Information Security & Privacy Roles and Responsibilities

ISPP-XX Standard

Status:
FIRST DRAFT April 17, 2012

Scope

This standard applies to all university information. It also applies to all individuals encountering university information, regardless of the individual’s role(s) or affiliation(s).

Purpose

This standard is part of the Indiana University Information Security and Privacy Program. The over-arching goals of the Information Security and Privacy Program and associated standards are to maintain Indiana University’s viability, both reputational and operational, as a premier institution of higher education; to support its mission of education (teaching and learning), research, and engagement (outreach and service); and to guide the conduct of university business.

The Information Security and Privacy Program outlines basic principles that guide Indiana University’s approach to information security and privacy. This standard on Information Security and Privacy Roles and Responsibilities primarily addresses the Accountability Principle, which establishes that the organization defines, documents, communicates, and assigns responsibility for the various aspects of information security and privacy to individuals or entities within the organization. This makes it possible to hold management and the stewards, custodians, and users of information accountable. Thus, individuals, organizations, and the community are responsible for their actions and may be required to explain them to others. This principle may also be called the Management Principle, the Administrative Requirements Principle, or the Responsibility Principle.

Standard

  1. Introduction

    1. Every member of the Indiana University community has some responsibility and accountability for the security and privacy of data and information. This includes individuals at all levels of the organization, from the Board of Trustees to the end user of information. It includes faculty, staff, students, affiliates, and those under contract with Indiana University. In short, information security and privacy is everyone’s responsibility.
    2. Because operations at Indiana University are distributed, the ultimate responsibility and accountability for handling information appropriately rests with the unit and individual responsible for collecting, storing, manipulating, transmitting, or otherwise handling the information.
    3. This standard establishes and defines generic Indiana University information security and privacy role titles. It defines each role. It outlines high-level, general responsibilities for each role. It then distributes, down to the appropriate management level, the responsibility for identifying individuals to take on these roles as a part of their regular responsibilities.
    4. An individual may have one or more information security and privacy roles. For example, a Dean may hold both Executive Management and Business Function Management information security and privacy roles. In a small unit, an individual may hold the Technology Management, Data Custodian, Data Access Manager, and Technician information security and privacy roles. Nearly every individual will also hold the information security and privacy role of User.
    5. This standard lays out high-level, general information security and privacy responsibilities assumed by individuals or groups at Indiana University. Other more specific roles and responsibilities may be detailed in related policies, standards, guidelines, and procedures.
    6. For the purposes of the Indiana University Information Security and Privacy Program, the terms data and information are interchangeable, with a preference for the use of the term information.
  2. Information Security and Privacy Role Titles, Definitions, and Responsibilities

    The table below lists each role title, its definition, and the document that details its responsibilities.

    Role Title: Board of Trustees
    Role Definition: The Board of Trustees is Indiana University’s governing board, legal owner, and final authority. For the purposes of information security and privacy governance, the Board is the owner of all information, except information excluded from university ownership as set forth in the Indiana University Policy on Intellectual Property.
    Role Responsibilities: Roles and Responsibilities for the Board of Trustees

    Role Title: Executive Management
    Role Definition: Those individuals assigned executive management responsibilities, typically with the titles of President, Vice President, and Chancellor, and including Academic Deans.
    Role Responsibilities: Roles and Responsibilities for Executive Management

    Role Title: Business Function Management
    Role Definition: Those individuals assigned business management responsibilities for a unit or service.
    Role Responsibilities: Roles and Responsibilities for Business Function Management

    Role Title: Technology Management
    Role Definition: Those individuals assigned technology management/director responsibilities for a unit or service.
    Role Responsibilities: Roles and Responsibilities for Technology Management

    Role Title: Technician
    Role Definition: An individual who applies security and privacy principles, policies, standards, guidelines, and procedures to technologies that contain, transport, or otherwise handle information.
    Role Responsibilities: Roles and Responsibilities for Technicians

    Role Title: Data Steward
    Role Definition: An individual who has been named to represent information, usually for a specific information type, business sector, or business function, for university-wide information governance purposes.
    Role Responsibilities: Roles and Responsibilities for Data Stewards

    Role Title: Data Custodian
    Role Definition: A manager of systems containing information. These systems may be in electronic or paper form, for example, in paper-based filing systems.
    Role Responsibilities: Roles and Responsibilities for Data Custodians

    Role Title: Data Access Manager
    Role Definition: An individual who has been assigned to receive, evaluate, and authorize or deny requests for access to systems, applications, and/or databases containing information. These systems may be electronic or in paper form, for example, in paper-based filing systems.
    Role Responsibilities: Roles and Responsibilities for Data Access Managers

    Role Title: Compliance Officer
    Role Definition: An individual who provides compliance oversight and/or coordination that includes information security and/or privacy, usually for a specific information type, business sector, or business function.
    Role Responsibilities: Roles and Responsibilities for Compliance Officers

    Role Title: User
    Role Definition: An individual who interacts with information.