Purpose

The purpose of this Practice is to define the Roles and Responsibilities for all members of the UTHSC Community essential to the implementation of the UTHSC Information Security Program. This standard is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

All members of the UTHSC Community are subject to the UTHSC Information Security Program.

Definitions

UTHSC Information Security Program – a program to effectively secure and safeguard UTHSC’s information in terms of confidentiality, integrity and availability while allowing individuals to appropriately access and share information when needed.

Responsibilities

Responsibilities are defined in the Practice section.

Practice

In addition to the responsibilities outlined in GP-001-UTHSC Information Security Program, the UTHSC Information Security Program identifies the following Roles and Responsibilities:
1. UTHSC Office of Cybersecurity: a group of UTHSC employees assigned the implementation of the UTHSC Information Security Program. Specific responsibilities include:
  1. Preserve the availability, integrity, and confidentiality of information through the recommendation of the implementation of reasonable and appropriate safeguards and controls
  2. Develop, implement, and maintain information security standards, practices, and procedures
  3. Guide and recommend effective information security processes and practices
  4. Analyze information security risk. Recommend and implement administrative, technical, and operational safeguards towards mitigation/remediation
  5. Monitoring of security compliance with internal and external requirements
  6. Provide for Information Security awareness training
  7. Timely response to, and management of, security events and incidents
  8. Response to reporting requirements
  9. Effective communications
2. Data Owner: a senior level individual (or his/her documented delegate) overseeing and maintaining UTHSC Data or Information. Specific responsibilities include:
  1. Appropriately classify UTHSC Data or Information per GP-002-Data & System Classification
  2. Assign day-to-day administrative and operational responsibilities to both Data Custodians for UTHSC Data or Information and Application Owners for application(s) maintaining UTHSC Data or Information.
  3. Approving standards, practices, and procedures related to day-to-day administrative and operational management of UTHSC Data or Information and application(s) maintaining UTHSC Data or Information.
  4. Determining the appropriate criteria for obtaining access UTHSC Data or Information and application(s) maintaining UTHSC Data or Information.
  5. Define reasonable and appropriate security controls towards the protection of the confidentiality, integrity and availability of UTHSC Data or Information
  6. Ensure that Data Custodians implement the defined security controls
  7. Defining risk tolerance and accepting or rejecting risk related to security threats that impact the confidentiality, integrity and availability of UTHSC Data or Information
3. Data Custodian: an UTHSC employee who has administrative and/or operational responsibility over UTHSC data or Information. Specific responsibilities include:
  1. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of UTHSC Data or Information
  2. Provision and de-provision access to UTHSC Data or Information as authorized by the Data Owner
  3. Understand and report on how UTHSC Data or Information are stored, processed and transmitted by the University and by third-party entities
  4. Document and disseminate administrative and operational procedures to ensure consistent storage, processing and transmission of UTHSC Data or Information
  5. Understand and report on security risks and how security risks impact the confidentiality, integrity and availability of UTHSC Data or Information
4. System or Application owner: an UTHSC employee or group of employees with the responsibility to ensure that the program or programs, which make up the system or application, accomplish the specified objective or set of user requirements established for that application. Specific responsibilities include:
  1. Responsible for the specific service or application.
  2. Accountable for incidents, problems, and changes that impact the service or application
  3. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of UTHSC Data or Information supported by the application.
  4. Assign and modify users to roles in the application based on need to know and least privilege.
5. Users: any member of the UTHSC Community authorized to access UTHSC IT Resources. Specific responsibilities include:
  1. Adhere to UTHSC Information Security policies, standards, practices, processes, guidelines, and procedures
  2. Maintain the security, confidentiality, integrity, and availability of data and information the UTHSC creates, acquires, maintains and distributes in various forms.
  3. Report violations of UTHSC Information Security Program in accordance with GP-001.04-Information Security Violations.