330 likes | 501 Vues
Data Ownership. Responsibilities & Procedures. The University of Texas at Tyler Diane Garrett, Information Security Officer. Why Do I need training?. In the past Information Resources (central IT) managed & owned most of the data on our campus
E N D
Data Ownership Responsibilities & Procedures The University of Texas at Tyler Diane Garrett, Information Security Officer
Why Do I need training? • In the past Information Resources (central IT) managed & owned most of the data on our campus • Several areas have information resources outside of central IT’s operations in outlying areas of our University have set up resources • With decentralized data ownership, the need for training is essential to comply with state law and UT System policy
Basis for training: • Data ownership is required by Texas state law & UT System Policy • TAC 202 • UTS 165 • Provides accountability for the data which is gathered, stored, & transmitted by the University • Data owners will be able to identify security requirements that are most appropriate for their data.
At the end of training you: • Will have been presented with the state and UT System requirements for data ownership • Will be able to classify the data on your resource & provide an initial value for your asset • Will have a basic understanding of the Risk Assessment requirements • Will formally acknowledge your resources, the custodians, & ISA’s
Legal Jargon & Policy Talk • Exposure to Texas Administrative Code (TAC) 202 • Exposure to UT System (UTS) Policy 165 • Attack low-lying fruit (things we can accomplish now or in a short period of time) • Talk about future actions on the road to full compliance
THE BORING BUT NECESSARY EVILS
TAC 202 Language Data Owner Definition: • A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal
TAC 202 Data Owner Responsibilities The owner or his or her designated representative(s) are responsible for and authorized to: • Approve access • Formally assign custody of the information resource asset • Determine the asset's value • Specify data controls and convey to users and custodians
Specify appropriate controls, based on a risk assessment, to protect the information resource from: • unauthorized modification • unauthorized deletion • unauthorized disclosure • These controls extend to resources and services outsourced by UT Tyler
Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources. • Assign custody of information resources assets • Provide appropriate authority to implement security controls and procedures.
Review access lists based on documented risk management decisions. • Approve, justify, document, and be accountable for exceptions to security controls. • The information owner shall coordinate exceptions to security controls with the agency information security officer
The information owner, with the concurrence of the state agency head or his or her designated representative(s), is responsible for classifying business functional information.
UTS 165 Language Data Owner Definition: The manager or agent responsible for the business function that is supported by the information resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security and authorizing access to the information resource.
Definition continued: The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared.
UTS 165 Responsibilities • Grants access to the Information System under his/her responsibility. • Classifies Digital Data based on Data sensitivity and risk. • Backs up Data under his/her responsibility in accordance with risk management decisions and secures back up media.
Owner of Mission Critical Information Resources • Designates an individual to serve as an Information Security Administrator (ISA) to implement information security policies and procedures and for reporting incidents to the ISO. • Performs an annual information security risk assessment and identifies, recommends, and documents acceptable risk levels for information resources under his/her authority.
Data Classification • To determine to what extent a resource needs to be protected, the data which resides on the system must be classified • UT Tyler adopted UT Austin’s data classification guidelines • http://www.uttyler.edu/ISO/dataclassification.html
Category I data: • University data protected specifically by federal or state law or University of Texas at Tyler rules and regulations. • Examples of Laws: • FERPA • HIPPA • Texas Identity Theft Enforcement & Protection Act
Examples of Category I data: • Social Security number • Credit Card Numbers • Grades (including test scores, assignments, and class grades) • Personal vehicle information • Access device numbers (building access code, etc.) • Biometric identifiers and full face images
More Cat I data: • Patient Medical/Health Information (HIPPA) protected data • Payment Guarantor's information • Human subject information • Sensitive digital research data
Category II data: • University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.) Such data must be appropriately protected to ensure a controlled and lawful release.
Examples of Category II data: • The calendar for a university official or employee • The emails of a university official or employee containing sensitive information • Date of birth, place of birth of students or employees • Internal audit data
More Cat II data: • Student evaluations of a specific faculty member • Human subjects research data with no personal identifying information
Category III data: • University data not otherwise identified as Category-I or Category-II data (e.g., publicly available).
Examples of Category III data: • Departmental Web site • Blogs • Library data and holdings • Public phone directory • Course catalog and curriculum information • General benefits information
More Cat III data: • Enrollment figures • Publicized research findings • State budget • All public information
8 Monitor/ensure compliance 2011 FY 7 Compliant Prepare/update disaster recovery plans 6 Review and approve system access periodically 5 Identify security controls based on risk 4 Complete annual/biennial risk assessments 2010 FY 3 Assign system custodian/sign acknowledgement 2 Assess and classify information 1 Training
2009-2010 (Now) • Training (Done) • Assess and classify information • Classify the data on your systems (Cat I, Cat II, Cat III) & determine if mission critical (to dept or institution) • Assign a monetary value to your system (replacement value of system) • If you are able to assign a monetary value to the data, that is even better (very hard to do)
Assign system custodian/sign acknowledgement • Will do this at end of training • Complete annual/biennial risk assessments • Purchased Risk Watch • Surveys will be sent out • Will build on questions each year
2010-2011 • Update resource list and reclassify data and value of assets as needed • Identify security controls based on risk (from previous year’s risk assessment) • Review and approve system access periodically • Perform annual risk assessments if mission critical resource
2010-2011 continued • Prepare/update disaster recovery plans (only if necessary) • Monitor/ensure compliance