UCSF 650-16 Addendum A - UCSF Roles and Responsibilities for Securing Electronic Information Resources
I. UCSF Leadership
UCSF leadership plays a critical role in securing Electronic Information Resources (EIR). They do so by making direct statements to the campus, Medical Center, and labs about the need to ensure that restricted data is protected while it is stored, used, and transmitted by academic and administrative units throughout the University. Such statements lead to better understanding of standards of accountability for all employees during the regular discharge of their duties and in the case of security incidents. Establishing accountability involves assigning responsibility for the consequences of a security event. Leadership must support the enforcement of standards of accountability for safeguarding restricted data through employee performance management processes.
II. Individual Responsibilities
All members of the campus community (faculty, staff, students, and student employees) are required:
- to identify, to the best of their ability, any restricted data that resides on their individual devices and
- to comply both with campus requirements regarding the storage of restricted information on these devices and with minimum standards to connect to the campus network.
If an individual has a specific requirement to store restricted data on an individual device, certification of compliance with prescribed procedures for protection and use of such data will be required.
III. Information Security Committee
Individuals designated by the Chancellor with responsibility on behalf of the UCSF enterprise to:
- evaluate current EIR security practices and services;
- develop policy and minimum security standards; and
- recommend to the IT Governance Committee priorities, strategic direction, and best practices for improving UCSF information security.
IV. Unit Department Officials
Units are the highest levels of organizational entity defined within the governance, organization, and culture of each campus where actionable responsibility can be assigned. Departmental Officials have administrative responsibility for campus organizational units [e.g., control unit heads, deans, department chairs, principal investigators, directors, or managers] or individuals having functional ownership of data.
Department Officials have responsibility for:
- administering data access policies and permissions;
- administering and enforcing connectivity standards;
- assigning responsibility for security programs;
- maintaining inventories of systems, software, protected data, and their protection level classifications;
- articulating guidelines and practices for protection of information assets, conducting and funding security audits, handling information security incidents, and implementing remediation strategies; and
- complying with relevant provisions of BFB IS-3 "Electronic Information Security" for systems in support of University business administration.
When a security incident occurs, the unit participates in the incident response process which will involve the Security & Policy Officer, Privacy Officer, external experts (e.g. FBI or forensics specialists) as appropriate. The unit has primary responsibility, in coordination with campus legal and external relations specialists, for notifying affected individuals as required under the law and covering the costs of the incident response process. The unit must also ensure that the proper incentives are in place to ensure the timely reporting of security incidents according to University guidelines.
V. Information Technology Services (ITS)
Those individuals within the campus ITS department who have responsibility to:
- facilitate a secure, distributed, standard environment;
- comply with applicable UC policies (e.g., BFB IS-3) and federal and state regulations (e.g., HIPAA and SB 1386) and facilitate departmental compliance with those laws and regulations;
- recommend or provide standardized tools and services for security solutions, such as antivirus, spyware defense, encryption, security awareness and training;
- facilitate consistency and effectiveness of security solutions;
- provide enterprise-wide access controls (firewalls);
- monitor for security breaches and viruses (intrusion detection);
- develop enterprise-wide policy, standards, and guidelines;
- work with central IT organizations and departments to conduct risk assessments and establish levels of acceptable risk; and
- provide a secure physical environment for central administrative servers.
VI. Other Central IT Organizations
Those individuals within other central IT organizations have responsibility to:
- implement a secure, standard environment;
- comply with applicable UC policies (e.g., BFB IS-3) and federal and state regulations (e.g., HIPAA and SB 1386);
- implement security solutions consistent with the UCSF enterprise;
- adopt enterprise-wide security policies, standards, and guidelines; and
- conduct risk assessments and establish levels of acceptable risk in accordance with BFB IS-3 “Electronic Information Security.”
VII. Technology Support Providers
Technology Support Providers are those individuals who design, manage, and operate enterprise EIRs (e.g. project managers, system designers, computer support coordinators (CSCs), application programmers, or system administrators) and have responsibility to:
- maintain knowledge and expertise regarding relevant security requirements and guidelines;
- analyze potential threats to the security of EIRs;
- assess the feasibility of various security measures in order to recommend mitigation strategies and procedures to Departmental Officials;
- implement security measures that mitigate threats, consistent with the level of acceptable risk established by Department Officials;
- maintain security of departmental servers, desktops, and LANs according to UCSF policies and guidelines;
- provide basic procedures and training on security practices for departmental faculty and staff;
- maintain and track inventory of departmental systems, software, protected data and their protection level classifications;
- establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements;
- communicate the purpose and appropriate use for the resources under their control;
- adhere to UCSF Minimum Standards for Electronic Information Resources and BFB IS-3;
- respond to and report to the Security & Policy Office any suspected or actual security issues and potential threats; and
- provide for ongoing EIR monitoring, assessment, and compliance activities at the local level.
VIII. Authorized Users
UCSF workforce members or others who have been authorized to access an EIR for the purpose of performing their job duties or other functions directly related to their affiliation with UCSF. An Authorized User, when invoking his or her authority to access an EIR, accepts responsibility to:
- obtain knowledge about how to employ relevant security requirements and standards;
- seek assistance from ITS, Medical Center IT or Technology Support Providers when needed to implement the security standards; and
- protect the EIRs under their control, including their individual workstations, unique user ID and passwords, mobile devices, and data.