POLICY TITLE:     Roles and Responsibilities for Information Security

POLICY #: IT - 16

DATE DRAFTED: 12/30/02

DATE POSTED for Review: 05/03/03    

APPROVED DATE: 04/12/05

REVISION DATE: 05/03/03

BRIEF DESCRIPTION:  To define the roles and responsibilities of the University community who are responsible for information assets and security at the University of Iowa.


Introduction:

Information assets of the University of Iowa, in all their forms and throughout their life cycle, will be protected through information management policies and actions that meet applicable federal, state, regulatory, or contractual requirements and support the University of Iowa’s mission, vision, and values.

Policy Statement:

The University of Iowa is responsible for implementing a comprehensive enterprise information security program.  This responsibility is delegated to the following groups and individuals:

Data Steward

The enterprise vice-president or top-level executive having policy-level responsibility for a particular set of information assets. The Data Steward will:

  1. Establish standards for business use of information.

  2. Assign administrative responsibility to Business Owners.

  3. Monitor compliance and periodically review violation reports.

Information Security Committee (ISC)

The Information Security Committee is responsible for governance and oversight of the enterprise information security program. The ISC will:

  1. Analyze and manage institutional risks.

  2. Review and recommend policies, procedures, and standards.

  3. Ensure consistency in disciplinary processes for violation.

Information Technology Security Officer

The official responsible for directing implementation of the enterprise information security program. The Information Technology Security Officer will:

  1. Coordinate the development and maintenance of information security policies and standards.

  2. Investigate security incidents and coordinate their resolution as defined in the IT Security Escalation Policy.

  3. Assist Business Owners in assessing their data for classification and advise them of available controls.

  4. Implement an information security awareness program.

  5. Serve as liaison to the Information Security Committee, law enforcement, Internal Audit, and University Legal Services.

  6. Provide consulting services for information security throughout the enterprise.

Business Owner

The senior official within a college or departmental unit (or his/her designee) accountable for managing information assets. The Business Owner will:

  1. Approve business use of information.

  2. Identify a Data Custodian (see Section 2.6) for each segment of information under his/her control.

  3. Ensure implementation of policies and documentation of processes and procedures for guaranteeing availability of systems, including:

    • Risk assessment
    • Data backup plan
    • Disaster recovery
    • Emergency mode operation
    • Software testing and revision controls

  4. Determine security classification of each segment of data as described in the Institutional Data Access Policy.

  5. Define departmental access roles and assign access for individuals based on their need to know.

  6. Ensure that all department/unit personnel with access to information assets are trained in relevant security and confidentiality policies and procedures.

  7. Ensure the protection of health information assets under his/her control, including:
    • Register all health information assets containing individually identifiable health information in any medium in the central repository.
    • Ensure that validated corrections to health information are implemented.
    • Ensure compliance with federal and state laws and University policy regarding the use of individually identifiable health information in directed communication/solicitation.
    • Require the completion of an information sharing agreement before access to health information assets is granted to external entities.

Department Security Liaison

The individual within a department/unit who acts as a liaison for timely and relevant information flow between central networking and computer security personnel and the department/unit.  The Security Liaison will:

  1. Receive all security vulnerability reports for departmental/unit computer systems and disseminate such information to appropriate technical staff for resolution.

  2. Receive network alerts, outage notifications, or other networking issues affecting the department/unit and disseminate such information to appropriate staff.

  3. Coordinate departmental response to computer security incidents.

Data Custodian

The technical official (and his/her staff) that has operational-level responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of hardware and software platforms. The Data Custodian will:

  1. Define and implement processes for assigning User access codes (using access profiles prepared for that use), revoking User access privileges, and setting file protection parameters. 

  2. Implement data protection and access controls established by the institutional policy.

  3. Define and implement procedures for backup and recovery of information.

  4. Ensure processes are in place for the detection of security violations.

  5. Monitor compliance with information security standards.

  6. Limit physical access to information assets, including:

    • Equipment control (into and out of site).
    • Authorization procedures prior to physical access.
    • Maintenance records.
    • Sign-in for visitors and escort, if appropriate.

  7. Maintain ongoing internal audit processes (to the extent technologically practical), which record system activity such as log-ins, file accesses, and security incidents.

  8. Maintain records of those granted physical access to information assets.

  9. Provide special handling and protection for health information assets, including:

    a. Ensure that operating and maintenance personnel are given access necessary to perform system maintenance responsibilities without compromising individually identifiable health information.

    b. Ensure that authorized, knowledgeable persons supervise personnel performing maintenance activities related to health information assets.

Authorized Data User

Individuals who have been granted access to specific information assets in the performance of their assigned duties are considered Authorized Data Users (Users). Users include, but are not limited to, faculty and staff members, trainees, students, vendors, volunteers, contractors, or other affiliates of the University of Iowa. Users will:

  1. Seek access to data only through the authorization and access control process.

  2. Access only that data which s/he has a need to know to carry out job responsibilities.

  3. Disseminate data to others only when authorized.

  4. Report access privileges inappropriate to job duties to the Business Owner for correction.

  5. Attend training in security and confidentiality policies/procedures.

  6. Attest in writing to knowledge of and compliance with health-related security and confidentiality policies and procedures prior to accessing protected health information.

Related Policies, References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.

They are incorporated into the University of Iowa Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).

Copyright © 2005 The University of Iowa. All rights reserved.