Information owners, custodians, and users of information resources
shall, in consultation with the institution IRM and ISO, be identified,
and their responsibilities defined and documented by the state institution
of higher education. The following distinctions among owner, custodian,
and user responsibilities should guide determination of these roles:
(1) Information Owner Responsibilities. The owner or
his or her designated representative(s) are responsible for:
(A) classifying information under their authority,
with the concurrence of the state institution of higher education
head or his or her designated representative(s), in accordance with
the institution of higher education's established information classification
categories;
(B) approving access to information resources and periodically
reviewing access lists based on documented risk management decisions;
(C) formally assigning custody of information or an
information resource;
(D) coordinating data security control requirements
with the ISO;
(E) conveying data security control requirements to
custodians;
(F) providing authority to custodians to implement
security controls and procedures;
(G) justifying, documenting, and being accountable
for exceptions to security controls. The information owner shall coordinate
and obtain approval for exceptions to security controls with the institution
of higher education information security officer; and
(H) participating in risk assessments as provided under §202.75
of this chapter.
(2) Information Custodian Responsibilities. Custodians
of information resources, including third party entities providing
outsourced information resources services to state institutions of
higher education shall:
(A) implement the controls required by this chapter to protect information
and information resources, based on the classification
and risks specified by the information owner(s) or as specified by
the policies, procedures, and standards defined by the institution
of higher education information security program;
(B) provide owners with information to evaluate the
cost-effectiveness of controls and monitoring;
(C) adhere to monitoring techniques and procedures,
approved by the ISO, for detecting, reporting, and investigating incidents;
(D) provide the information necessary for appropriate
information security training to be delivered to employees; and
(E) ensure information is recoverable in accordance
with risk management decisions.
(3) User Responsibilities. The user of an information
resource has the responsibility to:
(A) use the resource only for the purpose specified
by the institution or information owner;
(B) comply with information security controls and institutional
policies to prevent unauthorized or accidental disclosure, modification,
or destruction; and
(C) formally acknowledge that they will comply with
the security policies and procedures in a method determined by the
institution head or his or her designated representative.
(4) Institution information resources designated for
use by the public shall be configured to enforce security policies
and procedures without requiring user participation or intervention.
Information resources must require the acceptance of a banner or
notice prior to use.