Handbook of Operating Procedures
Chapter 8 - Facilities and University Services
Publication Date: December 12, 2014
Responsible Executive: VP for Academic Affairs


8.16 Information Security Administrator Policy


I. POLICY STATEMENT


The University of Texas at San Antonio (UTSA) relies significantly on a wide variety of Information Resources to achieve its missions. The UTSA Office of Information Security (OIS) and the UTSA Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure university computing environment. In order to maintain the security and integrity of the computing infrastructure, every effort must be made to protect the data, intellectual property and Information Resources used to carry out UTSA business.

OIS can manage UTSA's security program more effectively by including Information Security Administrators (ISAs), staff members from colleges and/or departments, who assist with the implementation and administration of information security initiatives and Data Owner security needs.


II. RATIONALE


The Information Security Administrator program is mandated by The University of Texas System (UT System) Information Resources Use and Security Policy (UTS165).


III. SCOPE


This policy applies to all UTSA staff members who have been designated as an ISA by their department, college or Data Owner and manage a shared Information Resource. Shared resources may include printers, servers and network drives.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter8/8-16.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


UTSA or UT System Policies or the Board of Regents' Rules & Regulations

  1. UT System Policy INT124, Information Resources Acceptable Use and Security Policy
  2. UT System Policy UTS165, UT System Information Resources Use and Security Policy
  3. UT System Policy UTS178, Required Reporting of Significant Events 
  4. UTSA HOP policy 8.15, Acceptable Use Policy

Other Policies & Standards

  1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C

VI. CONTACTS


If you have any questions about HOP policy 8.16, Information Security Administrator, please contact the following office: 

Office of Information Technology (OIT) or Office of Information Security (OIS)
(210) 458-4555


VII. DEFINITIONS


A full list of definitions related to Information Resources Acceptable Use can be found in UT System Policy UTS165, Information Resources Use and Security Policy.

Access Control List: A list of individuals and their general level of access to information resources.

Data Custodian: An employee who is responsible for day-to-day maintenance of UTSA Information Resources. In some instances, this responsibility is assigned to a third-party vendor or OIT.  

Data Owner: The manager or agent responsible for the business function supported by the Information Resource or the individual upon whom responsibility rests for carrying out the program using the Information Resources. 

Information Resources: The procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.

Information Security Administrator (ISA): A staff member who, in close cooperation with the OIS, provides assistance with the implementation and administration of information security initiatives and Data Owner security needs.

Information Security Incident: An event which results in unauthorized access, loss, disclosure, modification, disruption or destruction of information resources, whether accidental or deliberate.

Information Security Officer (ISO): Staff member responsible for providing and administering the overall information security program for all centrally maintained and all distributed systems and computer equipment.

Information Security Risk Assessment: A review of information resources that analyzes the potential loss of data and the probability that data may be lost.

Information System: An interconnected set of Information Resources under the same direct management control that shares common functionality. An Information System normally includes hardware, software, information, data, applications, communications and people.

VIII. RESPONSIBILITIES


  1. Information Security Administrator (ISA)
    1. Implements and complies with all information technology policies and procedures relating to assigned systems.
    2. Assists Data Owners in performing annual Information Security Risk Assessments for Mission Critical Information Resources.
    3. Reports Information Security Incidents to the ISO.
    4. As a member of the ISA Work Group, assists the ISO in developing, implementing and monitoring the Information Security Program.
    5. Assists the Data Owner in maintaining metrics in InSight at or above UTSA’s stated goals.
    6. Monitors security policy and procedures changes and informs his/her Data Owners of changes so the Data Owners can make adjustments as necessary.
    7. Acts as liaison between the departments, Data Owners and the Information Security Program.
  2. Information Security Officer
    1. Approves the appointment of all ISAs.
    2. Requires that each ISA performs an annual Information Security Risk Assessment.
    3. Holds regularly scheduled meetings with ISAs to discuss information security.  Meetings are scheduled by OIT and ISAs are notified of the meeting times.
    4. Ensures that ISAs are adequately trained on information security requirements.
    5. Works with the Data Owners to ensure compliance with the Data Owner policy.
  3. Data Owner
    1. Assigns one or more ISAs in support of their Data Owner responsibilities.
    2. Ensures that the ISA(s) perform(s) Information Security Risk Assessment(s) on a regular basis.
    3. Holds regularly scheduled meetings with ISAs to discuss information security.
  4. Data Custodian
    1. Implements and complies with all information technology policies and procedures relating to assigned systems, including those required to maintain compliance with all metrics defined in the InSight application.
    2. Implements the controls specified by the Data Owner(s).
    3. Provides physical, technical and procedural safeguards for the Information Resources.
    4. Backs up Data in accordance with risk management decisions and secures Backup media.
    5. Assists Data Owners in evaluating the cost-effectiveness of controls and monitoring.
    6. Implements monitoring techniques and procedures for detecting, reporting and investigating Security Incidents.

IX. PROCEDURES


  1. General Procedure for Information Security Administrators
    1. The program for ISAs is designed to complement the information security program and to augment the protection of data and computing resources by identifying, training and assisting qualified representatives in the departments of the University that have a staff member who is a Data Owner.
    2. The ISA must be appointed by the department head or the principal investigator of a grant. If needed, an Information Technology Associate may function as the ISA for a department, as long as that person is qualified, on the basis of criteria established by the department and/or the ISO. Small departments may share the services of one ISA, if approved by the ISO.
    3. ISAs must be properly trained for their function. These individuals perform critical security tasks, which if not performed correctly, can lead to costly information security breaches. A department unable to provide or obtain appropriate technical training for the ISA should not host departmental information systems and data such as a specific computer application or server maintained by the department.  Those functions should be moved to the institution’s central IT organization or be outsourced to an organization capable of providing professional services in a secure environment.  OIS can provide assistance with training requirements.
    4. The ISA will attend all regularly-scheduled ISA meetings and training sessions conducted by OIS, unless work schedule precludes attendance.
    5. The ISA, with assistance from the Data Owner, will conduct an initial inventory of software, hardware and secured facilities under his/her responsibility. The inventory document will be provided to OIS.
    6. The ISA will review, on a regular basis, the Access Control Lists (ACLs) for the resources under his/her responsibility. Each ACL consists of (at minimum) the names of individuals and their general level of access to the resource; the review compares the ACL entries against the computer logs to confirm that the listed access is current.
    7. The ISA will maintain the inventory and ACL documents for the Data Owner.

Additional information can be found in the Standard for Information Security Administrators. This standard contains definitions of terms used in this section and general procedures. 

  2. Access Management
    1. All accounts that access UTSA information must be managed according to the access management principles specified in the associated standard. The level of authorized access for an individual account must be based on the Principle of Least Privilege: an individual may be granted access only to the information needed to perform the required duties. Access to information resources and applications is determined and granted by the delegated individual(s) in the faculty or staff member's department.
    2. All accounts will be uniquely identifiable and will be assigned to an individual. Account names may not be re-assigned or changed under any circumstances.
    3. Accounts will be changed to reflect the modification of privileges if an employee or a student changes roles within UTSA.
    4. Commensurate with risk and reasonable practice, accounts must be reviewed regularly to ensure currency of the privileges.
    5. Password aging and expiration dates must be enabled for all special accounts granted to outside vendors, contractors and those with contractually limited access. The department or application owner that grants access to a special account is responsible for this task.

Additional information can be found in the Standard for Account Management. This standard contains other procedures that apply to access management for Data Owners.

  3. Information Security Risk Assessments
    1. Departments and Data Owners who manage Information Resources must conduct formal risk assessments to identify potential problems that may affect the operation and security of assigned Information Resources.
    2. The staff members who perform the Information Security Risk Assessment will work with the Data Owner/department head and the OIS to identify controls that will provide protection and/or recovery from loss, exposure or inappropriate modification of the Data.
    3. The strategy report that results from the Information Security Risk Assessment will be submitted to the ISO and will cover the planning and control for the most critical risks.
    4. The ISO will incorporate the strategy reports into a university-wide framework.
    5. Information Security Risk Assessments will be performed on a regular basis at an appropriate unit level, summarized and provided to upper organization levels.
    6. The Data Owner will review and update the Information Security Risk Assessment on a regular basis. ISAs will provide assistance as needed.
    7. Copies of the risk assessments/updates and executive summaries will be provided to the OIS.

Additional information can be found in the Standard for Information Security Risk Assessment. This standard contains definitions of terms used in this section and a list of other procedures that apply to risk assessment. 


X. SPECIAL INSTRUCTIONS FOR INITIAL IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


Faculty as Information Security Administrators: More information


XII. APPENDIX


None