
Unit Heads and Security Leads

  • Audience: Faculty, Staff
  • Service Category: Security
  • Owner Team: IT Security

The core roles within the IS-3 policy are those of Unit Head (UH) and Unit Information Security Lead (UISL). These two roles must be assigned to named individuals. Executives are responsible for naming Unit Heads, and the Unit Heads are responsible for naming the Unit Information Security Leads within their areas of governance for units that do their own computing and/or other units' computing. 

Unit Heads' (UH) Responsibilities:

  • Unit compliance with IT Security Policies
  • Consult with security leads and business liaisons when making risk decisions
  • Managing resources (including budget) to achieve compliance, where required
  • Risk management processes
  • Risk acceptance (at certain levels)
  • Assign security lead responsibilities where required
  • Incident response process
  • Procurement processes
  • Inventory processes

Unit Information Security Leads' (UISL) Responsibilities:

  • Security risk assessment process
  • Inventory process
  • Access management processes
  • Procurement process
  • Vulnerability management process
  • Incident notification process
  • Provide oversight and execution of information security responsibilities for services provided
  • Identify risks and implement risk treatment plans for services provided

 

Other typical activities by type ...

When thinking about the type of tasks that are common to each of these roles (UH and UISL), it can be helpful to consider common domains where responsibility exists. The following examples, by category, should provide additional insights into the type of work that might be required.

Unit Head 

Procurement:  

  • Assure that all IT purchases within the Unit are routed through the appropriate procurement office in order to avoid circumventing IT risk assessments.

CMDB: 

  • Accountable for ensuring the Unit has a process to inventory all Unit IT assets not managed by UCSF (using the university's central database for IT assets called the CMDB). 

Data Classification:   

  • Assure that protection and availability levels are classified and understood for all data managed at the Unit level. 

Risk Assessment: 

  • Assure that Unit business and system owners complete UCSF IT security risk assessments when new applications are purchased, developed, or implemented 

Security Exceptions: 

  • A security exception may require Unit Head approval. The Unit Head is responsible for evaluating security risks against business needs and deciding whether to accept the risk. 

Vulnerability Management: 

  • Vulnerabilities that cannot be remediated in a timely manner may be escalated to the Unit Head. The Unit Head is responsible for evaluating security risks against business needs and deciding whether to accept the risk.  

Incident Response: 

  • Ensuring that Unit resources and the Security Leads support the incident response process
  • In coordination with the Incident Response Team, communicating with key stakeholders and sponsors or contracted parties that may be impacted by a security incident 

 

Unit Information Security Lead (UISL)

Procurement: 

  • Assure that all IT purchases within the Unit are routed through the appropriate procurement office in order to avoid circumventing IT risk assessments.

CMDB: 

  • Responsible for the Unit’s execution of the process to inventory all Unit IT assets not managed by UCSF in the CMDB 

Data Classification: 

  • Communicate the Unit’s protection and availability level requirements to Service Providers who are responsible for hosting the Unit’s data 

Risk Assessment: 

  • Understand the UCSF IT security risk assessment process and assist Unit business and system owners in completing assessments when new applications are purchased, developed, or implemented 

Security Exceptions: 

  • Security Leads may be asked to assist with security exception requests submitted for their Units. Security Leads are responsible for ensuring their Units’ system owners understand the security exception process and are engaged in developing risk mitigation plans in consultation with UCSF IT Security.  

Vulnerability Management: 

  • Security Leads will be informed of vulnerabilities identified for systems within their Unit. Security Leads are responsible for ensuring their Units’ system owners are engaged in resolving identified vulnerabilities in a timely manner.  

Incident Response: 

  • Serving as a key Unit contact during the incident response process 
    © 2025 The Regents of the University of California