(a) The agency head of each state institution of higher
education is ultimately responsible for the security of state information
resources.
(b) The agency head or their designated representative
shall:
(1) designate an Information Security Officer who has
the explicit authority and the duty to administer the information
security requirements of this chapter institution wide;
(2) allocate resources for ongoing information security
remediation, implementation, and compliance activities that reduce
risk to a level acceptable to the institution head;
(3) ensure that senior institution of higher education
officials and information-owners, in collaboration with the Information
Resources Manager and Information Security Officer, support the provision
of information security for the information systems that support the
operations and assets under their direct or indirect (e.g., cloud
computing or outsourced) control;
(4) ensure that the institution of higher education
has trained personnel to assist the institution of higher education
in complying with the requirements of this chapter and related policies;
(5) ensure that senior institution of higher education
officials support the institution of higher education Information
Security Officer in developing, at least annually, a report on institution
of higher education information security program, as specified in §202.71(b)(10)
and §202.73(a) of this chapter;
(6) approve high residual risk management decisions
as required by §202.75(4) of this chapter;
(7) review and approve at least annually institution
of higher education information security program required under §202.74
of this chapter; and
(8) ensure that information security management processes
are part of the institution of higher education strategic planning
and operational processes.