Information Technology Standard 01.2.0

IT Security Roles & Responsibilities


Date of Current Revision or Creation: November 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with Â鶹´«Ã½ Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this compliance standard is to clearly define the roles and responsibilities involved in the Â鶹´«Ã½ Information Technology Security Program.

Definitions

Data Classification - In the context of information security, the classification of data is based on its level of sensitivity and the impact to the University should that data be disclosed, altered, or destroyed without authorization.

Data Compliance Owners - University employees (typically at the level of Unit Leader) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of institutional data under their purview. Data Compliance Owners understand the compliance requirements for their data, designate the compliance level of their data, and approve access to their data. University Data Compliance Owners oversee compliance for data that is shared or leveraged across the University, such as HR, Finance, Financial Aid, and Student FERPA data. Departmental Data Compliance Owners oversee the data that is specific to the departmental application or system that is not overseen by one or more of the University Data Compliance Owners.

System Compliance Owners - Manager or departmental head responsible for operation and maintenance of a University IT system or overseeing hosted systems under their purview. System Compliance Owners are responsible for the overall compliance and security of their system.

Data Users - Those authorized to access institutional data and information to perform their assigned duties or to fulfill their role in the University community.

Application Administrators - Individuals with administrative application or system privileges, who are responsible to ensure that appropriate controls, mechanisms, and processes are in place to meet the security requirements necessary to protect an information technology resource. Application administrators ensure appropriate controls are in place for the applications that administer the data.

Information Security Officer (ISO) - The Â鶹´«Ã½ employee, appointed by the President or designee, who is responsible for developing and managing Â鶹´«Ã½'s information security program.

Data Trustee - Senior University officials (typically at the level of Associate or Assistant Vice President) who have planning and policy-level responsibilities for university data and who assign accountability for data management. Data Trustees typically report to Vice Presidents who have oversight authority for compliance within their reporting structure.

Information Technology Security Program - provides a high-level view of the University's information security controls and elements used to satisfy the laws and regulations relevant to information security. The Information Security Officer has delegated authority for the selection and implementation of security controls and manages the overall information security program.

Standards Statement

This standard defines the roles and responsibilities as defined by the Â鶹´«Ã½ Information Technology Security Program. The roles are assigned to individuals and may differ from their official position title. Individuals may be assigned multiple roles as long as there is separation of duties, protection against fraud and conflicts of interest.

President
The University President or designee is responsible for the security of the University's IT systems and data. The President's IT security responsibilities include the following:

  1. Designate and inform the Virginia Information Technology Agency (VITA), by way of an email or hard copy signed letter, to the Chief Information Security Officer of the Commonwealth (CISO), the individual chosen as the Â鶹´«Ã½ Information Security Officer (ISO), including the person's name, title, and contact information. The Agency head's designee may email the information to VITA with a copy to the Â鶹´«Ã½ Agency Head. The President may also designate an assistant or deputy ISO as needed.
  2. Determine the optimal place of the IT security function within the University hierarchy with the shortest practicable reporting line to the President.
  3. Maintain an IT security program that is sufficient to protect the University's IT systems, and that is documented and effectively communicated.
  4. Review and approve or have the designated ISO or designee review and approve the Business Impact Analyses (BIAs), Risk Assessments (RAs) and IT Continuity of Operations Plan (COOP), to include an IT Disaster Recovery Plan.
  5. Review or have the designated ISO review the System Security Plans (in the form of System Risk Assessments) for all agency IT systems classified as sensitive, and approve System Security Plans that provide adequate protections against security risks; or disapprove System Security Plans that do not provide adequate protections against security risks, and require that the System Compliance Owner implement additional security controls on the IT system to provide adequate protections against security risks.
  6. Maintain an IT Security audit program that includes, but is not limited to, requiring development and implementation of a plan for IT security audits; requiring that the planned IT security audits are conducted; receiving reports of the results of IT security audits; and requiring development of Corrective Action Plans to address findings of IT security audits.
  7. Ensure a program of IT security safeguards.
  8. Ensure an IT security awareness and training program.
  9. Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.
  10. Prevent, or have a designee prevent, conflict of interest and adhere to the security concept of separation of duties.

Information Security Officer (ISO)
The ISO is responsible for developing and managing Â鶹´«Ã½'s IT security program. At Â鶹´«Ã½, this role has been formally assigned to a position in Information Technology Services (ITS). Portions of these responsibilities may be delegated as part of the comprehensive IT Security Program effort. The Information Security Officer must be an employee of the Commonwealth of Virginia. The ISO is restricted from holding the role of System Compliance Owner or Data Compliance Owner except in the case of compliance systems for information security. The Information Security Officer is responsible for the following:

  1. Develop and manage an IT security program that follows industry standards such as the International Standards Organization's ISO-27000 series of standards, best practices, and the practices of similar higher education institutions.
  2. Ensure that University systems and data are classified for sensitivity.
  3. Develop and maintain an IT security awareness and training program for faculty, staff, and students, including contractors and IT service providers.
  4. Implement and maintain the appropriate balance of protective, detective, and corrective controls for information systems commensurate with data sensitivity, risk, and systems criticality.
  5. Mitigate and report all information security incidents in accordance with and take appropriate actions to prevent recurrence.

Data Management Executive Committee (DMEC):
A senior level team comprised of representatives from the executive level and the Data Trustee level, which establishes overall policies for management and access to the institutional data of the University. The DMEC is charged with facilitating and monitoring the quality and protection of enterprise information at Â鶹´«Ã½. The DMEC is responsible for the following:

  1. Develop, implement, maintain and help enforce University-wide data management policies, standards, guidelines, and operating procedures related to University Institutional Data assets.
  2. Facilitate communication with senior institutional executives.
  3. Mediate disputes related to policies and standards.
  4. Facilitate development of information security awareness strategies.

Data Management Group (DMG):
The Data Management Group is comprised of representatives of Data Compliance Owners and technical leads at the University. The DMG is responsible for the following:

  1. Review the operational effectiveness of data management policies and procedures.
  2. Standardize definitions of commonly used terms, data elements and metrics.
  3. Define, with the assistance of Data Compliance Owners and the University ISO, which data elements are restricted and other data classifications.
  4. Ensure regular and appropriate collaborative communication with Data Users.
  5. Establish and apply rules to:
    • Improve the quality of the data, including accuracy, integrity timeliness, and definition.
    • Reduce redundancy of data.
  6. Provide input in the development and maintenance of a data map or inventory.
  7. Approve procedures for maintaining data use approvals.
  8. Approve requests for data sharing that are under the control of multiple owners/stewards.
  9. Establish procedures for consistent documentation of approvals of shared data and data views.
  10. Make the final determination on data restrictions.

Privacy Officer
At Â鶹´«Ã½, a Privacy Officer has not been designated. The University has assigned an individual as the Health Insurance Portability and Accountability Act (HIPAA) Privacy Official as outlined in Â鶹´«Ã½ Policy 1004: Health Insurance Portability & Accountability Act of 1996 ("HIPAA") Compliance Policy. Other privacy responsibilities are to be carried out by the Data Compliance Owner or their designee for the data that is subject to law or regulation. The Privacy Officer or designee is responsible for providing guidance on the following:

  1. The requirements of state and federal privacy laws pertaining to the data involved.
  2. Disclosure and access to sensitive or confidential data.
  3. Security and protection requirements in conjunction with IT systems when there is overlap among sensitivity, disclosure, privacy, and security issues.

System Compliance Owner
The System Compliance Owner is the manager or department head responsible for operation and maintenance of a University IT system or who is the contract owner for a hosted system. The System Compliance Owner is restricted from acting as System Administrator for systems they own. The System Compliance Owner must be an employee of the Commonwealth of Virginia and can own multiple systems. The System Compliance Owner's information security responsibilities include the following:

  1. Require that all IT system users complete IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually, thereafter.
  2. Manage system risk, risk documentation, and development of additional IT security procedures and guidelines required to protect the system in a manner commensurate with risk.
  3. Identify the type(s) of data handled by the University IT system and determine whether each type of data is also subject to other regulatory requirements. Maintain and implement the University's data classification requirements as spelled out in University Policy 3504 - Data Administration and Classification and supporting Standards, including ITS 08.1.0 Standard - System Risk Assessment Standard.
  4. Classify the IT system as sensitive if any type of data handled by the IT system has a sensitivity of high on any of the criteria of confidentiality, integrity, or availability. Use the information documented in the data classification policy as a primary input to the Risk Assessment process.
  5. Follow industry standards such as the International Standards Organization's ISO-27000 series of standards by following ITS Standards, as well as best practices and the practices of similar higher education institutions where warranted.
  6. Maintain compliance with requirements specified by Data Compliance Owners for the handling of data processed by the system.
  7. Designate System or Application Administrators for the system.
  8. Participate in the development of the University's Business Impact Analysis (BIA) when applicable.
  9. Develop and maintain an Information System Security Plan when warranted via the System Risk Assessment.
  10. In consultation with the Data Compliance Owner, document IT systems with which data is shared, including the types of shared data or direction(s) of data flow.
  11. Ensures an appropriate agreement is in place for any data shared with an external system.

Data Compliance Owner
The Data Compliance Owner is the manager responsible for the policy and practice decisions regarding data. The Data Compliance Owner must be an employee of the Commonwealth of Virginia and can own data in multiple systems. The Data Compliance Owner is restricted from acting as System or Application Administrator for data they own whenever possible. The Data Compliance Owner's information security responsibilities include the following:

  1. Know and understand the data for which they are responsible.
  2. Evaluate and classify sensitivity of the data.
  3. Maintain and implement the University's data classification requirements as spelled out in University Policy 3504 - Data Administration and Classification and supporting Standards.
  4. Determine the potential damages to the University if the data was compromised.
  5. Review and approve requests for access to data under their jurisdiction.
  6. Classify the IT system as sensitive if any type of data handled by the IT system has a sensitivity of high on any of the criteria of confidentiality, integrity, or availability.
  7. Use the information documented in the data classification policy as a primary input to the Risk Assessment process.
  8. Communicate data protection requirements to the System Compliance Owner.
  9. Define protection requirements for the data, with the support of the System Compliance Owner and System or Application Administrator, based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
  10. Participate in account access audits.
  11. Establish policies regarding the manipulation, modification, or reporting of institutional data elements and for creating derived elements, which are also institutional data.
  12. Develop procedures and define requirements for access to the data.
  13. Coordinate with Information Technology Services to determine data retention requirements and archiving strategies for storing and preserving historical operational data.

System Administrator
The System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Compliance Owner, or Data Compliance Owner. The System Administrator's information security responsibilities include the following:

  1. Assists management in the day-to-day administration of IT systems.
  2. Implements security controls and other requirements of the security program on IT systems for which assigned.
  3. The System Administrator can administer multiple systems.

Security Administrator
The Security Administrator ensures that proper security software, controls, and configurations are in place to protect information technology resources. The Security Administrator is restricted from acting as System, Application, and/or Database Administrator or System Compliance Owner with the exception of information security systems. The Security Administrator's IT security responsibilities include the following:

  1. Scan for vulnerabilities.
  2. Propose, require, and oversee the implementation of security controls.
  3. Monitor for violations or attempted violations of the security environment.
  4. Perform forensics of compromised systems when needed.
  5. Coordinate corrective actions for compromised systems.
  6. Track and report security violations.

Application Administrator
Application Administrators are individuals or organizations in physical or logical possession of data for Data Compliance Owners. Unless the application is hosted with an agreement that the vendor will fill this role and an appropriate contract is in place, the Application Administrator must be an employee of the Commonwealth of Virginia and can administer multiple systems. The Application Administrator's IT security responsibilities include the following:

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage per the requirements established by the System and Data Compliance Owners.
  2. Establish, monitor, and operate the application in a manner consistent with security policies and standards.
  3. Provide Data and System Compliance Owners with reports, when necessary and applicable.

Database Administrator
Database Administrators are individuals or organizations in physical or logical possession of data, via the database, for Data Compliance Owners. Unless the application is hosted with an agreement that the vendor will fill this role and an appropriate contract is in place, the Database Administrator must be an employee of the Commonwealth of Virginia and can fill this role for own multiple systems. The Database Administrator's IT security responsibilities include the following:

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage per the requirements established by the System and Data Compliance Owners.
  2. Establish, monitor, and operate the database in a manner consistent with security policies and standards.
  3. Provide Data and System Compliance Owners with reports, when necessary and applicable.

Data Users
Data Users are individuals and organizations that access Institutional Data and Information in order to perform their assigned duties or to fulfill their role in the University community. The Data User's information security responsibilities include the following:

  1. Protect their access privileges.
  2. Properly use the University data they access.
  3. Follow policy and information access procedures established by data compliance owners.
  4. Access only the information for which they are authorized.
  5. Report suspected or actual violations of policies.
  6. Exercise due care in the use of data.
  7. Work with Data Compliance Owners to define useful and meaningful schedules for creation of standard data extracts.

University Managers
Managers at all levels must provide for the information security needs under their jurisdiction. They shall take all reasonable actions to provide adequate IT security and to escalate problems, requirements, and matters related to information security to the highest level necessary for resolution.

Information Technology System Users
All users of IT systems, including faculty, staff, students, contractors, and visitors, are responsible for the following:

  1. Read and comply with IT security program requirements.
  2. Report breaches of IT security, actual or suspected, to their university management and/or the Information Security Officer (ISO).
  3. Take reasonable and prudent steps to protect the security of IT systems and data to which they have access.

Roles Assigned to Contractors
Roles may be assigned to contractors. In such circumstances, the contract language must include specific responsibility and background check requirements.

Procedures, Guidelines & Other Related Information

History

Date Responsible Party Action
October 2008 ITAC/CIO Created
October 2009 ITAC/CIO Reaffirmed
October 2010 ITAC/CIO Reaffirmed
October 2011 ITAC/CIO Reaffirmed
March 2012 ITAC/CIO Replaced Standard 02.2.1 and 02.2.1
Numbering revision
June 2015 IT Policy Office Added oversight groups and updated roles and responsibilities
August 2015 ITAC/CIO Revision affirmed
September 2018 IT Policy Office Links and definitions checked, language updated
November 2021 ITAC/CIO Revised terminology for compliance owners
Ìý