Effective: July 1, 2004
Updated/Revised: November 8, 2012
Contact: Office of the Chief Information Officer (CIO)
1. Policy Statement
2. Specific Roles and Responsibilities
2.1 Chief Information Officer (CIO)
2.2 Data Steward
2.3 Data Custodian
2.4 Data User
2.5 Colleges, Departments, and Other Units
2.6 Individuals Using Personally-Owned Computers and Other Network Devices
2.7 Third Party Vendors
2.8 Other Registered Entities
3. Risk Assessment
4. Data Protection Requirements
5. Reporting of Security Incidents
Iowa State University acknowledges its obligation to ensure appropriate security for information and IT (information technology) systems in its domain of ownership and control. Furthermore, the university recognizes its responsibility to promote security awareness among the members of the Iowa State University community.
Iowa State University develops, publishes, and enforces policies and standards in order to achieve and maintain appropriate protection of university information and information processing systems. This document along with related information security policies and standards (see Resources below) identifies key security issues for which individuals, colleges, departments, and units are responsible.
Every member of the university community is responsible for protecting the security of university information and information systems by adhering to the objectives and requirements stated within published university policies. Also, individuals are required to comply with the additional security policies, procedures, and practices established by colleges, departments or other units. If multiple policy statements or security standards are relevant for a specific situation, the most restrictive security standards will apply.
Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action.
All units—from the university level through the college, department, and unit level—must provide opportunities for individuals to learn about their roles in creating a secure IT environment.
The Office of the Chief Information Officer has overall responsibility for the security of the university's information technologies. Implementation of security policies is delegated throughout the university to various university services (noted below); to colleges, departments, and other units; and to individual users of campus IT resources.
The data steward is the university office represented by an executive officer charged with the primary responsibility and authority to ensure that Iowa State University meets external and internal requirements for privacy and security of specific types of confidential and business data owned by the university in their functional areas. These data stewards, as a group, are responsible for recommending policies, establishing standards and guidelines for university-wide data administration activities. Data stewards may delegate the implementation of university policies, standards, and guidelines to data custodians. They are also responsible for advising colleges, departments, units, and individuals in security practices relating to these areas:
The data custodian is the individual or entity (including outsourced services) in possession or control of data and is responsible for safeguarding the data according to the policies and procedures established by the associated data steward. The appropriate level of protection is based on the Data Classification policy (pending) and the Minimum Security Standards for Protected Data (pending: see Resources below).
The data user, synonymous with user, is the individual, automated application or process that is authorized by the data steward to create, enter, edit, and access data, in accordance with the data steward's policies and procedures. Users have a responsibility to:
Colleges, departments, and other units are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other university systems (e.g., student educational records, personnel records, business information). This responsibility includes completing periodic risk assessments, developing and implementing appropriate security practices, and complying with all aspects of this policy.
Students, faculty, and staff who use personally-owned systems to access university resources are responsible for the security of their personally-owned computers or other network devices and are subject to the following:
Third party vendors providing hosted services and vendors providing support, whether on campus or from a remote location, are subject to Iowa State University security policies and will be required to acknowledge this in the contractual agreements. The vendors are subject to the same auditing and risk assessment requirements as colleges, departments, and other units. All contracts, audits and risk assessments involving third party vendors will be reviewed and approved by the university data steward based on their area of responsibility.
Any entity that is a registered user and connected to the university network is responsible for the security of its computers and network devices and is subject to the following:
Risk assessment is a systematic process used in determining potential for and impact of a negative event by evaluating the nature of the information and information systems.
All information systems must meet the Minimum Security Standards for Protected Information based on the Data Classification policy (the standards and policy are pending; see Resources below). Some selected systems will be designated for conducting a risk assessment at a prescribed frequency in the Schedule of Risk Assessments for Information Security (see Resources below). These selected systems will have the documented findings and any future actions placed on file for audit and accountability purposes.
Data is a valuable asset of the university, and some data must be protected with a higher level of attention and caution. The level of protection is based on the method defined by the Data Classification policy along with the Minimum Security Standards for Protected Data (the policy and standards are pending; see Resources below).
A critical component of security is to address security breaches promptly and with the appropriate level of action. All individuals are responsible for reporting incidents in which they suspect data, computer or network security may have been compromised. The IT Security Incident Reporting policy (see Resources below) outlines the responsibilities of colleges, departments, units, and individuals in reporting as well as defining procedures for handling security incidents.