ISP-01 - Information Security Roles and Responsibilities

INFORMATION SECURITY ROLES AND RESPONSIBILITIES

Policy Objective

The responsibility for complying with the Information Security Program and associated regulations is shared across the entire college. This policy aims to clarify the roles and duties of information security functions to establish a successful security program.

Scope

All Information Security Policies at Parkland College

Policy

Section 1 – Information Security Program Management

Section 1a – The College President

The College President has primary responsibility for campus information security and safety.

  • Ensure the institution’s compliance with information security policies and standards

  • Designate an individual to serve as Chief Information Security Officer

  • Approve the Parkland College Information Security Program

  • Ensure appropriate corrective action is taken in the event of noncompliance

Section 1b – Vice President of Administrative Services and CFO

  • Budget sufficient resources to fund the information security program and initiatives including ongoing implementation, remediation, and other risk-reduction activities

  • Ensure procurement processes are compliant with information security policies and standards

  • Manage and review the College’s cyber insurance policies to ensure sufficiency and appropriateness of coverage

Section 1c – Chief Information Officer

  • Provide critical input and oversight to the Information Security Program

  • Ensure the College technology strategy includes and is informed by information security

  • Ensure Information Technology resources are employed to implement solutions and controls as required by information security policies and standards

Section 1d – Chief Information Security Officer

  • Develop and maintain a comprehensive, risk-based Information Security Program

  • Develop and maintain a comprehensive Vulnerability Management Program

  • Develop and communicate Security Incident Management policies, standards, and procedures including reporting, investigation, and response

  • Partner with the College community and stakeholders to ensure the security of information systems is maintained and appropriate controls are applied as part of the Information Security Program

  • Provide information security oversight for all IT information resources

  • Provide leadership and strategic direction for Parkland College information security, including facilitating security policies, standards, procedures, and guidelines

  • Ensure compliance with required and relevant laws, statutes, regulations, and standards

  • Apprise the President, Vice President, and Board of Trustees of the status and effectiveness of the Parkland College Information Security Program and related activities

  • Provide guidance and prioritization of Information Security efforts

Section 2 – Information Security Program Implementation

Section 2a – Department Heads

  • Oversee the execution of Parkland Information Security policies, standards, procedures, and guidelines within their respective departments

  • Manage cyber risk for their department including establishing acceptable risk tolerance levels and making risk decisions for their departments

  • Act as de facto owners and/or controllers for data within their department

  • Classify and appropriately secure data within their purview

  • Report information security incidents or compliance failures to the Chief Information Security Officer

  • Ensure compliance with information security training and education throughout their respective departments

  • Ensure, in collaboration with IT, that services their respective departments purchase or use, including those managed by service providers, hosted in the cloud, or delivered as software-as-a-service (SaaS), meet all applicable security requirements

Section 2b – Information Resource or Data Owners / Stewards

Disambiguation: Owners are senior stakeholders accountable for systems and data with authority to make and authorize changes to the systems and data. Stewards are individuals responsible for implementing the data usage and security policies.

  • Approve granting access to information resources or data

  • Classify data based on the published Parkland College Data Classification standards and review the classifications at least annually.

  • Control and monitor access to data based on classification, sensitivity, and risk

  • Conduct inventories and risk analysis to identify the information resources or data under their purview and document the resource and level of risk

  • In consultation with IT, ensure processes are in place to ensure the availability of the data under their purview including disaster recovery, system continuity, and backups of data

  • Ensure data follows record retention and disposition procedures in line with regulatory requirements and the sensitivity of the data

  • Follow policies (ISP-09: Data Classification, ISP-16: Information Lifecycle Policy), related standards, and any departmental procedures relating to the storage and transmission of sensitive information

  • Ensure that risk assessments related to the data and systems over which they have authority are performed on a regular basis and any mitigations required are implemented, including vendors and other third parties who may be storing or processing data

Section 2c – Information Resource or Data Custodians

Disambiguation: The custodian of data or information resources is the person or entity responsible for the protection of the applications, data, and systems under their charge.

  • Implement approved risk mitigation strategies and adhere to information security policies, standards, and procedures to manage risk levels for information resources under their care

  • Implement monitoring controls for detecting improper activity

  • Report any incidents identified through monitoring and telemetry

  • Control and monitor access to Information Resources under the custodian’s care based on sensitivity and risk

  • Implement and adhere to Parkland's approved Change Management processes (ISP-07: Change Management)

  • Encrypt high-risk computing devices and Confidential data in accordance with published policies and standards

  • Provide appropriate technical training to employees performing support for information resources under their purview

  • Ensure that staff under their authority are qualified to perform their assigned duties

Section 2d – Security Administrators

Disambiguation: Security Administrators are any individuals who set operational security settings on systems or data and have direct responsibility for implementing security controls on these assets. They are not necessarily information security staff.

  • Implement and comply with all IT and security policies, standards, and procedures related to assigned systems or data regardless of form, whether digital or physical

  • Implement directives from the Information Security Office

  • Ensure the completeness of control implementation and verify effectiveness

  • Assist data owners with applying appropriate controls to secure their data

  • Monitor implemented controls and report any violation to the Information Security Office

Section 2e – Service Administrators

Disambiguation: Service Administrators are all operational administrators who install, configure, and perform day-to-day management and maintenance of systems and processes. They are also often referred to as systems administrators, network administrators, application administrators, technical administrators, and the support titles of all the above.

  • Ensure the system or service is set up and configured in a secure manner

  • Follow consistent, documented, and repeatable change management processes and procedures

  • Ensure the confidentiality, integrity, and availability of the systems and data under their control

Section 2f – Users

  • Users must be aware of the value of information security and the value of the data that they use and access. As such, users have a responsibility to protect systems and data reasonably and to use systems and data in a manner appropriate to their role within Parkland College.

  • Users must follow the Information Security policies and standards and must comply with the published Responsible Use Policy as well as any policies, standards, or procedures related to the use, processing, or treatment of systems and data.

  • In addition, users must be aware of the sensitivity and classification of the systems and data they are accessing and using and must treat that data accordingly.

Details

Article ID: 156028
Created: Wed 5/31/23 1:39 PM
Modified: Wed 5/31/23 4:27 PM
