The University of Texas at Tyler
Diane Garrett, Information Security Officer
Responsibilities & Procedures
Why Do I need training?
- In the past, Information Resources (central IT) managed & owned most of the data on our campus
- Several areas of the University outside central IT's operations have set up their own information resources
- With decentralized data ownership, training is essential to comply with state law and UT System policy
Basis for training:
- Data ownership is required by Texas state law & UT System Policy
  - TAC 202
  - UTS 165
- Provides accountability for the data which is gathered, stored, & transmitted by the University
- Data owners will be able to identify security requirements that are most appropriate for their data.
At the end of training you:
- Will have been presented with the state and UT System requirements for data ownership
- Will be able to classify the data on your resource & provide an initial value for your asset
- Will have a basic understanding of the Risk Assessment requirements
- Will formally acknowledge your resources, the custodians, & ISAs
Legal Jargon & Policy Talk
- Exposure to Texas Administrative Code (TAC) 202
- Exposure to UT System (UTS) Policy 165
- Attack low-lying fruit (things we can accomplish now or in a short period of time)
- Talk about future actions on the road to full compliance
TAC 202 Language
Data Owner Definition:
A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal.
TAC 202 Data Owner Responsibilities
The owner or his or her designated representative(s) are responsible for and authorized to:
- Approve access
- Formally assign custody of the information resource asset
- Determine the asset's value
- Specify data controls and convey them to users and custodians
- Specify appropriate controls, based on a risk assessment, to protect the information resource from:
  - unauthorized modification
  - unauthorized deletion
  - unauthorized disclosure
  These controls extend to resources and services outsourced by UT Tyler.
- Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources.
- Assign custody of information resources assets
- Provide appropriate authority to implement security controls and procedures.
- Review access lists based on documented risk management decisions.
- Approve, justify, document, and be accountable for exceptions to security controls.
- The information owner shall coordinate exceptions to security controls with the agency information security officer.
The information owner, with the concurrence of the state agency head or his or her designated representative(s), is responsible for classifying business functional information.
UTS 165 Language
Data Owner Definition:
The manager or agent responsible for the business function that is supported by the information resource, or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security and for authorizing access to the information resource.
Definition continued:
The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared.
UTS 165 Responsibilities
- Grants access to the Information System under his/her responsibility.
- Classifies Digital Data based on Data sensitivity and risk.
- Backs up Data under his/her responsibility in accordance with risk management decisions and secures backup media.
Owner of Mission Critical Information Resources:
- Designates an individual to serve as an Information Security Administrator (ISA) to implement information security policies and procedures and to report incidents to the ISO.
- Performs an annual information security risk assessment and identifies, recommends, and documents acceptable risk levels for information resources under his/her authority.
To determine to what extent a resource needs to be protected, the data which resides on the system must be classified.
UT Tyler adopted UT Austin's data classification guidelines: http://www.uttyler.edu/ISO/dataclassification.html
3 Categories of Data
Category I data:
University data protected specifically by federal or state law or University of Texas at Tyler rules and regulations.
Examples of Laws:
- FERPA
- HIPAA
- Texas Identity Theft Enforcement & Protection Act
Examples of Category I data:
- Social Security number
- Credit Card Numbers
- Grades (including test scores, assignments, and class grades)
- Personal vehicle information
- Access device numbers (building access code, etc.)
- Biometric identifiers and full face images
More Cat I data:
- Patient Medical/Health Information (HIPAA-protected data)
- Payment Guarantor's information
- Human subject information
- Sensitive digital research data
Category II data:
University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
Examples of Category II data:
- The calendar for a university official or employee
- The emails of a university official or employee containing sensitive information
- Date of birth, place of birth of students or employees
- Internal audit data
More Cat II data:
- Student evaluations of a specific faculty member
- Human subjects research data with no personal identifying information
Category III data:
University data not otherwise identified as Category-I or Category-II data (e.g., publicly available).
Examples of Category III data:
- Departmental Web site
- Blogs
- Library data and holdings
- Public phone directory
- Course catalog and curriculum information
- General benefits information
More Cat III data:
- Enrollment figures
- Publicized research findings
- State budget
- All public information
- Assess and classify information
- Assign system custodian/sign acknowledgement
- Complete annual/biennial risk assessments
- Identify security controls based on risk
- Review and approve system access periodically
- Prepare/update disaster recovery plans
Training (Done)
Assess and classify information
- Classify the data on your systems (Cat I, Cat II, Cat III) & determine if mission critical (to dept or institution)
- Assign a monetary value to your system (replacement value of system)
- If you are able to assign a monetary value to the data, that is even better (very hard to do)
Assign system custodian/sign acknowledgement
- Will do this at end of training
Complete annual/biennial risk assessments
- Purchased Risk Watch
- Surveys will be sent out
- Will build on questions each year
Update resource list and reclassify data and value of assets as needed
Identify security controls based on risk (from previous year's risk assessment)
Review and approve system access periodically
Perform annual risk assessments if mission critical resource
Prepare/update disaster recovery plans (only if necessary)
Monitor/ensure compliance