ITS maintains many standards that support the Information Security Program at 圖朸厙. A key standard is the IT Security Roles and Responsibilities standard. This standard describes responsibilities for those who own on-premises systems or contracts for hosted applications, those who are responsible for data ownership, and those who are responsible for data administration, among others. As more services are offered via hosted applications, the roles of the contract administrator (acting as the system owner), the data owner and the data administrator become key to ensuring the security of the data that is being hosted.
System Owner
The System Owner is the manager or department head that is responsible for operation and maintenance of a University IT system or who is the contract owner for a hosted system. The System Owner must be an employee of the Commonwealth of Virginia and can own multiple systems. The System Owner's IT security responsibilities include:
- Require that system users complete IT security awareness and training activities prior to, or as soon as practicable after receiving access to the system, and no less than annually, thereafter.
- Manage system risk and risk documentation via a system risk assessment, and develop additional IT security policies and procedures required to protect the system in a manner commensurate with risk.
- Understand the type(s) of data handled by the University IT system and determine whether each type of data is also subject to other regulatory requirements. Maintain and implement the University's data classification requirements as spelled out in University Policy 3504 - Data Administration and Classification and supporting Standards, including ITS 08.1.0 standard - System Risk Assessment Standard.
- Classify the IT system as sensitive if any type of data handled by the IT system has a sensitivity of high on any of the criteria of confidentiality, integrity, or availability. Use the Data Administration and Classification Standard as the standard for understanding the classification of data and systems.
- Through adherence to the IT Security Program or similar practices, follow industry standards such as the International Standards Organization's ISO-27000 series of standards, best practices and the practices of similar higher education institutions.
- Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
- Designate System, Application and\or Database Administrators for the system.
- Participate in the development of the University's Business Impact Analysis (BIA).
- Develop and maintain an IT System Security Plan via the System Risk Assessment.
- In consultation with the Data Owner, document IT systems with which data is shared, including the types of shared data or direction(s) of data flow.
- Ensure an appropriate agreement is in place for any data shared with an external system.
Data Owner
The Data Owner is the manager responsible for the policy and practice decisions regarding data. The Data Owner must be an employee of the Commonwealth of Virginia and can own data in multiple systems. The Data Owner is restricted from acting as System, Application or Database Administrator for systems they own. The Data Owner's IT security responsibilities include:
- Know and understand the data for which they are responsible.
- Maintain and implement the University's data classification requirements as spelled out in University Policy 3504 - Data Administration and Classification and supporting Standards, including the ITS Data Administration and Classification Standard.
- Provide input to the System Owner on data classification for input into the System Risk Assessment.
- Communicate data protection requirements to the System Owner.
- Determine the potential damages to the University if the data was compromised.
- Define protection requirements for the data, with the support of the System Owner, System, Application and\or Database Administrators and the Security Administrator, based on the sensitivity of the data, legal or regulatory requirements, and business needs.
- Develop procedures and define requirements for access to the data
- Review and approve requests for access to data under their jurisdiction.
- Participate in security access audits.
- Establish policies regarding the manipulation, modification, or reporting of institutional data elements and for creating derived elements, which are also institutional data.
- Coordinate with the University Records Manager to determine data retention requirements and archiving strategies for storing and preserving historical operational data.
Application Administrator
Application Administrators are individuals or organizations in physical or logical possession of data, through an application, for Data Owners. Unless the application is hosted with an agreement that the vendor will fill this role and an appropriate contract is in place, the Application Administrator must be an employee of the Commonwealth of Virginia and can fill this role for multiple systems. The Application Administrator's IT security responsibilities include:
- Protect the data in their possession from unauthorized access, alteration, destruction, or usage per the requirements established by the System and Data Owners.
- Establish, monitor, and operate the application in a manner consistent with security policies and standards.
- Provide Data Owners and System Owners with reports, when necessary and applicable.