Skip to Search Skip to Global Navigation Skip to Local Navigation Skip to Content
Handbook of Operating Procedures
Chapter 8 - Facilities and University Services
Publication Date: May 10, 2016
Responsible Executive: VP for Academic Affairs

8.14 Data Owner Policy


I. POLICY STATEMENT


The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. The UTSA Office of Information Security (OIS) and the Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure university computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the Data and Information Resources used to carry out UTSA business.

The Data used, stored and maintained by UTSA is critical to the programs and mission of the university. UTSA is committed to providing direction and support for individuals designated as Data Owners.

II. RATIONALE


This policy sets forth procedures relating to data ownership and Data Owner responsibilities to be followed at UTSA to ensure compliance with Texas Administrative Code 202.71 and The University of Texas System (UT System) Information Resources Use and Security Policy (UTS165).

The terms "Data Owner" and "Data Ownership" reflect the context of UTS165 and TAC202 and do not reflect any context of the same or similar terms related to intellectual property and rights to information under any other UT System policies.  Please note that research and sponsored project data are governed by their own policy - HOP 10.09, Research and Other Sponsored Projects Data or Record Ownership and Retention.


III. SCOPE


This policy applies to all UTSA employees who are designated as a Data Owner.  A Data Owner is required for any business- or mission-critical system or any shared system/project that handles or stores Category I data (See Data Classification information below).


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter8/8-14.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


UTSA or UT System Policies or the Board of Regents' Rules & Regulations

  1. UTSA HOP policy 8.15, Acceptable Use Policy
  2. UT System Policy UTS165, UT System Information Resources Use and Security Policy
  3. UT System Policy UTS178, Required Reporting of Significant Events 

Other Policies & Standards

  1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C
  2. Higher Education Opportunity Act of 2008

VI. CONTACTS


If you have any questions about HOP policy 8.14, Data Owner, contact one of the following offices: 

Office of Information Security
210-458-4555
informationsecurity@utsa.edu

Office of Information Technology
210-458-4555
oitconnect@utsa.edu


VII. DEFINITIONS


A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS 165, Information Resources Use and Security Policy.

Data: Information which is recorded - regardless of form or media – that is used to support the business of the University, whether in an administrative or research capacity.  Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images) or other format.

Data Classification: At UTSA, Data is classified as Category I (confidential), Category II (controlled) or Category III (published/public data), with each category subject to its own protection requirements and processes.  More information, including definitions, protection requirements and examples of Data can be found in the Standard for Data Classification.

Data Custodian: An employee who is responsible for day-to-day maintenance of UTSA Information Resources. The Data Custodian shall implement approved mitigation strategies and adhere to information security policies and procedures to manage Information Resources in their care.  In some instances, this responsibility is assigned to a third-party vendor or Office of Information Technology (OIT).  

Data Owner: The manager or agent responsible for the business function supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program using the Information Resources. The Data Owner shall perform a security risk assessment on an annual basis.  They shall identify, recommend and document acceptable risk levels for Information Resources under their authority.

Information Resources (IR): The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.  This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices,  pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment ( e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services .

Information Security Administrator (ISA): A staff member who, in close cooperation with the OIS, provides assistance with the implementation and administration of information security initiatives and Data Owner security needs.

Information Security Officer (ISO): Staff member responsible for providing and administering the overall information security program for all centrally maintained and all distributed systems and computer equipment.

Information Security Risk Assessment:  A process where Information Resources are evaluated to identify potential threats that could affect the operation and security of those resources, the likelihood of their occurrence and the impact if the threat is realized. 

Information System: An interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, information, Data, applications, communications and people.
 
InSight Application: The InSight application provides a dashboard for all Data Owners which displays Data relating to the implementation of Information Resources policies and standards. https://insight.utsa.edu

Mission-critical Information Resource: An Information Resource defined by an entity to be essential to that entity's function and that, if made unavailable, will inflict substantial harm to the entity and the entity's ability to meet its instructional, research, patient care or public service missions.  More information, including a list of systems identified as "mission-critical" can be found in the Standard for Data Owners.

Server: A computer system that provides shared resources on the network (For example, Web server, print server, file server).

User: An individual,  who is authorized by the Data or Information Owner to access the information resource, in accordance with the Data Owner's procedures and rules. The User is any person who has been authorized by the Data Owner to read, enter, or update that information whether done individually or through facilitation or responsibility for an automated application or process. The User is the single most effective control for providing adequate security.


VIII. RESPONSIBILITIES


  1. Data Owner
    1. Assigns custody of Information Resource assets and provides appropriate authority to implement security controls and procedures. These assignments must be included in assigned parties' job descriptions, performance evaluations and/or related contracts.
    2. Ensures the physical security of the computers (servers, workstations, laptops, etc.) under his/her responsibility.
    3. Performs annual Information Security Risk Assessment for Information Resources under his/her responsibility.
    4. Specifies appropriate controls, based upon the Information Security Risk Assessment, Data Classification and value, to protect Information Resources from unauthorized modification, deletion or disclosure. Controls will extend to Information Resources and services outsourced by UTSA.
    5. Approves, justifies, documents and is accountable for exceptions to security controls.
    6. Identifies and assigns Information Security Assessment (ISA).
    7. Confirms that controls are in place to ensure the confidentiality, integrity and availability of Data and other assigned Information Resources.
    8. Reviews status of compliance with all information technology policies and procedures and provides appropriate direction to the ISA and Data Custodians for implementation.
    9. Attends, or sends a delegate to attend, special Data Owner meetings and completes University-sponsored training related to Data Ownership.
    10. Ensures that metrics in InSight under his/her responsibility remain at or above stated UTSA goals. The responsibility for this function may be delegated to another staff member within the department.
    11. Ensures Data retention periods in accordance with UTSA’s Records Retention Schedule are established and adhered to for all Data under his/her ownership, including assurance that Data is being purged once retention periods have expired.
    12. Ensures any third parties contracted to maintain University Information Resources under his/her ownership comply with UTSA information security policies. This includes adding appropriate wording in contracts, conducting independent audits and required monitoring and metrics reporting.
    13. Determines the asset’s value.
    14. Specifies Data control requirements and conveys them to users and custodians.
    15. Reviews access lists based on documented security risk management decisions.
    16. The Data Owner, with the concurrence of the institution of higher education head or his or her designated representative(s), is responsible for classifying business functional information.
  2. Data Custodian
    1. Implements the controls specified by the Data Owner(s).
    2. Implements and complies with all information technology policies and procedures relating to assigned systems, including those required to maintain compliance with all InSight metrics.
    3. Provides physical, technical and procedural safeguards for the Information Resources.
    4. Backs up data in accordance with risk management decisions and secures back up media.
    5. Assists Data Owners in evaluating the cost-effectiveness of controls and monitoring.
    6. Implements monitoring techniques and procedures for detecting, reporting and investigating Security Incidents.
  3. Information Security Administrator (ISA)
    1. Implements and complies with all information technology policies and procedures relating to assigned systems.
    2. Assists Data Owners in performing annual Information Security Risk Assessments for Mission Critical Information Resources.
    3. Reports information Security Incidents to the ISO.
    4. As a member of the ISA Work Group, assists the ISO in developing, implementing and monitoring the Information Security Program.
    5. Assists the Data Owner in maintaining metrics in InSight at or above UTSA’s stated goals.
    6. Monitors security policy and procedures changes and informs his/her Data Owners of changes so the Data Owners can make adjustments as necessary.
    7. Acts as liaison between the departments, Data Owners and the Information Security Program.

IX. PROCEDURES


  1. Data Owner General Procedure
    1. Data Owners will use physical controls, software and other methods to protect and monitor access to Data and/or systems that host that Data.
    2. Data Owners, Data Custodians and Users of Information Resources will be identified and their responsibilities defined and documented.
    3. In cases where Information Resources are used by more than one major business function, the Data Owners will reach consensus and advise the ISO of the designated owner responsible for the Information Resources. Any changes to the data schema (adding or removing data elements) must be reviewed and approved by the Data Owner.
    4. The Data must be retained based on the Data retention period set out in UTSA’s Records Retention Schedule.
    5. University Data must not be stored on personally-owned devices.

Additional information can be found in the Standard for Data Owners. This standard contains more information on the Data Owner General Procedure. 

  1. Access Management
    1. All accounts that access UTSA information must be managed according to access management principles as specified in the associated standard. The level of authorized access for an individual account must be based on the Principle of Least Privilege - that is, an individual may be granted access to only the information needed to perform the required duties. Access to Information Resources and applications is determined and granted by the delegated individual(s) in faculty or staff member’s department.
    2. All accounts will be uniquely identifiable and will be assigned to an individual. Account names may not be re-assigned or changed under any circumstances.
    3. Accounts will be changed to reflect the modification of privileges if an employee or a student changes roles within UTSA.
    4. Commensurate with risk and reasonable practice, accounts must be reviewed regularly to ensure currency of the privileges.
    5. Password aging and expiration dates must be enabled for all special accounts granted to outside vendors, contractors and those with contractually limited access.  The department or application owner that grants access to a special account is responsible for this task.

Additional information can be found in the Standard for Account Management.  This standard contains a discussion of other account management procedures applicable to Data Owners. 

  1. Information Security Risk Assessments
    1. Departments and Data Owners who manage Information Resources must conduct formal risk assessments to identify potential problems that may affect the operation and security of assigned Information Resources.
    2. The staff members who perform the Information Security Risk Assessment will work with the Data Owner/department head and the OIS to identify controls that will provide protection and/or recovery from loss, exposure or inappropriate modification of the Data.
    3. The strategy report that results from the Information Security Risk Assessment will be submitted to the Information Security Officer (ISO) and will cover the planning and control for the most critical risks.
    4. The ISO will incorporate the strategy reports into a University-wide framework.
    5. Information Security Risk Assessments will be performed on a regular basis at an appropriate unit level, summarized and provided to upper organization levels.
    6. The Data Owner will review and update the Information Security Risk Assessment on a regular basis. ISAs will provide assistance as needed.
    7. Copies of the risk assessments/updates and executive summaries will be provided to the OIS.

Additional information can be found in the Standard for Information Security Risk Assessment. This standard contains definitions of terms used in this paragraph (staff members, regular basis, etc.) and more information on procedures. 


X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


Classifying your data: Data Classification Examples
All student grades must be stored in Blackboard – Memo from Provost, December 2013

None


XII. APPENDIX


None