Policy Number: 175

Roles and Responsibilities for University Information Resources

Subject:

Information resources

Scope:

This policy applies to anyone who:

  • uses, accesses, provides, maintains, supports or implements university information resources;
  • is responsible for the security, management or compliance of university information resources;
  • enforces policies and performs investigations related to university information resources.

Date Reviewed: August 2011

Responsible Office: Information Technology

Responsible Executive: Vice President and Chief Information Officer

I.     POLICY AND GENERAL STATEMENT

Information resources are owned by The University of Texas Health Science Center at Houston (“university”) and exist to support the mission of the university.  University information resources must be used, managed and protected appropriately to ensure that university data is: 

University information resources fall under the authority and responsibility of the Chief Information Officer (CIO) and are subject to federal, state, and local laws and regulations, University of Texas System (UT System) policies including UT System Policy UTS 165, and university policies. The Executive Vice President, Chief Operating and Financial Officer delegates the responsibility to department heads for ensuring the university is in compliance with all relevant laws, regulations and policies. The Chief Information Security Officer (CISO) assists department heads by establishing security policies, procedures and guidance for university information resources, published in the IT Policy and Document Repository. The central Information Technology department assists department heads by establishing operations policies, procedures and guidance for university information resources, which are also published in the IT Policy and Document Repository.

University information resources are subject to many different threats that can reduce or eliminate data availability, compromise integrity and violate confidentiality, so it is imperative that they are safeguarded appropriately. Individual users’ actions can contribute to or reduce the risk of most threats, so all users are responsible for their use, management and protection of information resources and are accountable for their actions. All users have one or more roles to fulfill related to university information resources. This policy outlines the university information resource roles and describes the responsibilities of each. University information resource roles and responsibilities are governed by federal, state, and local laws and regulations, UT System policies, and university policies.

II.     DEFINITIONS

University Information Resources – Data, software, equipment, facilities and devices that are designed, built, operated and maintained to create, collect, record, process, store, retrieve, display and transmit university information. Any electronic equipment, devices or media that a user connects to the university network or uses to process or store university information, including equipment, devices or media owned by the user or funded by another source, are considered university information resources for the purpose of compliance with laws, regulations and policies.

Examples:

Applications, web sites, software programs, servers, personal computers, notebook computers, netbook computers, personal digital assistant (PDA), pagers, mobile phones, USB flash drives, external hard drives, CDs, DVDs, backup tape, telephones, fax machines, routers, switches, cabling, network attached data storage, printers, network attached or computer controlled medical and laboratory equipment.

III.     PROCEDURE

All users must identify their university information resource role(s) and accept the associated responsibilities. Role responsibilities cannot be delegated except for the System Owner role as provided below.

Each user, by default, is assigned the User information resource role. Users may have more than one role, and are responsible for reading the role descriptions below, identifying all of their additional roles and meeting the responsibilities of each role. For example, a User who is responsible for a business function that depends on a system may also be a System Owner; a User who is responsible for the implementation of a new system may also be a Project Manager; a User who is responsible for technical support of a system may also be a Custodian.

University Information Resource Roles:

University Information Resource Roles and Responsibilities:

A. User

A User is anyone who is granted access to university information resources.

Examples of Users:

User’s primary responsibilities:

  1. Use university information resources responsibly and for their intended purposes as established by the System Owner; comply with controls established by the System Owner and be accountable for their actions.
  2. Know and comply with published university policies and procedures.
  3. Read and sign the Information Resources User Acknowledgement Form.
  4. Do not share passwords or similar information or devices used for identification and authorization purposes.
  5. Protect data appropriately regardless of the method of access.
  6. Determine if other university information resource roles apply to him or her, accept responsibility for the role(s) and meet the associated responsibilities.
  7. Report information security incidents, including unintentional or intentional misuse, in accordance with Computer Security Incident Response Policy.
  8. Complete required university information resource and security related training.

B. System Owner (Information Owner, Data Owner)

A System Owner is the person responsible for the business function or project that depends on a system. If the system supports multiple business functions, the system owner is the person responsible for carrying out the overall program that the system supports. A system is a university information resource.

Examples of System Owners:

System Owners are typically one organizational level below the positions of President, Executive Vice President, Vice President, Dean, or Executive Director of The University of Texas Harris County Psychiatric Center, and rarely more than two levels below.

System Owner’s primary responsibilities: 

  1. Assume the role of System Owner or delegate the role. Accountability cannot be delegated.
  2. Formally assign/acknowledge the Custodian(s) for the system, including outsourced systems. Approve the level of access the Custodian needs to perform required administration and maintenance and to implement required security controls and procedures.
  3. Ensure the system is in compliance with applicable federal, state, and local laws and regulations, UT System policies, and university policies, procedures and guidance. These include, but are not limited to: the accessibility requirements as set forth in Title 1, Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; university policies, procedures and guidance found in the IT Policy & Document Repository.
  4. If the university information resource is a system containing electronic records subject to the Code of Federal Regulations, Title 21 part 11 (21 CFR part 11), the system owner must demonstrate compliance with the requirements of those regulations.
  5. Determine the system’s value.
  6. Perform a risk assessment annually for mission critical systems and biennially for non-mission critical systems. Identify and document actions required and taken to meet acceptable risk levels.
  7. Classify and secure data appropriately, taking into consideration security or operational controls required to ensure the availability, confidentiality and integrity of the system’s data. Communicate these controls to the Custodian, train the users as needed and confirm the controls are in place on a regular basis.
  8. Document, obtain approval and be accountable for exceptions to security controls. The System Owner must obtain approval for exceptions to security controls from the CISO.
  9. Determine appropriate access for system users based on the minimum necessary access required to perform their assigned job responsibilities. Approve new access assignments and review all assigned access for appropriateness on a regular basis.
  10. Report information security incidents, including unintentional or intentional misuse, in accordance with Computer Security Incident Response Policy.
  11. Create, maintain and train users on a departmental business continuity plan.
  12. Include an adequate disaster recovery plan for the system as part of the departmental business continuity plan; see the Information Security Program. Assure the assigned Custodian has a copy of the disaster recovery plan.
  13. Retain and destroy records in accordance with HOOP Policy 181 Records Management Program.

C. Custodian / Information Security Administrator

A Custodian provides technical facilities and/or hardware, software or application production support services for a university information resource. He or she is assigned by Information Technology management and/or the System Owner and should have the knowledge and experience required to adequately perform the associated responsibilities.

An Information Security Administrator (ISA) is a Custodian that has additional, security-focused responsibilities as outlined in UT System Policy UTS 165. A Custodian is assigned to the additional role of ISA by the System Owner. A third party providing outsourced support cannot be an ISA. The ISA assists the CISO in advancing the Information Security Program as a member of the Information Security Working Group.

Examples of Custodians:

Custodian’s primary responsibilities:

  1. Perform required administration and maintenance of the university information resource.
  2. Implement applicable university information resource policies, procedures and guidance in the IT Policy & Document Repository, including change management and security safeguards and controls.
  3. Report information security incidents, including unintentional or intentional misuse, in accordance with Computer Security Incident Response Policy.
  4. Assist System Owner in performing risk assessments and evaluating the cost effectiveness of controls.
  5. Implement controls specified by System Owner and confirm they are in place as appropriate.
  6. Implement processes that aid in detecting, reporting and investigating security incidents.
  7. Assist System Owners in disaster recovery planning for the university information resource; see the Information Security Program. Maintain a copy of the disaster recovery plan in the appropriate location(s).
  8. Assist System Owners with the destruction of records in accordance with HOOP Policy 181 Records Management Program.

D. Project Manager

A Project Manager for an information technology project is responsible for its entire implementation from concept to rollout, which includes strategic, financial and technical responsibilities, and ensuring the project is built and implemented securely. The implementation includes all or most of the following: procurement, functional and technical specification documentation, development, testing, integration, installation and training. Consideration must also be given to any manual or automated processes the implementation will impact, including other university information resources. An information technology project is any project that includes or relies on a university information resource.

Typical Examples of Project Managers:

Project Manager’s primary responsibilities:

  1. Determine if existing university resources can be used to deliver the information technology project by contacting the university’s central Information Technology department or an established information technology department in a school. The university’s Information Technology department(s) are the preferred provider because they understand the environment, infrastructure, compliance issues and other requirements of the university better than any vendor.
  2. If the information technology project will be outsourced or hosted by a third party and will transmit, process or store university data, refer to the Information Services Provider Security & Compliance Checklist.
  3. Follow the System Development Methodology guideline when implementing information technology projects.
  4. Ensure the information technology project is in compliance with applicable federal, state, and local laws and regulations, UT System policies and university policies, procedures and guidance. These include, but are not limited to: the accessibility requirements set forth in Title 1, Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and the university policies, procedures and guidance found in the IT Policy & Document Repository.
  5. If the university information resource is a system containing electronic records subject to the Code of Federal Regulations, Title 21 part 11 (21 CFR part 11), the system owner must demonstrate compliance with the requirements of those regulations.
  6. Identify, document, and address security requirements in all phases of development or acquisition of a university information resource.
  7. Ensure the university information resource is/will be in compliance with federal, state and local laws and regulations, UT System and university policies and applicable university information resource policies, procedures and guidance published in the IT Policy & Document Repository.

E. IT Infrastructure Owner

An IT Infrastructure Owner is a Custodian of shared technology and is responsible for maintaining and operating hardware and associated software to provide computing services, storage and connectivity for university information resources. IT Infrastructure Owners are information technology professionals who report to the university’s central Information Technology department directly or indirectly through an established information technology department in a school.

Examples of IT Infrastructure Owners include information technology professionals reporting to the following areas:

IT Infrastructure Owner’s primary responsibilities:

  1. Procure, support, maintain and/or operate computing services, storage and connectivity, including but not limited to:

  • Servers
  • Storage systems
  • Internet
  • Intranet
  • Wide Area Ethernet network (clinics and business partner connections)
  • Fire alarm system
  • Security camera systems for University of Texas at Houston Police Department
  • Telephone system
  • Firewalls
  • Intrusion detection/protection

  2. Implement applicable university information resource policies, procedures and guidance published in the IT Policy & Document Repository, including security and change management controls.

F. Chief Information Security Officer (CISO)

The Executive Vice President, Chief Operating and Financial Officer has designated the CISO to serve as the information security officer as required by Title 1, Rule §202.71(d) of the Texas Administrative Code with authority for the entire university. The CISO leads the Information Security and Disaster Recovery Planning department and reports directly to the Executive Vice President, Chief Operating and Financial Officer, with an indirect (“dotted-line”) reporting relationship to the Chief Compliance Officer and the Chief Information Officer. The CISO and the department are assisted by the Information Technology Security Core Team and the departmental Information Security Administrators (ISAs).

CISO’s primary responsibilities:

  1. Develop, oversee the implementation of, and monitor a documented Information Security Program and related security policies and procedures (including monitoring the effectiveness of defined controls for mission critical information). This program is applicable to all university information resources and everyone who has a university information resource role at the university.
  2. Obtain approval of the Information Security Program by the president or his/her designee.
  3. Provide regular reports and updates to the university’s Executive Compliance Committee (ECC) and to UT System. Provide a report to the president (or his/her designee) at least once annually on the status and effectiveness of information resources security controls.
  4. Promote the university information resource security policies, procedures, standards and guidelines applicable to central and decentralized areas of the university.
  5. Work with System Owners, Custodians, ISAs, IT Infrastructure Owners, Project Managers and other information technology professionals to determine security requirements for university information resources and security solution implementations that protect against unauthorized or accidental modification, destruction or disclosure.
  6. Have authority over security solutions and implementation decisions.
  7. Review and approve security requirements for purchases of hardware, software, applications, information services or system development services.
  8. Perform risk assessments to determine if university information resources are adequately protected.
  9. Make policy and procedure changes and practice recommendations as appropriate to improve security posture.
  10. Establish and administer a process to address violations of security policies and procedures.
  11. Exercise authority to issue exceptions to security policies and procedures after appropriate review. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
  12. Obtain access to any university information resource as needed.
  13. Report certain violations to the Triage Team, UT System and/or the Texas Department of Information Resources (DIR) as required.
  14. Ensure information security awareness training is provided to all employees on a regular basis and to all new employees within 30 days of date of hire.

G. Chief Information Officer

The Executive Vice President, Chief Operating and Financial Officer has designated the CIO as the university information resource manager for the university. The CIO is responsible for overseeing the management of the university’s information resources and risk management program.

CIO’s primary responsibilities:

  1. Develop strategic information technology plans and operating and capital budgets for the university to provide reliable and secure university information resources, which include applications and infrastructure supporting the administrative, academic, research and clinical functions of the university.
  2. Promote the university information resource administrative and operational policies, procedures, standards and guidelines applicable to central and decentralized areas of the university.
  3. Promote record management policies and procedures and provide appropriate systems and services for effective and efficient records management capabilities consistent with industry standards and federal, state, and local laws and regulations.
  4. Promote partnerships with internal and external parties, including federal, state and local agencies, UT System, other UT institutions and Houston Medical Center entities.
  5. Serve as the university’s technical representative to the Information Technology Governance Council.
  6. Perform an annual risk assessment for university information resources.
  7. Be responsible for the design, execution and effectiveness of internal controls providing reasonable assurance that operations are effective and efficient, assets are safeguarded, financial information is reliable, and applicable laws, regulations, policies and procedures are met.
  8. Respond to information resource audit recommendations and risk mitigation requirements.

H. Auditing & Advisory Services

Auditing and Advisory Services assesses information resources and the control environment and reports results to management and the Audit Committee. Failure on the part of management to enforce compliance with federal, state and local laws and regulations, UT System policies and university policies may result in fines, penalties and/or review by UT System, review by the Office of the State Auditor, review by federal agencies, or disapproval by the DIR and further action as deemed necessary by the DIR to ensure compliance.

I. Office of Institutional Compliance (OIC)

OIC promotes compliance with all applicable legal, regulatory and policy requirements. The OIC assists the university’s Information Technology department(s) in conducting an annual risk assessment, identifying high risk areas with the assistance of the ECC, developing risk mitigation plans and performing verification activities to ensure the level of information resource risk to the university is within a range acceptable to the ECC.

J. Triage Team

The Triage Team meets regularly to review incidents of suspected non-compliance. The Triage Team is made up of the following permanent members, with others requested to attend as needed:

Triage Team’s primary responsibilities:

  1. The Chief Compliance Officer, in coordination with the Triage Team, investigates or coordinates the investigation of all reports of suspected non-compliance with federal, state or local laws or regulations, UT System policies or university policies.
  2. The Triage Team recommends an appropriate course of action which may include counseling, disciplinary action and/or reporting to another agency as required.
  3. The Triage Team reviews the results of all investigations and recommends further action as necessary.

IV.     CONTACTS

Contact: IT Risk and Compliance Manager
Telephone: 713-486-3608
Email/Web Address: itcompliance@uth.tmc.edu