100 Information Security Roles and Responsibilities

101: Institutional Responsibilities

Information Security Policies & Procedures Manual
Section 100: Information Security Roles and Responsibilities
Effective: 01/11/2010

Purpose

The purpose of this Institutional Responsibilities document is to clearly outline the roles of President, CIO, and CISO in fulfilling Oregon State University’s responsibilities with respect to information security as directed in the OUS Information Security Policy.

Institutional Responsibilities

President:  As directed in the OUS Information Security Policy, the President has overall oversight responsibility for institutional provisions set forth in that policy.  The President will hold the CIO and CISO accountable for instituting appropriate policy and programs to ensure the security, integrity, and availability of OSU’s information assets.

Chief Information Officer (CIO):  As directed in the OUS Information Security Policy, the CIO is responsible for ensuring that the institutional policies governing Information Systems, User and Personal Information Security, Security Operations, Network and Telecommunications Security, Physical and Environmental Security, Disaster Recovery, and Awareness and Training are developed and adhered to in accordance with the OUS policy.

Chief Information Security Officer (CISO):  Reporting to the CIO, the CISO is responsible for the member institution’s security program and for ensuring that institutional policies, procedures, and standards are developed, implemented, maintained, and adhered to.

102: University Community Responsibilities


Purpose

The purpose of this section is to clarify individual responsibility in handling information entrusted to the institution.

Background

The University is required to protect certain information by federal laws, state laws, and State Board of Higher Education administrative rules.  However, ready access to information is a requirement for academic inquiry and the effective operation of the institution.  Current information technology makes it easier than ever for individuals to collect, process, and store information on behalf of the University; therefore, all individuals acting on behalf of the university need to understand their responsibilities.

Responsibilities

Individuals, including faculty, staff, other employees, and affiliated third party users, who are part of the University Community have a responsibility to protect the information entrusted to the institution.  When special protections are warranted, the appropriate Records Custodian will define appropriate handling requirements and minimum safeguards.  All members of the OSU Community have an obligation to understand the relative sensitivity of information they handle, and abide by University policy regarding protections afforded that information.  These protections are designed to comply with all federal and state laws, regulations, and policies associated with Information Security. 

Responsibilities include:

  • Comply with University policies, procedures, and guidelines associated with information security.
  • Meet or exceed the minimum safeguards as required by the Records Custodian based on the information classification.
  • Comply with handling instructions for Protected Information as provided by the Records Custodian. 
  • Report any unauthorized access, data misuse, or data quality issues to your supervisor, who will contact the Records Custodian for remediation.
  • Participate in education, as required by the Records Custodian(s), on the required minimum safeguards for Protected Information.

103: Records Custodians


Purpose

The purpose of this section is to clarify the role of “Records Custodian” as defined in OSU policy and practice, to ensure that specific University obligations are met.

Background Information

OSU’s policy on Acceptable Use of University Information defines a specific set of data related to the operation of the University and assigns a set of Records Custodians for those data in accordance with state law and University standard practice.  These Records Custodians have been designated by the University President to ensure accountability and proper records handling for institutional data regardless of which individual collects this information on behalf of the University.  These data include student records, financial records, and human resource records.  For the purposes of Information Security Policy, University personnel who collect data that do not fit these categories are recognized as the appropriate Records Custodian for that data.  

Responsibilities

Records Custodians documented in the Acceptable Use of University Information policy (or their delegates) have planning and policy-level responsibility for Information Systems within their functional areas and management responsibility for defined segments of Institutional Information.  All Records Custodians have the responsibility to ensure appropriate handling of information entrusted to the institution.

Records Custodians should do the following:

  1. Develop, implement, and manage information access policies and procedures.
  2. Ensure compliance with contractual obligations and/or federal, state, and University policies and regulations regarding the release of, responsible use of, and access to information.
  3. Assign information classifications based on a determination of the level of sensitivity of the information (see OSU ISM 202: Information Systems – Classification Standards).
  4. Assign appropriate handling requirements and minimum safeguards which are merited beyond baseline standards of care as defined in OSU ISM 203.
  5. Promote appropriate data use and data quality, including providing communication and education to data users on appropriate use and protection of information.
  6. Develop and implement record and data retention requirements in conjunction with University Archives.