Roles and Responsibilities
The program for information security at UTSA is based on technologies, user awareness and user participation. According to System-wide policy, Information Resources Acceptable Use and Security (UTS 165), each member of the community has defined duties in this program. This list assigns responsibilities according to UTS 165; some have been augmented with duties specific to UTSA.
Chancellor
- Budgets sufficient resources to fund ongoing and continuous information security remediation, implementation and compliance activities that reduce compliance risk to an acceptably low level.
- Ensures that appropriate corrective and disciplinary action is taken in the event of non-compliance.
Chief Administrative Officer (President)
- Ensures the Entity’s compliance with this Policy.
- Budgets sufficient resources to fund ongoing and continuous information security remediation, implementation and compliance activities that reduce compliance risk to an acceptably low level.
- Approves the Institutional Information Security Program, or designates someone to provide this approval.
- Ensures that appropriate corrective and disciplinary action is taken in the event of non-compliance.
- Designates an individual other than the Information Resource Manager to serve as the Information Security Officer (ISO), who shall serve in the capacity required by state law and with authority for that entire Entity.
Chief Information Security Officer (UT System)
- Provides leadership, strategic direction, and coordination for the U. T. System-wide information security initiative, including issuing security practice bulletins relating to standards and best practices.
- Establishes the U. T. System CISO Council and holds meetings at least quarterly.
- Develops and provides oversight for a U. T. System-wide Information Security Compliance Program.
- Provides guidance on the institutional Information Security Program, including organizational duties and responsibilities, covered activities, authority to act, terminology definitions, standard methodologies, and minimum standards.
- Defines the risk management process to be used for all information security risk management activities.
- Explores and recommends the acquisition of tools and resources that can be utilized U. T. System-wide and how expertise can be shared among Entities.
- Establishes reporting guidance, metrics, and timelines and monitors effectiveness of security strategies at each Entity.
- Apprises the Chancellor and the Board of Regents quarterly on the status and effectiveness of the information security compliance programs and activities at each Entity.
Department Head and Principal Investigator
- Complies with this Policy as it relates to Non-Research and Research Data respectively under their control, including when holding subcontracts for projects in which the prime award is at another institution or agency.
Entity (UTSA)
- Designates responsibility for the information security function by documenting key roles and responsibilities.
- Performs a risk analysis of Information Resources per Texas Administrative Code 202.72.
- Develops a plan for identifying Digital Data that is Sensitive.
- Manages and protects the confidentiality and integrity of Sensitive Digital Data.
- Controls and monitors access to its Sensitive Digital Data based on data sensitivity and risk.
- Discontinues use of the social security number as an individual’s primary identification number.
- Uses and collects social security numbers only as reasonably necessary for the proper administration or accomplishment of the institution's business, governmental, educational and medical purposes.
- Assigns a unique identifier to each applicant, student, employee, insured dependent, research subject, patient, alumnus, donor, contractor, and other individual who becomes associated with the institution, at the earliest possible point of contact with the institution.
- Provides the notice required by Section 7 of the Federal Privacy Act of 1974 and by Section 559.003 of the Texas Government Code each time it requests that an individual initially disclose his or her social security number.
- Limits and monitors access to records containing social security numbers to those employees who need to see the number for the performance of their job responsibilities.
- Follows procedures to report incidents involving computer security, as required by State or Federal law.
- Reports to the U. T. System CISO incidents involving computer security that compromise the security, confidentiality, or integrity of Sensitive Digital Data or Personal Identifying Information it maintains.
- Discloses, in accordance with applicable federal and state law, incidents involving computer security that compromise the security, confidentiality, or integrity of Personal Identifying Information it maintains to any resident of Texas and to Data Owners whose Personal Identifying Information was, or is reasonably believed to have been, acquired without authorization.
- Adheres to policies, standards and/or procedures governing the secure transmission of Confidential Data via public networks.
- Provides computer security awareness training.
- Ensures that the protection of Information Resources (including data confidentiality, integrity, and accessibility) is considered during the development or purchase of new computer applications.
- Ensures that information technology outsourcing contracts address security, backup and privacy requirements, and include right-to-audit or other provisions that provide appropriate assurance that applications and Data will be adequately protected.
- Monitors Information Resources.
Entity Office With Designated Responsibility For Network and Application Account Creation
- Manages accounts in accordance with the institution’s information security policies, standards, and/or procedures.
- Approves all access methods, installation of all network hardware connected to the local-area network, and the methods and requirements for attachment of any non-U. T. System-owned computer systems or devices to the U. T. System network.
Entity Office Charged With Supporting Information Resources (OIT)
- Formalizes best-practice change management processes into practice standards.
- Requires compliance from all individuals who manage Information Systems or applications.
- Provides support, guidance and problem resolution to department heads and principal investigators.
Information Security Administrator (Department)
- Implements and complies with all information technology policies and procedures relating to assigned systems.
- Performs an annual information security risk assessment for Mission Critical Information Resources.
- Reports general computing and security incidents to the institutional ISO.
- Assists the ISO, as a member of the ISA Work Group, in developing, implementing, and monitoring the Information Security Program.
- Establishes reporting guidance, metrics, and timelines for ISOs to monitor the effectiveness of security strategies in both the centralized and decentralized operations.
- Reports at least annually to the ISO on the status and effectiveness of information resources security controls.
Information Security Officer
- Provides information security for all centrally maintained and all distributed systems and computer equipment.
- Develops a full-scale institutional Information Security Compliance Program.
- Conducts and documents an information security risk assessment annually, in accordance with 1 TAC 202.72, that identifies Mission Critical Information Resources in the central and all decentralized areas.
- Ensures an annual information security risk assessment is performed by each Owner of Mission Critical Information Resources.
- Requires each Owner of Mission Critical Information Resources to designate an Information Security Administrator (ISA).
- Establishes an Institutional Information Security Working Group composed of ISAs and holds meetings at least quarterly.
- Documents and maintains an up-to-date Institutional Information Security Program.
- Establishes reporting guidance, metrics, and timelines and monitors the effectiveness of security strategies in both central and decentralized operations.
- Communicates instances of non-compliance to appropriate administrative officers for corrective, restorative and/or disciplinary action.
- Reports quarterly to the U. T. System CISO the current status of the information security risk assessment and Information Security Program, including any significant incidents, situations of non-compliance, barriers to program execution, and planned remedies.
- Specifies and requires the use of appropriate security software, such as anti-virus, firewall, configuration management, and other security-related software, on computing devices owned, leased, or under the custodianship of any department, operating unit, or individual serving in the role of an employee of the Entity, as deemed necessary by the ISO to provide appropriate information security across the whole of the Entity.
- Ensures that ISAs and Data Owners are properly trained on information security requirements.
(This section has been modified to include specific UTSA information.)
Institutional Compliance and Internal Audit
- Provides high-level monitoring of the Information Security Compliance program through inspections and verifications of reported information and periodic audits, respectively.
Owner
- Grants access to the Information System under his/her responsibility.
- Classifies Digital Data based on Data sensitivity and risk.
- Backs up Data under his/her responsibility in accordance with risk management decisions and secures backup media.
Added section from TAC 202:
- Specifies data control requirements and conveys them to users and custodians.
- Specifies appropriate controls, based on a risk assessment, to protect the state’s information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the state agency.
- Confirms that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources.
- Assigns custody of information resources assets and provides appropriate authority to implement security controls and procedures.
- Approves, justifies, documents, and is accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the agency information security officer or other person(s) designated by the state agency.
(This section has been modified to include specific UTSA information.)
- Designates an individual to serve as an Information Security Administrator (ISA) to implement information security policies and procedures and to report incidents to the ISO.
- Performs an annual information security risk assessment.
Person accessing UT System Information Resources
- Complies with this Policy.
- Formally acknowledges and abides by the institution’s acceptable use policies.
- Adheres to prudent and responsible Internet use practices as outlined in the institution’s policies associated with Information Resources acceptable use.
Vendor
- Adheres to all state and federal laws and Regents’ Rules pertaining to the protection of Information Resources and the privacy of sensitive information.
- Complies with all applicable U. T. System rules associated with this Policy, practice standards and agreements, and adheres to Federal and State laws to which U. T. System must adhere.
- Represents, warrants and certifies that it will hold all U. T. System Sensitive Data in the strictest confidence.
Last revised: October 15, 2010