How To Manage Information Security At A University

Transcription

1 Data Management & Protection: Roles & Responsibilities Document Version: 1.0 Effective Date: December, 2008 Original Issue Date: December, 2008 Most Recent Revision Date: November 29, 2011 Approval Authority: Laura Patterson, AVP Contact: Information and Infrastructure Assurance Table of Contents Purpose... 2 Data Management and Protection Roles and Responsibilities... 2 University Level Roles and Responsibilities... 2 Data Steward... 2 Delegated Data Steward... 2 Data Manager... 3 Data Management Integration Coordinator...3 Compliance Officer... 3 IT Security Executive Sponsors... 4 IT Security Council... 4 University Chief Information Technology Security Officer... 4 Office of University Audits... 5 Privacy Oversight Committee... 5 Unit Level Roles and Responsibilities... 5 Deans and Directors... 5 Business Owner... 5 Information Security Unit Liaison... 6 Information Security Coordinator... 6 Information Security Administrator... 7 Information Security Communications Coordinator... 7 IT Service Provider...7 IT Resource User... 8 Data User... 8 Updates... 8 References... 8

2 2 Data Management & Protection: Roles & Responsibilities Purpose This document defines University roles and responsibilities associated with managing and protecting the University information resources. It supplements applicable University policies and guidelines and is also intended as a reference for University personnel who will either fill these roles or assign others to fill them. The roles are organized into two categories: University level roles which apply across the University Unit level roles which apply across an individual unit school, college, or central office For additional information about responsibilities of central offices that are specifically related to mitigating serious security incidents please refer to the Information Security Incident Management Operating Level Agreement (OLA), which lists relevant responsibilities of the Department of Public Safety, Office of General Counsel, Risk Management, Office of the Vice President for Communications, and others. Data Management and Protection Roles and Responsibilities University Level Roles and Responsibilities Data Steward The Data Stewards are the University Executive Officers having policy level responsibility for managing a segment of the University s information resources as designated by the Regental by laws. Communicating applicable policies and procedures to staff, faculty, and students and promoting data management and security training, education, and awareness; Establishing goals, objectives, and action plans to implement relevant policies and programs; Incorporating information security risk considerations into business planning and budgeting; Identifying delegated data stewards for segments of the University s information resource as appropriate; Ensuring the accurate, valid and timely collection of data; Classifying data relative to their sensitivity and criticality to the institution; Setting policies regarding the storage, protection, manipulation, access to and sharing of data; Ensuring disaster recovery and business continuity contingency plans and processes are developed and implemented; In conjunction with the Chief Information Technology Security Officer, determining appropriate response to serious security incidents that impact information protected under the regulation. The University Data Stewards/Data Managers list is available at Delegated Data Steward The Delegated Data Stewards are senior University officials who have policy level responsibility for managing a segment of the University s information resource who have been designated to serve as the data steward for that segment of the information resource. Carrying out data steward responsibilities for specific segments of the information resource upon delegation.

3 3 The University Data Stewards/Data Managers list is available at Data Manager The Data Managers are University officials and their staff who have operational level responsibility for data capture, maintenance, and dissemination of a segment of the University s information resource. Carrying out data steward responsibilities for specific segments of the information resource upon delegation; Developing operational level procedures to ensure the accurate, valid and timely collection of data; Responding to questions regarding data validity; Implementing operational level procedures regarding the storage, protection, manipulation, and sharing of data; Implementing procedures to grant and maintain access to data and appointing individuals to authorize data access; Providing appropriate user support in the use of data upon delegation. The University Data Stewards/Data Managers list is available at Data Management Integration Coordinator The Data Management Integration Coordinators are University officials and their staff who are responsible for facilitating and resolving shared data management issues among central offices, schools and colleges, and the health system. Working with data stewards and their delegates to facilitate policy, process and practice discussions about the institutional data; Driving resolution of shared data management issues to best support the entire University by working with the data stewards and their delegates; Providing appropriate user support in the use of data (e.g., collection and maintenance, validation and correction, storage and replication, backup and recovery, understanding, reporting and access, proper use) in partnership with the data stewards and their delegates. The University Data Stewards/Data Managers list is available at Compliance Officer The Compliance Officers are appointed by the Executive Officers to bring the University into compliance with specific regulations and are the University focal points for communication on given regulations. The responsibilities listed in this document apply to regulations that relate to information security, including, but not limited to: Health Insurance Portability and Accountability Act (HIPAA) Gramm Leach Bliley Act (GLBA) Family Educational Rights and Privacy Act (FERPA) Sarbanes Oxley Act (SOX)/Internal Controls Freedom of Information Act (FOIA) Cardholder Information Security Program/Payment Card Industry (CISP/PCI) Carrying out data steward responsibilities for the scope of data specified by the applicable regulation; Establishing goals, objectives, and action plans to implement relevant regulations and collaborate with IIA on their implementation; In conjunction with the Chief Information Technology Security Officer, determining appropriate response to serious security incidents that impact information protected under the regulation.

4 4 IT Security Executive Sponsors The Executive Sponsors are the University Executive Officers having high level responsibility for championing and guiding the University IT Security Program. They include: Executive Vice President and Chief Financial Officer Executive Vice President and Provost Executive Vice President for Medical Affairs Vice President for Research Providing strategic direction to the IT Security Program; Approving University wide security policies; Endorsing security related communications to the University Community; Seeking the involvement of IIA where appropriate; Publicizing their sponsorship of the IT Security Program to the University Community. IIA Council The IIA Council ( is composed of appointed representatives of schools, colleges, and central offices who guide the development of IT security policies and standards. Advising UM executive officers about issues related to the security of information systems or data used by UM students, faculty, and staff; Ensuring that UM policies, practices, and standards provide safeguards to secure the IT systems and data at the UM; Serving as a governance board for IIA. University Chief Information Technology Security Officer The University Chief Information Technology Security Officer directs the IIA office, and is the appointed University focal point for information security issues, including security training, awareness, information security incident management and response, risk management and data resource protection. Directing and coordinating the University wide IT Security Program; Determining unit level compliance with the Information Security Policy, SPG ; Providing a focal point for oversight of serious security incidents as indicated in SPG , Information Security Incident Reporting Policy; Establishing security metrics, tracking the progress of the IT Security Program, and providing a Universitywide risk profile; Assisting units in fulfilling their unit level information security requirements; Overseeing development of information security training courses and materials; Coordinating training and awareness programs; providing educational materials and tool kits for dissemination and training across the University; Providing additional information security services (such as forensics), tools, and expert knowledge to assist units in detecting and resolving incidents; Acting as the delegated data steward for information security information in accordance with SPG and the Data Administration Guidelines for Institutional Data Resources.

5 5 Office of University Audits The Office of University Audits ( provides audit services throughout the University Community. Incorporating information security risk considerations into audit planning; Coordinating information security efforts with the University Chief Information Technology Security Officer; Working with Data Stewards (or designees) and IT Resource Providers in the development or implementation of proper controls in essential administrative systems. Providing periodic examination of and reporting on information security issues in a audit context; Communicating applicable policies and procedures to staff, faculty, and students and promoting data management and security training, education, and awareness. Privacy Oversight Committee The Privacy Oversight Committee advises the President and the Associate Provost for Academic, Information and Instructional Technology Affairs about issues that may affect the privacy of students, faculty, and staff. Ensuring that UM policies and practices provide safeguards to individuals rights and expectations of privacy; Reviewing enterprise resource planning (ERP) and administrative policy and design decisions; Implementing applicable policies. Unit Level Roles and Responsibilities Deans and Directors The University Deans and Directors are responsible for implementing and ensuring compliance with University policies, guidelines and procedures relevant to data management and protection as applicable to their areas. Communicating applicable policies and procedures to staff, faculty, and students and promoting data management and security training, education, and awareness; Establishing goals, objectives, and action plans to implement relevant policies and programs; Incorporating information security risk considerations into business planning and budgeting; Designating unit staff to information security roles (including information security unit liaisons and information security coordinators) to collaborate with central offices on the implementation of policies and programs; Making necessary arrangements with vendors, consultants, and external researchers to ensure their compliance with information security policies and procedures; Carrying out data steward responsibilities for data unique to their school/college. Business Owner The Business Owners are University officials having policy level and operational responsibilities for a set of business processes and are major stakeholders of applications and services that support their areas.

6 6 In collaboration with University units, providing requirements and priorities to IT service providers for the development or acquisition of applications and services; Sponsoring applications and services through budget acquisition and funding; Accepting and approving the functionality of applications and services; Ensuring that technical access controls and other security measures are appropriately prioritized among other application or service features; Ensuring security requirements for applications and services are appropriate to the sensitivity and criticality of the information they access; Determining and enforcing acceptable use policies for applications and services. Information Security Unit Liaison The Information Security Unit Liaison is appointed by the dean or director to serve as the focal point for coordinating security activities within the unit and with IIA. This role may be performed by the unit information security coordinator. Alternatively, units may assign some of the unit liaison responsibilities to the information security coordinator, or may designate two individuals to jointly serve as the Information Security Unit Liaisons. The Information Security Unit Liaison may hold the title of Information Security Officer, Information Security Manager, IT Director/Manager, or Business Manager (responsible for IT and security), as appropriate. Serving as the main interface to IIA and participating in IIA sponsored activities; Regularly communicating with unit leadership on security related issues including appraising them of relevant security risks and of the unit s progress in implementing the security program; Identifying the general security needs of the unit including unit security roles, training needs, and resource requirements; Ensuring unit security roles are assigned, understood, maintained, and communicated within the unit and to IIA; Ensuring that individuals who are assigned to security roles are appropriately trained; Coordinating the preparation of the information security plan, annual plan updates, self assessments, risk assessments, and other unit level security documents and providing them to IIA; Ensuring unit has established appropriate unit level security procedures that are consistent with University policies and guidelines; Collaborating with IIA on the implementation of the unit s information security plan; Coordinating information security education and awareness for the unit; Providing feedback to IIA of special security needs, priorities, and concerns. Information Security Coordinator The Information Security Coordinator is the senior information security professional in a given unit, who may hold the title of Information Security Officer or Information Security Manager for the unit. The Information Security Coordinator may also be the appointed information security unit liaison for the unit. Managing the daily information security activities of the unit; Establishing unit plans for conducting periodic risk assessments, coordinating risk assessment activities, developing unit risk mitigation plans and coordinating their execution; Acting as the focal point for information security incident management in the unit; informing IIA and unit management of serious incidents and coordinating incident response in conjunction with IIA; Maintaining inventory of sensitive and critical information resources; Ensuring unit has established appropriate unit level security procedures that are consistent with University policies and guidelines; Collaborating with IIA on the implementation of the unit s information security plan;

7 7 Coordinating information security education and awareness for the unit; Providing feedback to IIA of special security needs, priorities, and concerns. Information Security Administrator The Information Security Administrators are security professionals who have gone through the IIA security administrator training (or equivalent) and are assigned to handle the security needs for a unit. Depending on the size and complexity of the unit, several security administrators may be needed to perform this function. Individuals in this role will typically have the University job title of Data Security Analyst Intermediate. In cases where the unit has not yet acquired or developed a trained information security administrator, the unit may make arrangements to delegate this role to IIA. Participating in IIA sponsored security coordination meetings and technical interchanges; Obtaining security training and maintaining an appropriate level of expertise and awareness; Responding to information security incidents according to University and unit policies and procedures; Providing expert technical advice and guidance to their constituency; Conducting security risk assessments; Providing core security services as required, such as intrusion detection, vulnerability scanning and firewall administration. Information Security Communications Coordinator The Information Security Communications Coordinator acts as a focal point for the unit s communications relative to information security. This role may be carried out by the existing unit communications staff, the Information Security Unit Liaison or the Information Security Coordinator. Preparing and implementing communication plans; Assessing the communication methods used in the unit and how best to use them; Identifying key audiences and sponsors in the unit and determining how to provide information to them; Preparing and distributing security related messages, presentation materials, reference materials, Web information, promotion and awareness documents; Disseminating relevant e mail messages, security awareness and communication materials from IIA and other sources to appropriate audiences; Monitoring the effectiveness of security communications and awareness activities and improving communication processes as necessary. IT Service Provider The IT Service Providers are organizations, departments, managers, or staff members responsible for the acquisition, development and operation of IT assets and services. Information security administrators as defined in this document typically reside within an IT service provider organization. SPG , and the IT Security Program; Promoting awareness and education of security policies and guidelines within their areas and in communications with business owners; Ensuring information security administrators within their areas are properly trained and regularly participate in IIA sponsored interchanges; Acquiring, developing and operating IT assets including networks, servers, workstations, applications, and databases; Maintaining operational service levels to meet availability requirements of business owners; Ensuring the development and implementation of unit level security policies and procedures; Appropriately securing information systems based on University policies and guidelines and industry

8 8 best practices. IT Resource User The IT Resource Users are members of the University community who access University information technology resources and services. They may include faculty, staff, students, vendors, consultants, external researchers, and any other users of University information technology resources. Promptly reporting all information security incidents (including computer loss or theft) to their unit information security coordinators or to IIA, as specified in SPG ; Maintaining awareness of University policies relating to IT resource use; Learning, understanding and following acceptable use policies and guidelines applicable to the system to which they have access; Fulfilling data user responsibilities as applicable. Data User The Data Users are any authorized user of University data. University employees will have access to data only as necessary in the performance of their official University duties. Accessing and using data in accordance with institutional policies and applicable federal and state laws; Utilizing and sharing data appropriately based on University role, and data documentation provided by the data steward. Reporting data validity issues to the proper data manager, providing as much information as possible to help understand and diagnose the problem, and supporting other efforts to correct the data; Notifying data stewards if there is a need to review the restrictions to or lack of restrictions to data. References Standard Practice Guide Proper Use of Information Resources, Information Technology, and Networks at the University of Michigan Standard Practice Guide Privacy and the Need to Monitor and Access Records Standard Practice Guide Institutional Data Resource Management Policy Standard Practice Guide Information Security Incident Reporting Policy Standard Practice Guide Information Security Policy Information Security Incident Management Guideline ( Information Security Incident Management Operating Level Agreement (please contact its.iia@umich.edu to obtain a copy.) Data Management and Protection Common Definitions ( Data Steward/Data Manager List ( Data Administration Guidelines for Institutional Data Resources (