Information Classification and Handling Standard - Section F
F. Information Protection Roles and Responsibilities
Any campus business unit may have confidential or personally identifiable information in its records collections, both paper and electronic. For each such collection of information, there always exists an information owner/authority (campus list maintained in a separate document), information custodian/steward and information users with the following responsibilities:
The information owner / authority is identified by law, contract or policy with responsibility for granting access to and ensuring appropriate use of the information. For example,
- The student is the authority of his or her personal information that is stored in campus records.
- A principal investigator is ordinarily the authority of research information, except when a contract with a granting agency or other funding source specifies that the agency is the authority.
- The Family Educational Rights and Privacy Act requires the campus to appoint an information authority (i.e., the FERPA Compliance Officer) for student academic records, and the Health Insurance Portability and Accountability Act requires the campus to appoint an information authority (i.e., the HIPAA Privacy Officer) for medical records.
The information custodian / steward has operational responsibility for the physical and electronic security of the information.
- In the case of electronic information, the information custodian/steward typically is an analyst/programmer, database administrator, or systems administrator.
- In a large business unit, full-time employees in all three of these classifications may be sharing the role of information custodian/steward.
- In a small business unit, it might be a part-time assignment for an employee with other responsibilities.
Information users are individuals who need and use University information as part of their assigned duties or in fulfillment of assigned roles or functions within the University community.
- Individuals who are given access to sensitive information have a position of special trust and as such are responsible for protecting the security and integrity of that information.
Information Authority Roles and Responsibilities
The information owner/authority is responsible to:
- Ensure that his or her own actions do not put the information at risk.
- Assign classification standard values to information (data, records) for which they have responsibility, using the campus Information Classification and Handling Standard.
- Implement Information Handling Standards following the campus Information Classification and Handling Standard.
- Implement an information retention schedule for their subject area following the Information Retention and Disposition Standard.
- Submit the Information Security Risk Inventory and Self-Assessment Report to the Information Security Officer (ISO) at least once every 12 months.
- Work with the ISO, information custodian/steward, and other authorized individuals on the investigation and mitigation of information security incidents/breaches affecting the confidentiality, integrity and availability of their information.
- Perform information security duties as required by other Cal Poly standards and practices, CSU policies, executive orders, coded memoranda, etc.
- Establish written procedures granting and revoking access privileges.
- Ensure that those with access to the information understand their responsibilities for collecting, using, retaining, and disposing of the information only in appropriate ways.
- Monitor usage of the information.
Information Custodian / Steward Roles and Responsibilities
The information custodian/steward is responsible to:
- Ensure that access to and protection of the information, and of the systems and file systems that host it, comply with all applicable information security policies and the authorized directives of the information authority.
- Ensure that any electronic systems have all appropriate security features installed. This includes operating systems and systems software, database management systems, applications systems, computer hardware, firewalls where appropriate, and communications hardware and software being administered by the information custodian/steward.
- Work with the ISO, information authority, and other authorized individuals on the investigation and mitigation of information security incidents/breaches affecting the integrity and confidentiality of the information.
- Perform information security duties as required by Cal Poly standards and practices, including CSU policies, executive orders, and coded memoranda.
- Review access requests to and use of information stored in the campus central data warehouse, determine appropriate access, and authorize or deny the request under their authority.
Information User Roles and Responsibilities
The information user is responsible to:
- Ensure that he or she does not put at risk through his or her own actions any University information for which he/she has been given access.
- Perform information security duties as required by Cal Poly standards and practices, including CSU policies, executive orders, coded memoranda, etc., as appropriate.