Longwood University
Policy 6135
SECURITY ROLES AND RESPONSIBILITIES
I. PURPOSE
The purpose of this policy is to establish University-wide security roles with designated responsibilities for protecting University data and information technology (IT) systems.
II. POLICY
A. Assignment of Roles:
2. The President will designate an Information Security Officer and a backup Information Security Officer for the University.
3. The Information Security Officer will designate a single system owner and at least one data owner for each University IT system. Any individual assigned the role of system owner or data owner must be a management level University employee.
4. The system owner, for each IT system he or she owns, will designate the system administrator(s).
a. Each IT system will have at least two system administrators.
b. System administrator security tasks may be divided between application security and infrastructure security and assigned to different individuals.
c. Either a member of Information and Instructional Technology Staff (IITS) or an IT system vendor will always be responsible for infrastructure security.
5. The data owner, for any data he or she owns, will designate a member of IITS staff or an IT system vendor as a data custodian.
6. The University will have designated privacy officers to provide guidance on the state and federal privacy laws (e.g., HIPAA, FERPA) applicable to the University.
7. Designations of security responsibilities must be documented.
a. Employees assigned to a security role must have those responsibilities included in their employment contract or Employee Work Profile.
b. IT system vendors assigned to a security role must have those responsibilities documented in their contract with the University.
8. A record of all assigned University security roles will be maintained in an organizational chart depicting the structure of responsibility for protecting University data and IT systems.
9. All security roles will be reviewed annually.
B. Explanation of Responsibilities:
1. President: The President is ultimately responsible for ensuring that an appropriate IT security program is in place to provide for the security of University data and IT systems.
2. Information Security Officer (ISO): The University’s ISO is responsible for the development and management of the University’s IT security program to include the following duties, roles and responsibilities:
a. Develop and manage a University IT security program that meets or exceeds the requirements of Commonwealth of Virginia (COV) IT security policies and standards in a manner commensurate with risk.
b. Verify and validate that all University data and IT systems are classified for sensitivity.
c. Develop and maintain an IT security awareness and training program for University faculty and staff, including contractors and IT service providers.
d. Coordinate and provide IT security information to the Commonwealth’s Chief Information Security Officer (CISO) as required.
e. Implement and maintain the appropriate balance of protective, detective and corrective controls for the University IT systems commensurate with data sensitivity, risk and systems’ criticality.
f. Mitigate and report all IT security incidents in accordance with §2.2-603 of the Code of Virginia and Virginia Information Technologies Agency (VITA) requirements and take appropriate actions to prevent recurrence.
g. Maintain liaison with the Commonwealth’s CISO.
h. Assign individuals to the roles necessary to implement the University IT security program and ensure those assignments prevent conflict of interests and promote separation of duties.
i. Document the responsibilities of the designee for each role identified.
j. Review IT System Security Plans for all sensitive agency IT systems and:
(1) Approve those IT System Security Plans that provide adequate protections against IT security risks; or
(2) Disapprove System Security Plans that do not provide adequate protections against IT security risks, and require that the System Owner implement additional security controls on the IT system to provide adequate protections against IT security risks.
3. System Owner: A University system owner is responsible for the operation and maintenance of a University IT system as designated by the ISO.
a. Require that all IT system users complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the IT system, and no less than annually thereafter.
b. Manage IT system risk and develop any additional IT security policies and procedures required to protect the IT system in a manner commensurate with risk.
c. Maintain compliance with University and COV IT security policies and standards in all IT system activities.
d. Maintain compliance with requirements specified by data owners for the handling of data processed by the IT system.
e. Designate a system administrator for the IT system.
4. Data Owner: A University data owner is responsible for the policy and practice decisions regarding data, and for the following:
a. Evaluate and classify sensitivity of the data.
b. Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements and business needs.
c. Communicate data protection requirements to the system owner.
d. Define requirements for access to the data.
e. Designate a data custodian for the IT system.
5. System Administrator: A University system administrator is responsible for implementing, managing and/or operating an IT system at the direction of the system owner, data owner and/or data custodian.
a. Assist University management in the day-to-day administration of University IT systems.
b. Implement security controls and other requirements of the University IT security program on IT systems for which he or she has been assigned responsibility.
6. Data Custodian: A University data custodian is responsible for the physical or logical data in his or her possession on behalf of the data owners, and for the following:
a. Protect the data from unauthorized access, alteration, destruction or usage.
b. Establish, monitor and operate IT systems in a manner consistent with University and COV IT security policies and standards.
c. Provide and administer general controls, such as backup and recovery systems.
7. Privacy Officer: A University privacy officer is responsible for directing the University’s adherence to a specific state or federal privacy law (e.g., FERPA, HIPAA).
a. Provide guidance on the requirements of the law or regulation, including limits on disclosure of and access to sensitive data.
b. Advise the University on the adoption of security protection requirements in conjunction with IT systems when there is some overlap among sensitivity, disclosure, privacy and security issues.
III. ENFORCEMENT
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
Approved by the Board of Visitors, December 5, 2008.