Roles and Responsibilities Awareness

ITS maintains many standards that support the Information Security Program at ODU. A key standard is the IT Security Roles and Responsibilities standard. This standard describes responsibilities for those who own on-premises systems or contracts for hosted applications, those responsible for data ownership, those responsible for data administration, and others. As more and more services are delivered through hosted applications, the roles of the contract administrator (acting as the system owner), the data owner and the data administrator become key to ensuring the security of the data that is being hosted.

System Owner

The System Owner is the manager or department head who is responsible for operation and maintenance of a University IT system or who is the contract owner for a hosted system. The System Owner must be an employee of the Commonwealth of Virginia and can own multiple systems. The System Owner's IT security responsibilities include:

  • Require that system users complete IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and not less than annually thereafter.
  • Manage system risk and risk documentation via a system risk assessment, and develop additional IT security policies and procedures required to protect the system in a manner commensurate with risk.
  • Understand the type(s) of data handled by the University IT system and determine whether each type of data is also subject to other regulatory requirements. Maintain and implement the University's data classification requirements as spelled out in University Policy 3504 - Data Governance and Classification and supporting Standards, including the ITS 08.1.0 Standard - System Risk Assessment Standard.
  • Classify the IT system as sensitive if any type of data handled by the IT system has a sensitivity of high on any of the criteria of confidentiality, integrity, or availability. Use the Data Governance and Classification Standard as the standard for understanding the classification of data and systems.
  • Through adherence to the IT Security Program or similar practices, follow industry standards such as the International Standards Organization's ISO-27000 series of standards, best practices and the practices of similar higher education institutions.
  • Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
  • Designate System, Application and/or Database Administrators for the system.
  • Participate in the development of the University's Business Impact Analysis (BIA).
  • Develop and maintain an IT System Security Plan via the System Risk Assessment.
  • In consultation with Data Owners, document the IT systems with which data is shared, including the types of shared data or direction(s) of data flow.
  • Ensure an appropriate agreement is in place for any data shared with an external system.

Data Owner

The Data Owner is the manager responsible for the policy and practice decisions regarding data. The Data Owner must be an employee of the Commonwealth of Virginia and can own data in multiple systems. Data Owners are restricted from serving as the System, Application or Database Administrator of the systems they own. The Data Owner's IT security responsibilities include:

  • Know and understand the data for which they are responsible.
  • Maintain and implement the University's data classification requirements as spelled out in University Policy 3504 - Data Governance and Classification and supporting Standards, including the ITS Data Governance and Classification Standard.
  • Provide input to the System Owner on data classification for input into the System Risk Assessment.
  • Communicate data protection requirements to the System Owner.
  • Determine the potential damages to the University if the data was compromised.
  • Define protection requirements for the data, with the support of the System Owner, the System, Application and/or Database Administrators and the Security Administrator, based on the sensitivity of the data, legal or regulatory requirements, and business needs.
  • Develop procedures and define requirements for access to the data.
  • Review and approve requests for access to data under their jurisdiction.
  • Participate in security access audits.
  • Establish policies regarding the manipulation, modification, or reporting of institutional data elements and for creating derived elements, which are also institutional data.
  • Coordinate with the University Records Manager to determine data retention requirements and archiving strategies for storing and preserving historical operational data.

Application Administrator

Application Administrators are individuals or organizations in physical or logical possession of data, through the application, for Data Owners. Unless the application is hosted with an agreement that the vendor will fill this role and an appropriate contract is in place, the Application Administrator must be an employee of the Commonwealth of Virginia and can fill this role for multiple systems. The Application Administrator's IT security responsibilities include:

  • Protect the data in their possession from unauthorized access, alteration, destruction, or usage per the requirements established by the System and Data Owners.
  • Establish, monitor, and operate the application in a manner consistent with security policies and standards.
  • Provide Data Owners and System Owners with reports, when necessary and applicable.