Chapter 11 - Information Technology
Previous Publication Date: June 24, 2005
Publication Date: August 2, 2022
Policy Reviewed Date: November 21, 2023
Policy Owner: VP for Information Technology
11.01 Information Technology Resources Use and Security
I. POLICY STATEMENT
At The University of Texas at San Antonio (UTSA), the protection of Data and Information Technology Resources within its academic, research, and administrative environments is not only required by various contracts and state, federal and international privacy laws, but it is also critical to the advancement of UTSA’s mission and strategic plans. Accordingly, the UTSA community must avoid compromise, degradation, and disruption of information services vital to the work of faculty, staff, students, guests, and external individuals or organizations. Towards that end, UTSA Tech Solutions promotes the widest possible access, appropriate use, and integrity of its Information Technology Resources through awareness programs, training, and technical and physical protective measures.
II. RATIONALE
While UTSA has the primary responsibility of maintaining and developing the security of UTSA Information Technology Resources, every Data User shares that responsibility and is responsible for understanding the legal and ethical standards expected for its use. In exercising its responsibilities, UTSA reserves the right to limit or restrict use based on privacy laws, institutional priorities, contracts, and financial considerations. UTSA may also limit or restrict use when violations of UTSA policy, contractual agreements, or privacy laws require limitation or restriction to protect UTSA Information Technology Resources.
III. SCOPE
This policy applies to all Data Users of UTSA Information Technology Resources, which includes but is not limited to faculty, staff, students, guests, and external individuals or organizations. This policy also applies regardless of the ownership of the equipment used to access UTSA Information Technology Resources (i.e., a person or company accessing UTSA Information Technology Resources on non-UTSA equipment is still subject to this policy).
IV. WEBSITE ADDRESS FOR THIS POLICY
http://www.utsa.edu/hop/chapter11/11.01.html
V. RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS
- Family Educational Rights and Privacy Act of 1974, as amended in 2000.
- Copyright Act of 1976, as amended.
- Foreign Corrupt Practices Act of 1977, as amended in 1988.
- Computer Fraud and Abuse Act of 1986, as amended in 1996.
- Computer Security Act of 1987.
- The Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health Act and the Privacy, Security and Breach Notification Regulations at 45 Code of Federal Regulations §§ 160 and 164.
- USA Patriot Act of 2001.
- The Texas Public Information Act.
- Texas Government Code, Section 441.
- Texas Administrative Code section 202.
- Information Resource Management Act, Texas Government Code section 2054.075(b).
- Texas Penal Code, Chapters 33 and 33A.
- Texas Department of Information Resources Practices for Protecting Information Resources Assets.
- Texas Department of Information Resources Standards Review and Recommendations Publications.
- The University of Texas System (UTS) Information Resources Use and Security Policy 165.
- UTSA Student Code of Conduct and Judicial Procedures Sections 201, 202, 203.
- UTSA Handbook of Operating Procedures (HOP), Code of Ethics, Chapter 4.01.
- Texas Government Code section 2054.
VI. CONTACTS
If you have any questions about Handbook of Operating Procedures policy 11.01, Information Technology Resources Use and Security, contact one of the following offices:
- Office of Information Security
210-458-7974
informationsecurity@utsa.edu
- UTSA Tech Solutions
210-458-4555
TechCafe@utsa.edu
VII. DEFINITIONS
- Chief Information Security Officer (CISO): The lead UTSA employee responsible for providing and administering the overall security program for UTSA Information Technology Resources for all centrally maintained and distributed systems and computer equipment. The CISO assesses Information Technology Resources security risks and engages in a transparent discussion of risks with internal stakeholders. The CISO is also responsible for the continuous development of this Policy and related UTSA Security Standards. The CISO promotes and tests for compliance through standards development, training, awareness programs, and risk assessments. The CISO responds to the misuse of Information Technology Resources and any unauthorized access of Information Technology Resources by external or internal parties.
- Data: Information that is recorded, regardless of form or media, and used to support the mission of UTSA, whether in an administrative, educational, or research capacity. Data may be saved or transmitted in hard copy (printed or written), digital/electronic (including video, audio, images), or other formats.
- Data Custodian: The Data Custodian is responsible for the day-to-day maintenance of UTSA Information Technology Resources. In some instances, this responsibility is assigned to a Department, Vice President Unit, or College employee, a third-party vendor, or UTSA Tech Solutions.
- Data Owner: The Department or College manager or agent responsible for the business functions supported by the Information Technology Resources or the individual upon whom responsibility rests for carrying out the program using the Information Technology Resources.
- Data User: With authorization from the Data Owner, the Data User is any person who accesses, reads, enters, or updates information and/or Information Technology Resources whether done individually, through facilitation, or responsibility for an automated application or process.
- Information Security Officer: The Information Security Officer oversees and is responsible for the security of the Information Technology Resources within a Department, College, or Facility.
- Information System: An interconnected set of Information Technology Resources under the same direct management and control that shares common functionality. An Information System normally includes hardware, software, information, Data, applications, communications, and people.
- Information Technology Resources: The procedures, equipment, facilities, software, and Data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This may include, but is not limited to, any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing websites, or otherwise capable of receiving, storing, managing, or transmitting Data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, mobile devices, pagers, distributed processing systems, network-attached and computer-controlled medical and laboratory equipment (e.g., embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and hosted services.
VIII. RESPONSIBILITIES
- Information Security Officer: The Information Security Officer oversees the security of the Information Technology Resources within a Department, Vice President Unit, College, or Facility.
- Data Owners: The Data Owner collects the Data, is the primary controller of a Data asset, or is the Principal Investigator (PI) of a UTSA-managed research project or sponsored program. Data Owners ensure compliance with this Policy, apply for exemptions when justified, and accept residual risk when security threats cannot be further mitigated. Data Owners approve or deny requests to access Data, periodically review access assignments, and take corrective action if inappropriate access is detected. Data Owners designate Data Custodians. Data Owners also designate Data Users and set the rules and procedures for access to the Data.
- Data Custodian: The Data Custodian assists with the ongoing operational tasks of managing information assets.
- Data User: Data Users typically have no role in determining the security requirements for the information asset or performing server or application maintenance. Nonetheless, Data Users must understand and abide by the security requirements of this Policy, the UTSA Security Standards, and the expectations of the Data Owner.
IX. PROCEDURES
- All Data Users of UTSA Information Technology Resources are required to comply with this policy, all UTSA HOP policies, and the requirements that the Office of Information Security (OIS) develops and promotes. Violation of this policy may result in disciplinary action through regular, published disciplinary procedures in accordance with this Handbook of Operating Procedures, the Student Code of Conduct, degree program handbooks, and/or could include actions taken by sponsors of research or sponsored programs as well as federal oversight agencies. Discipline may include, but is not limited to, termination of employees and temporary employees; termination of contracts in the case of contractors or consultants; dismissal of interns and volunteers from the department or facility; and/or removal from a degree program, suspension, or expulsion of students. Additionally, individuals may lose access to UTSA Information Technology Resources and may face state or federal civil and/or criminal penalties, depending on the violation.
X. SPECIAL INSTRUCTIONS FOR IMPLEMENTATION
None
XI. FORMS AND TOOLS/ONLINE PROCESSES
None
XII. APPENDIX
None
XIII. Dates Approved/Amended
08-02-2022
06-24-2005