Information Resources Use and Security Policy

1. Information Resources Security Responsibility and Accountability

1.1. The university must designate responsibility for the information security function by documenting key roles and responsibilities.

1.2. The Chancellor of UT System shall be responsible for the following:

1.2.1. Budgeting sufficient resources to fund ongoing and continuous information security remediation, implementation, and compliance activities that reduce compliance risk to an acceptably low level; and
1.2.2. Ensuring that appropriate corrective and disciplinary action is taken in the event of non-compliance.

1.3. The President of the university shall be responsible for the following:

1.3.1. Compliance with this Policy;
1.3.2. Budgeting sufficient resources to fund ongoing and continuous information security remediation, implementation, and compliance activities that reduce compliance risk to an acceptably low level;
1.3.3. Approving the university's Information Security Program, or designating someone to provide approval; and
1.3.4. Ensuring that appropriate corrective and disciplinary action is taken in the event of non-compliance.

1.4. The Chancellor shall designate an individual to serve as UT System Chief Information Security Officer (CISO). The responsibilities of the UT System CISO shall include the following:

1.4.1. Providing leadership, strategic direction, and coordination for the UT System-wide information security initiative including issuing security practice bulletins relating to standards and best practices;
1.4.2. Establishing the UT System CISO Council and holding meetings at least quarterly;
1.4.3. Developing and providing oversight for a UT System-wide Information Security Compliance Program. This program shall include UT System-wide and institutional action plans, training plans, and monitoring plans;
1.4.4. Providing guidance on the institutional Information Security Program including organizational duties and responsibilities, covered activities, authority to act, terminology definitions, standard methodologies, and minimum standards;
1.4.5. Defining the risk management process to be used for all information security risk management activities;
1.4.6. Exploring and recommending the acquisition of tools and resources that can be utilized UT System-wide and how expertise can be shared among institutions;
1.4.7. Establishing reporting guidance, metrics, and timelines and monitoring effectiveness of security strategies at each institution; and
1.4.8. Apprising the Chancellor and Board of Regents quarterly on the status and effectiveness of the information security compliance programs and activities at each institution.

1.5. The university's Vice President for Information Technology and Chief Information Officer (CIO), who is charged with oversight of information technology for the university, shall serve in the functional role of Information Resources Manager (IRM) as defined by the state and will have authority for the entire university.

1.6. The President shall designate an individual other than the Information Resources Manager (IRM) to serve as the university's Chief Information Security Officer (CISO) who shall serve in the capacity as required by state law and with authority for all of the university. The responsibilities of the CISO shall include the following:

1.6.1. Assuring information security for all centrally maintained and all distributed systems and computer equipment;
1.6.2. Developing an institutional Information Security Compliance Program. This program shall include institutional action plans, training plans, and monitoring plans;
1.6.3. Conducting and documenting an information security assessment annually in accordance with 1 TAC 202.72 that identifies Mission Critical Information Resources in the central and decentralized areas;
1.6.4. Ensuring an annual information security risk assessment is performed (using the process defined above) by each Owner of Mission Critical Information Resources;
1.6.5. Requiring each Owner of Mission Critical Information Resources to designate an Information Security Administrator (ISA);
1.6.6. Establishing an Institutional Information Security Working Group composed of ISAs and holding meetings at least quarterly;
1.6.7. Documenting and maintaining an up-to-date Institutional Information Security Program. The program shall identify specific mitigation strategies to be used by each Owner of Mission Critical Information Resources to manage identified risk;
1.6.8. Establishing reporting guidance, metrics, and timelines and monitoring effectiveness of security strategies in both central and decentralized operations;
1.6.9. Communicating instances of non-compliance to appropriate administrative officers for corrective, restorative and/or disciplinary action; and
1.6.10. Reporting quarterly to the UT System CISO the current status of the information security risk assessment and Information Security Program, including any significant incidents, situations of non-compliance, barriers to program execution, and planned remedies. The report is to include a certification that best efforts have been made to ensure appropriate strategies are being applied consistently over time, and that all security incidents have been reported.

1.7. Owners of Mission Critical Information Resources at the university shall designate an individual to serve as an Information Security Administrator (ISA) to implement information security policies and procedures and to report incidents to the CISO. The responsibilities of the ISA shall include the following:

1.7.1. Implementing and complying with all university information technology policies and procedures relating to assigned systems;
1.7.2. Reporting general computing and security incidents to the CISO;
1.7.3. Assisting, as a member of the ISA Working Group, the CISO in developing, implementing, and monitoring the Information Security Program;
1.7.4. Establishing reporting guidance, metrics, and timelines for the CISO to monitor effectiveness of security strategies in both the centralized and decentralized operations; and
1.7.5. Reporting at least annually to the CISO about the status and effectiveness of information resources security controls.

1.8. Department Heads and Principal Investigators (PI) at the university shall be responsible for compliance with this policy as it relates to Non-Research and Research Data respectively under their control, including when holding subcontracts for projects in which the prime award is at another institution or agency.

1.9. The university's Offices of Institutional Compliance and Internal Audit shall provide high-level monitoring of the Information Security Compliance Program through inspections and verifications of reported information and periodic audits respectively.

1.10. All Users must comply with this policy. Users who fail to comply are subject to disciplinary action in accordance with Section 28.