Data Ownership - The University of Texas at Tyler


30 Nov 2013


Data Ownership


The University of Texas at Tyler

Diane Garrett, Information Security Officer

Responsibilities & Procedures



Why do I need training?

- In the past, Information Resources (central IT) managed and owned most of the data on our campus.
- Since then, several areas of the University have set up information resources outside of central IT's operations.
- With decentralized data ownership, training is essential to comply with state law and UT System policy.

Basis for training:

- Data ownership is required by Texas state law and UT System policy:
  - TAC 202
  - UTS 165
- Provides accountability for the data which is gathered, stored, and transmitted by the University.
- Data owners will be able to identify the security requirements that are most appropriate for their data.

At the end of training you:

- Will have been presented with the state and UT System requirements for data ownership
- Will be able to classify the data on your resource and provide an initial value for your asset
- Will have a basic understanding of the Risk Assessment requirements
- Will formally acknowledge your resources, the custodians, and ISAs

Legal Jargon & Policy Talk

- Exposure to Texas Administrative Code (TAC) 202
- Exposure to UT System (UTS) Policy 165
- Attack the low-hanging fruit (things we can accomplish now or in a short period of time)
- Talk about future actions on the road to full compliance

THE BORING BUT NECESSARY EVILS

TAC 202 Language

Data Owner Definition:

A person with statutory or operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal.

TAC 202 Data Owner Responsibilities

The owner or his or her designated representative(s) are responsible for and authorized to:

- Approve access
- Formally assign custody of the information resource asset
- Determine the asset's value
- Specify data controls and convey them to users and custodians
- Specify appropriate controls, based on a risk assessment, to protect the information resource from:
  - unauthorized modification
  - unauthorized deletion
  - unauthorized disclosure
  These controls extend to resources and services outsourced by UT Tyler.
- Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources.
- Assign custody of information resource assets
- Provide appropriate authority to implement security controls and procedures.
- Review access lists based on documented risk management decisions.
- Approve, justify, document, and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the agency information security officer.
- The information owner, with the concurrence of the state agency head or his or her designated representative(s), is responsible for classifying business functional information.

UTS 165 Language

Data Owner Definition:

The manager or agent responsible for the business function that is supported by the information resource, or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security and for authorizing access to the information resource.

Definition continued:

The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared.

UTS 165 Responsibilities

- Grants access to the Information System under his/her responsibility.
- Classifies Digital Data based on Data sensitivity and risk.
- Backs up Data under his/her responsibility in accordance with risk management decisions and secures backup media.

Owner of Mission Critical Information Resources

- Designates an individual to serve as an Information Security Administrator (ISA) to implement information security policies and procedures and to report incidents to the ISO.
- Performs an annual information security risk assessment and identifies, recommends, and documents acceptable risk levels for information resources under his/her authority.

Data Classification

- To determine to what extent a resource needs to be protected, the data which resides on the system must be classified.
- UT Tyler adopted UT Austin's data classification guidelines: http://www.uttyler.edu/ISO/dataclassification.html

3 Categories of Data

Category I data:

University data protected specifically by federal or state law or University of Texas at Tyler rules and regulations.

Examples of laws:

- FERPA
- HIPAA
- Texas Identity Theft Enforcement & Protection Act

Examples of Category I data:

- Social Security number
- Credit card numbers
- Grades (including test scores, assignments, and class grades)
- Personal vehicle information
- Access device numbers (building access code, etc.)
- Biometric identifiers and full face images
- Patient medical/health information (HIPAA-protected data)
- Payment guarantor's information
- Human subject information
- Sensitive digital research data

Category II data:

University data not otherwise identified as Category I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.

Examples of Category II data:

- The calendar for a university official or employee
- The emails of a university official or employee containing sensitive information
- Date of birth and place of birth of students or employees
- Internal audit data
- Student evaluations of a specific faculty member
- Human subjects research data with no personal identifying information

Category III data:

University data not otherwise identified as Category I or Category II data (e.g., publicly available).

Examples of Category III data:

- Departmental Web site
- Blogs
- Library data and holdings
- Public phone directory
- Course catalog and curriculum information
- General benefits information
- Enrollment figures
- Publicized research findings
- State budget
- All public information

Road Map to Compliance

The road map is a staircase of eight steps ending at "Compliant", spread over two fiscal years (2010 FY and 2011 FY):

1. Training
2. Assess and classify information
3. Assign system custodian/sign acknowledgement
4. Complete annual/biennial risk assessments
5. Identify security controls based on risk
6. Review and approve system access periodically
7. Prepare/update disaster recovery plans
8. Monitor/ensure compliance

The following slides break these steps down by year.

2009-2010 (Now)

- Training (done)
- Assess and classify information
  - Classify the data on your systems (Cat I, Cat II, Cat III) and determine if mission critical (to department or institution)
  - Assign a monetary value to your system (replacement value of system)
  - If you are able to assign a monetary value to the data, that is even better (very hard to do)
- Assign system custodian/sign acknowledgement
  - Will do this at end of training
- Complete annual/biennial risk assessments
  - Purchased Risk Watch
  - Surveys will be sent out
  - Will build on questions each year

2010-2011

- Update resource list and reclassify data and value of assets as needed
- Identify security controls based on risk (from previous year's risk assessment)
- Review and approve system access periodically
- Perform annual risk assessments if mission critical resource
- Prepare/update disaster recovery plans (only if necessary)
- Monitor/ensure compliance