Handbook of Operating Procedures
Chapter 11 - Information Technology
Previous Publication Date: May 10, 2016
Publication Date: August 2, 2022
Policy Reviewed Date: November 21, 2023
Policy Owner: VP for Information Technology


11.02 Data Owner


I. POLICY STATEMENT


Data Owners are the individuals officially designated as the employees responsible for specific non-research Data that is transmitted, used, and/or stored on Information Technology Resources. It is the policy of The University of Texas at San Antonio (UTSA) that Data Owners exercise reasonable efforts to preserve and safeguard all Data as outlined in all UTSA policies, comply with requirements of international, federal and state privacy laws, and refrain from unauthorized disclosure of Data. UTSA is committed to providing direction and support for Data Owners.


II. RATIONALE


  1. This policy sets forth procedures relating to non-research Data Owner responsibilities to be followed at UTSA to ensure compliance with Texas Administrative Code 202.71 (TAC 202) and The University of Texas System (UT System) Information Technology Resources Use and Security Policy (UTS165).
  2. Research and sponsored project Data are governed by a separate policy, Handbook of Operating Procedures (HOP) 10.09, Research and Other Sponsored Projects Data or Record Ownership and Retention.
  3. In addition, the terms "Data Owner" and "Data Ownership" do not refer to intellectual property or other rights to information under any other UT System or UTSA policies.

III. SCOPE


This policy applies to all UTSA employees who are designated as a Data Owner. A Data Owner is required for any non-research Data on Information Technology Resources, or any shared system/project that handles or stores Data.


IV. WEBSITE ADDRESS FOR THIS POLICY


http://www.utsa.edu/hop/chapter11/11.02.html


V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS


  1. University of Texas System Policies or the Board of Regents' Rules & Regulations
    1. UTSA HOP Policy 11.03, Acceptable Use Policy.
    2. UT System Policy UTS 165, UT System Information Technology Resources Use and Security Policy.
    3. UT System Policy UTS 178, Required Reporting of Significant Events.
  2. Other Policies and Standards
    1. Title 1 Texas Administrative Code, Part 10, Chapter 202, Subchapter C.
    2. Higher Education Opportunity Act of 2008.

VI. CONTACTS


If you have any questions about Handbook of Operating Procedures policy 11.02, Data Owner, contact one of the following offices:

  1. Office of Information Security
    210-458-7974
    informationsecurity@utsa.edu
  2. UTSA Tech Solutions
    210-458-4555
    TechCafe@utsa.edu  

VII. DEFINITIONS


  1. Asset Management Portal
    1. The Asset Management Portal (Insight) is a repository and dashboard which displays Data relating to the implementation of Information Technology Resources policies and standards in accordance with the support of Standard for Configuration and Asset Management.
  2. Data
    1. Information that is recorded, regardless of form or media, that is used to support the mission of UTSA, whether in an administrative or educational capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats on UTSA Information Resources.
  3. Data Classification
    1. At UTSA, Data is classified as Category I (confidential), Category II (controlled), or Category III (published/public data), with each category subject to its own protection requirements and processes. More information, including definitions, protection requirements, and examples of Data can be found in the Standard for Data Classification.
  4. Data Custodian
    1. The Data Custodian is responsible for the day-to-day maintenance of UTSA Information Technology Resources. In some instances, this responsibility is assigned to a Department, Vice President Unit, College employee, a third-party vendor, or University Technology Solutions.
  5. Data Owner
    1. The manager or agent responsible for the business function supported by the Information Technology Resource or the individual upon whom responsibility rests for carrying out the program using the Information Technology Resources.
  6. Data User
    1. With authorization from the Data Owner, the Data User is any person who accesses, reads, enters, or updates information and/or Information Technology Resources, whether done individually, through facilitation, or through responsibility for an automated application or process.
  7. Department
    1. The office in which the Data Owner primarily conducts business. The Department may be an individual office, a suite of offices, or a college within UTSA.
  8. Information Security Administrator
    1. A designated staff member or Data Custodian for each Department who, in close cooperation with the Office of Information Security (OIS), is assigned to implement and administer information security initiatives and assist other Data Custodians and/or Data Owners within the respective Department with any security needs.
  9. Information Security Risk Assessment
    1. A process where Information Technology Resources are evaluated to identify potential threats that could affect the operation and security of those resources, the likelihood of their occurrence, and the impact if the threats are realized.
  10. Information Technology Resources
    1. The procedures, equipment, facilities, software, digital applications, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers, digital applications and hosted services.

VIII. RESPONSIBILITIES


  1. Data Owner
    1. Assigns custody of Information Technology Resources and provides appropriate authorization to implement security controls and procedures. These assignments must be included in Data Owner’s job descriptions, performance evaluations, and/or related contracts.
    2. Ensures the physical security of the Information Technology Resources (servers, workstations, laptops, etc.) under their responsibility.
    3. Identifies, recommends, and documents acceptable risk levels for Data and Information Technology Resources under their authority and shall perform a security risk assessment on an annual basis specifying appropriate controls to protect Information Technology Resources from unauthorized modification, deletion, or disclosure. Controls will extend to Information Technology Resources outsourced by UTSA and controlled by third-party Data Custodians.
    4. Confirms that controls are in place to ensure the confidentiality, integrity, and availability of Data and other assigned Information Technology Resources.
    5. Approves, justifies, documents, and is responsible for exceptions to security controls.
    6. Reviews the status of compliance with all UTSA Tech Solutions policies and procedures and provides appropriate direction to the Information Security Administrator and Data Custodians for implementation.
    7. Attends, or sends a delegate to attend, special Data Owner meetings and completes UTSA-sponsored training related to Data Ownership.
    8. Ensures that metrics in Asset Management Portal under their responsibility remain at or above stated UTSA goals. The responsibility for this function may be delegated to another staff member within the Department.
    9. Ensures Data retention in accordance with UTSA’s Records Retention Schedule is established and adhered to for all Data under their ownership, including assurance that Data is being purged once retention periods have expired.
    10. Complies with UTSA Security Standards and contract policies when procuring Information Technology Resources to ensure appropriate security, access, and control of Data and require monitoring and metrics reporting.
    11. Determines the asset’s added dollar value.
    12. Specifies Data control requirements per UTSA and UT System policies and conveys the requirements to Data Users, Information Security Administrators, and Data Custodians.
    13. Reviews access lists based on documented security risk management decisions.
    14. Properly classifies Data per the Standard for Data Classification and any related business functional information.
  2. Data Custodian
    1. Implements the controls specified by the Data Owner(s).
    2. Implements and complies with all information security and contract policies and procedures relating to assigned Information Technology Resources, including those required to maintain compliance with all Asset Management Portal metrics.
    3. Provides physical, technical, and procedural safeguards for Information Technology Resources.
    4. Backs up Data in accordance with risk management decisions and secures backup media.
    5. Assists Data Owners in evaluating the cost-effectiveness of controls and monitoring.
    6. Implements monitoring techniques and procedures for detecting, reporting, and investigating Security Incidents.
  3. Information Security Administrator
    1. Implements the controls specified by the Data Owner(s).
    2. Implements and complies with all information security and contract policies and procedures relating to assigned Information Technology Resources, including those required to maintain compliance with all Asset Management Portal metrics.
    3. Provides physical, technical, and procedural safeguards for Information Technology Resources.
    4. Backs up Data in accordance with risk management decisions and secures backup media.
    5. Assists Data Owners in evaluating the cost-effectiveness of controls and monitoring.
    6. Implements monitoring techniques and procedures for detecting, reporting, and investigating Security Incidents.
    7. Assists Data Owners in performing annual Information Security Risk Assessments for Information Technology Resources.
    8. Reports Information Security Incidents to OIS.
    9. Assists the Chief Information Security Officer in developing and implementing information security programs and monitoring Information Technology Resources.
    10. Assists the Data Owner in maintaining metrics in the Asset Management Portal at or above UTSA’s stated goals.
    11. Monitors security policy and procedures changes and informs Data Owners of changes so the Data Owners can adjust, as necessary.
    12. Acts as a liaison between the Department, Data Custodians, Data Owners, and the OIS.

IX. PROCEDURES


  1. Information Security Risk Assessment
    1. Data Owners who manage Information Technology Resources must conduct an initial and, thereafter, an annual Information Security Risk Assessment to identify potential problems that may affect the operation and security of assigned Information Technology Resources.
    2. The Data Owner will consult with the Department, the Information Security Administrator, and/or the OIS, as necessary.
    3. The Information Security Risk Assessment will identify controls that will provide protection and/or recovery from loss, exposure, or inappropriate modification of the Data. The Information Security Risk Assessment will also address the most critical risks.
    4. The Data Owner will submit the Information Security Risk Assessment to the Chief Information Security Officer and OIS.
    5. The Chief Information Security Officer will incorporate the strategy reports into a UTSA-wide framework.
    6. Additional information and forms can be found in the Standard for Information Security Risk Assessment and mySecurity.

X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION


None


XI. FORMS AND TOOLS/ONLINE PROCESSES


  1. Classifying your data:
    1. Data Classification Examples.

XII. APPENDIX


None


XIII. DATES APPROVED/AMENDED


08-02-2022
05-10-2016