Policies & Procedures

Security Roles and Responsibilities 6029

I. PURPOSE

The purpose of this policy is to establish university-wide security roles with assigned responsibilities for protecting university data and information technology (IT) systems.

II. POLICY

Designation of Roles:
1. All security roles will be designated in such a way that allows for separation of duties and prevents conflict of interests.
  1. The Information Security Officer is not a system owner or a data owner except in the case of compliance systems for information security.
  2. The system owner and the data owner are not system administrators for IT systems or data they own.
2. Designations of security roles and assigned responsibilities must be documented:
  1. for employees, in their Position Description or Employee Work Profile.
  2. for system vendors in their contract.
3. Responsibilities of individuals in security roles will be reviewed annually.
4. Any individual designated as system owner and/or data owner must be an active; management level employee.
Explanation of Responsibilities:
1. Chief Information Officer (CIO): The CIO is accountable for directing the information and data integrity of the enterprise to include:
  1. Reporting data breaches to the Office of the Attorney General or to the Commissioner of Health without unreasonable delay.
  2. Working with senior management when contacting external agencies or authorities regarding an incident, as defined in Incident Response.
  3. Designating an alternate, as relevant to Incident Response.
2. Information Security Officer (ISO): The ISO is responsible for developing and managing the IT security program to include:
  1. Developing and managing an IT security program in accordance with the Information Technology Security Program Policy.
  2. Developing and maintaining a security awareness and training program in accordance with the Security Awareness and Training Policy.
  3. Ensuring that all university data and IT systems are classified for sensitivity.
  4. Implementing and maintaining an appropriate balance of protective, detective and corrective controls for IT systems commensurate with data sensitivity, risk and systems' criticality.
  5. Designating a single system owner for each IT system.
  6. Designating Incident Response Coordinator(s), certified in incident response, as approved by the ISO.
  7. Designating an alternate, as relevant to Incident Response.
  8. Documenting the responsibilities for each role.
  9. Reviewing System Security Plans:
    1. Approving System Security Plans that provide adequate protections against IT security risks; or
    2. Disapproving System Security Plans that do not provide adequate protections against security risks, and require the system owner implement additional security controls on the IT system to mitigate those security risks.
  10. Assist in the determination of investigative goals during an incident, as defined in Incident Response.
3. System Owner: A system owner is responsible for the operation and maintenance of the IT system(s) they own, to include:
  1. Managing system risk and developing any additional procedures required to protect the system in a manner commensurate with risk.
  2. Determining the investigative goals during an incident, as outlined in the Incident Response Plan.
  3. Ensuring compliance with applicable policies and standards.
  4. Ensuring compliance with requirements specified by data owners for the handling of data processed by the system.
  5. Designating system administrators:
    1. Each system will have at least two system administrators;
    2. Security tasks may be divided between application security and infrastructure security which may be assigned to different individuals;
    3. Any individual designated as a system administrator for infrastructure must be either a member of Information Technology Services (ITS) staff or a vendor.
  6. Designating the data owners for any data created or shared within their division.
4. Data Owner: A data owner is responsible for the policy and practice decisions regarding data he or she owns, to include:
  1. Evaluating and classifying the sensitivity of the data.
  2. Defining the protection requirements for the data based on the Data Classification Policy and/or business needs.
  3. Communicating data protection requirements to the system owner.
  4. Defining requirements for access to the data.
  5. Determining the investigative goals during an incident, as outlined in the Incident Response Plan
  6. Designating a data custodian for the data.
5. Incident Response Team (IRT): An IRT is responsible for the investigation of incidents, as outlined in the Incident Response Plan, to include:
  1. Collecting and analyzing evidence to determine the threat and subsequent containment of the incident.
  2. Documenting individual actions during an incident.
6. Incident Response Coordinators (IRC): An IRC is responsible for assembling and managing an IRT during the investigation of an incident, as outlined in the Incident Response Plan, to include:
  1. Serving as a liaison between the ISO and the IRT.
  2. Ensuring that system and data owner investigative goals are met and special handling instructions and priorities are adhered to
  3. Ensuring evidence is properly collected, documented, and secured.
7. System Administrator: A system administrator is responsible for implementing, managing and/or operating a system, for which he or she has been assigned, at the direction of the system owner, data owner and/or data custodian to include:
  1. Managing and documenting vulnerability scans.
  2. Implementing security controls and other requirements of the security program.
  3. Reporting security events per the Incident Response Policy.
8. Data Custodian: A data custodian is responsible for the physical or logical data for which he or she has been assigned to include:
  1. Protecting the data from unauthorized access, alteration, removal or usage.
  2. Establishing, monitoring and operating systems in a manner consistent with security policies and standards.
  3. Providing, administering, and documenting general controls, such as backup and recovery systems.
9. Privacy Officer: A privacy officer is responsible for directing the University's adherence to state or federal privacy law (e.g., FERPA, HIPAA) to include:
  1. Providing guidance on the requirements of the laws or regulations, including limits on disclosure of and access to sensitive data.
  2. Advising the University on the adoption of security protection requirements in conjunction with IT systems when there is some overlap among sensitivity, disclosure, privacy and security issues.
10. User: All members of the university community are responsible for the protection of the confidentiality, integrity, and availability of university data to include:
  1. Adhering to the Data Handling Standards to consistently protect the data throughout its life cycle and in any form.
  2. Knowing, understanding, and abiding by the following:
    1. Virginia DHRM Policy No. 1.75: Use of the Internet and Electronic Communication Systems
    2. Policy 5222: Misconduct Involving Abuse of Technology
    3. Policy 6002: Acceptable Use of Information Technology Resources and Systems
    4. Policy 6023: Password Management
    5. Policy 6014: Incident Response
    6. FERPA

III. ENFORCEMENT

The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.

Approved by the Board of Visitors, December 5, 2008.
Revised and approved by the Board of Visitors, March 25, 2011.
Revised and approved by the Board of Visitors, March 22, 2013.