7.5.8 Data Owner Policy
A. Purpose
This policy outlines which systems require Data Owners, their responsibilities, and the responsibilities of the ISO related to Information Resources Owners.
B. Persons Affected
This policy applies to any University of Texas at Tyler Data Owner (also known as "Information Owner" and "Information Resources Owner") of an application that directly or indirectly deals with or supports the financial, clinical, educational, research, administrative, or other integral mission of University of Texas at Tyler (the "University") as identified by the Information Security Officer (ISO).
C. Definitions
Data Owner: The manager or agent responsible for the business function that is supported by the information resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security and authorizing access to the information resource. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared.
Information Security Program: The policies, procedures, elements, structure, strategies, plans, metrics, reports and resources that establish an information resources security function within an entity.
D. Policy
Systems necessitating data owners are those on which institutional sensitivity and security rest. Personal systems that have no further-reaching effect on the function of the University do not require assigned data ownership. However, if a system affects the institution by means of breaching confidentiality, harming health care, risking information security or financial assets, or causing other consequences that could have harmful effects on the University at large, that system must be assigned a data owner.
Information technology systems, modules, and dictionaries meeting the above criteria and all grants or clinical trials will be assigned Data Owners.
Information Security Officer (ISO) Responsibilities
Ensure resource Data Owners are designated to all applicable systems.
Maintain a database of Owners and their systems.
Establish and administer the Information Security Program.
Provide adequate data ownership training.
Data Owner Responsibilities
Grant access to Information Systems and Data.
Control, review, and monitor access to Data based on Data sensitivity and Risk; User access will be reviewed at least annually.
Classify Data based on the Institution’s Data Classification Standard.
Conduct Risk assessments that identify the Information Resources under their authority and the level of Risk associated with the Information Resources and the vulnerabilities, if any, to the Institution’s information security environment.
Define, recommend, and document acceptable Risk levels for Information Resources and Risk mitigation strategies.
Document and justify, in collaboration with the ISO, any exceptions to specific program requirements due to extenuating circumstances within the Owner’s area of responsibility.
Ensure that Data is securely backed up in accordance with Risk management decisions.
Ensure that Data is maintained in accordance with the applicable University records retention schedule and Procedures.
Provide documented permission and justification for any User who is to store Confidential University Data on a Portable Computing Device or a Non-University Owned Computing Device.
Ensure that High Risk Computing Devices and Confidential Data are encrypted in accordance with requirements specified in UTS165 Standard 11 - Safeguarding Data.
Ensure that Information Resources under their authority are assigned to and administered by qualified Information Resources Custodians.
Ensure that a Risk assessment is performed prior to purchase of any software that has not been previously assessed by the Institution for use under similar circumstances.
Ensure that a third-party Risk assessment is performed prior to purchase of Vendor services that involve hosting or accessing University Data; and ensure that contracts involving products or services that impact Information Resources contain information security language appropriate to the Risk.
Specify appropriate controls, based on a risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the institution of higher education. Coordinate data security control requirements with the ISO.
Convey data security control requirements to custodians, providing authority to custodians to implement security controls and procedures.
Notify the ISO of any ownership changes of the information system.
If applicable, maintain the system's test environment.
Determine the asset's value.
E. References
Data Owner SharePoint Folder
Data Owner List
UT System Policy - UTS 165
Texas Administrative Code - Chapter 202
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023