(a) The agency head or his or her designated representative(s)
shall review and approve ownership of information resources and their associated
responsibilities.
(b) The owner of an information resource, with the agency head's
concurrence, is responsible for classifying business functional information.
Agencies are responsible for defining all information classification categories
except the Confidential Information category, which is defined in §202.1
of this chapter, and establishing the appropriate controls for each.
(c) Owners, custodians, and users of information resources
shall be identified, and their responsibilities defined and documented by
the agency. In cases where information resources are used by more than one
major business function, the owners shall reach consensus and advise the information
security function as to the designated owner with responsibility for the information
resources. The following distinctions among owner, custodian, and user responsibilities
should guide determination of these roles:
(1) Owner Responsibilities. The owner or his or her designated
representative(s) are responsible for and authorized to:
(A) Approve access and formally assign custody of an information
resources asset;
(B) Determine the asset's value;
(C) Specify data control requirements and convey them to users
and custodians;
(D) Specify appropriate controls, based on risk assessment,
to protect the state's information resources from unauthorized modification,
deletion, or disclosure. Controls shall extend to information resources outsourced
by the agency.
(E) Confirm that controls are in place to ensure the accuracy,
authenticity, and integrity of data.
(F) Ensure compliance with applicable controls;
(G) Assign custody of information resources assets and provide
appropriate authority to implement security controls and procedures.
(H) Review access lists based on documented agency security
risk management decisions.
(2) Custodian responsibilities. Custodians of information resources,
including entities providing outsourced information resources services to
state agencies, must:
(A) Implement the controls specified by the owner(s);
(B) Provide physical and procedural safeguards for the information
resources;
(C) Assist owners in evaluating the cost-effectiveness of controls
and monitoring; and
(D) Implement the monitoring techniques and procedures for
detecting, reporting, and investigating incidents.
(3) User responsibilities. Users of information resources shall
use the resources only for defined purposes and comply with established controls.
(d) The Information Security Officer. Each agency head shall
designate an information security officer to administer the agency information
security program. The Information Security Officer shall report to executive
level management.
(1) It shall be the duty and responsibility of this individual
to develop and recommend policies and establish procedures and practices,
in cooperation with owners and custodians, necessary to ensure the security
of information resources assets against unauthorized or accidental modification,
destruction, or disclosure.
(2) The Information Security Officer shall document and maintain
an up-to-date information security program. The information security program
must be approved by the agency head.
(3) The Information Security Officer is responsible for monitoring
the effectiveness of defined controls for mission critical information.
(4) The Information Security Officer shall report, at least
annually, to the agency head the status and effectiveness of information resources
security controls.
(e) A review of the agency's information security program for
compliance with these standards will be performed at least annually by individual(s)
independent of the information security program and designated by the agency
head or his or her designated representative.