ITSS) Approved: 28 July 2004 Issuing Authority: Executive Management Group Responsibility: Director,

More information

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

EMERGENCY PREPAREDNESS AND CRISIS MANAGEMENT PLAN

EMERGENCY PREPAREDNESS AND CRISIS MANAGEMENT PLAN EMERGENCY PREPAREDNESS AND CRISIS MANAGEMENT PLAN MAY 2009 Public Web Version Getting Help Immediately Any situation requiring immediate response from police, fire, or emergency medical services to preserve

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent

More information

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention Oklahoma State University Policy and Procedures Rules and Identity Theft Prevention 3-0540 ADMINISTRATION & FINANCE July 2009 Introduction 1.01 Oklahoma State University developed this Identity Theft Prevention

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

EMERGENCY MANAGEMENT ORGANIZATION

EMERGENCY MANAGEMENT ORGANIZATION VI. EMERGENCY MANAGEMENT ORGANIZATION General 1. The overall responsibility for emergency preparedness rests with government on all levels, including all agencies of state, county and city in coordination

More information

Computer Security Incident Response Team

Computer Security Incident Response Team University of Scranton Computer Security Incident Response Team Operational Standards Information Security Office 1/27/2009 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0 Establishment

More information

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Page 1 of 7 The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II). Domain I provides a solid foundation for the governance of

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine

More information

University of California Regents Policy 7702 Senior Management Group Performance Management Review Process

University of California Regents Policy 7702 Senior Management Group Performance Management Review Process Senior Management Group Performance Management Review Process Approved July 17, 2008 Amended September 16, 2010 and March 29, 2012 Responsible Officer: Vice President Human Resources Responsible Office:

More information

INSTITUTIONAL COMPLIANCE PLAN

INSTITUTIONAL COMPLIANCE PLAN INSTITUTIONAL COMPLIANCE PLAN Responsible Party: Board of Trustees Contact: Institutional Compliance Office Original Effective Date: 02/16/2012 Last Revised Date: 10/13/2014 Contents I. SCOPE OF THE PLAN...

More information

Date of Last Review Senior Vice President for Academic. September 2015 Affairs INFORMAL REVIEW DRAFT

Date of Last Review Senior Vice President for Academic. September 2015 Affairs INFORMAL REVIEW DRAFT Minnesota State University, Mankato University Policy Policy Name: University Data Effective Date of Last Revision Governance July 1, 2016 Custodian of Policy: Provost and Date of Last Review Senior Vice

More information

Framework for Enterprise Risk Management

Framework for Enterprise Risk Management Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach

More information

INFORMATION TECHNOLOGY ENGINEER V

INFORMATION TECHNOLOGY ENGINEER V 1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County

More information

PBGC Information Security Policy

PBGC Information Security Policy PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.

More information

IT Security Policy - Information Security Management System (ISMS)

IT Security Policy - Information Security Management System (ISMS) IT Security Policy - Information Security Management System (ISMS) Responsible Officer Contact Officer Vice-President, Finance & Operations Chief Digital Officer Superseded Documents IT Security Policy,

More information

Continuity Planning and Disaster Recovery

Continuity Planning and Disaster Recovery Responsible Officer: AVP - Information Technology Services & UC Chief Information Officer Responsible Office: IT - Information Technology Services Issuance Date: 7/27/2007 Effective Date: 7/27/2007 Scope:

More information

SCHOOL OF ART & DESIGN IMPLEMENTATION OF POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT August 2007

SCHOOL OF ART & DESIGN IMPLEMENTATION OF POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT August 2007 SCHOOL OF ART & DESIGN IMPLEMENTATION OF POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT August 2007 SPG 201.65-1 requires the deans of the schools or colleges and the directors of administrative

More information

DHHS Directive Number II-12

DHHS Directive Number II-12 DHHS Directive Number II-12 Title: Delegation of Authority to the Director, Division of Information Resource Management Effective Date: November 3, 2008 Revision History: January 1, 2002 Authority: G.S.

More information

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION

Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

INFORMATION SECURITY STRATEGIC PLAN

INFORMATION SECURITY STRATEGIC PLAN INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information

More information

EMERGENCY MANAGEMENT POLICY

EMERGENCY MANAGEMENT POLICY Effective Date: November 2, 2009 Supersedes/Amends: VRS-50/December 2006 Originating Office: Office of the Vice-President, Services Policy Number: VPS-50 SCOPE This policy applies to all members of the

More information