Data Ownership

1

Data Ownership

The University of Texas at TylerDiane Garrett, Information Security Officer

Responsibilities & Procedures

2

Why Do I need training?• In the past Information Resources

(central IT) managed & owned most of the data on our campus

• Several areas have information resources outside of central IT’s operations in outlying areas of our University have set up resources

• With decentralized data ownership, the need for training is essential to comply with state law and UT System policy

3

Basis for training:• Data ownership is required by Texas

state law & UT System Policy TAC 202 UTS 165

• Provides accountability for the data which is gathered, stored, & transmitted by the University

• Data owners will be able to identify security requirements that are most appropriate for their data.

4

At the end of training you:• Will have been presented with the

state and UT System requirements for data ownership

• Will be able to classify the data on your resource & provide an initial value for your asset

• Will have a basic understanding of the Risk Assessment requirements

• Will formally acknowledge your resources, the custodians, & ISA’s

5

Legal Jargon & Policy Talk

• Exposure to Texas Administrative Code (TAC) 202

• Exposure to UT System (UTS) Policy 165

• Attack low-lying fruit (things we can accomplish now or in a short period of time)

• Talk about future actions on the road to full compliance

6

THE BORINGBUT

NECESSARYEVILS

7

TAC 202 Language

Data Owner Definition:• A person with statutory or

operational authority for specified information (e.g., supporting a specific business function) and responsibility for establishing the controls for its generation, collection, processing, access, dissemination, and disposal

8

TAC 202 Data Owner Responsibilities

The owner or his or her designated representative(s) are responsible for and authorized to:

• Approve access • Formally assign custody of the

information resource asset• Determine the asset's value• Specify data controls and

convey to users and custodians

9

• Specify appropriate controls, based on a risk assessment, to protect the information resource from:

unauthorized modification unauthorized deletion unauthorized disclosure

• These controls extend to resources and services outsourced by UT Tyler

10

• Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources.

• Assign custody of information resources assets

• Provide appropriate authority to implement security controls and procedures.

11

• Review access lists based on documented risk management decisions.

• Approve, justify, document, and be accountable for exceptions to security controls.

• The information owner shall coordinate exceptions to security controls with the agency information security officer

12

• The information owner, with the concurrence of the state agency head or his or her designated representative(s), is responsible for classifying business functional information.

13

UTS 165 Language

Data Owner Definition:The manager or agent responsible for the business function that is supported by the information resource or the individual upon whom responsibility rests for carrying out the program that uses the resources.  The owner is responsible for establishing the controls that provide the security and authorizing access to the information resource. 

14

Definition continued:The owner of a collection of information is the person responsible for the business results of that system or the business use of the information.  Where appropriate, ownership may be shared.

15

UTS 165 Responsibilities

• Grants access to the Information System under his/her responsibility.

• Classifies Digital Data based on Data sensitivity and risk.

• Backs up Data under his/her responsibility in accordance with risk management decisions and secures back up media.

16

−Owner of Mission Critical Information Resources

• Designates an individual to serve as an Information Security Administrator (ISA) to implement information security policies and procedures and for reporting incidents to the ISO.

• Performs an annual information security risk assessment and identifies, recommends, and documents acceptable risk levels for information resources under his/her authority.

17

Data Classification• To determine to what extent a

resource needs to be protected, the data which resides on the system must be classified

• UT Tyler adopted UT Austin’s data classification guidelines

• http://www.uttyler.edu/ISO/dataclassification.html

18

3 Categories of Data

19

Category I data:• University data protected specifically

by federal or state law or University of Texas at Tyler rules and regulations.

−Examples of Laws:• FERPA• HIPPA• Texas Identity Theft Enforcement &

Protection Act

20

Examples of Category I data:

• Social Security number • Credit Card Numbers• Grades (including test scores,

assignments, and class grades) • Personal vehicle information • Access device numbers (building

access code, etc.) • Biometric identifiers and full face

images

21

More Cat I data:

• Patient Medical/Health Information (HIPPA) protected data

• Payment Guarantor's information • Human subject information • Sensitive digital research data

22

Category II data: • University data not otherwise

identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.) Such data must be appropriately protected to ensure a controlled and lawful release.

23

Examples of Category II data:

• The calendar for a university official or employee

• The emails of a university official or employee containing sensitive information

• Date of birth, place of birth of students or employees

• Internal audit data

24

More Cat II data:

• Student evaluations of a specific faculty member

• Human subjects research data with no personal identifying information

25

Category III data: • University data not otherwise

identified as Category-I or Category-II data (e.g., publicly available).

26

Examples of Category III data:

• Departmental Web site • Blogs • Library data and holdings • Public phone directory • Course catalog and curriculum

information • General benefits information

27

More Cat III data:• Enrollment figures • Publicized research findings • State budget • All public information

28

Road Map To

Compliance

291

Compliant

2

3

4

56

Training

Assess and classify information

Assign system custodian/sign acknowledgement

Complete annual/biennial risk assessments

7

Identify security controls based on risk

Review and approve system access periodically

Prepare/update disaster recovery plans

8 Monitor/ensure compliance

2010 FY

2011 FY

30

2009-2010 (Now)• Training (Done)• Assess and classify information

Classify the data on your systems (Cat I, Cat II, Cat III) & determine if mission critical (to dept or institution)

Assign a monetary value to your system (replacement value of system)

If you are able to assign a monetary value to the data, that is even better (very hard to do)

31

• Assign system custodian/sign acknowledgement Will do this at end of training

• Complete annual/biennial risk assessments Purchased Risk Watch Surveys will be sent out Will build on questions each year

32

2010-2011 • Update resource list and reclassify

data and value of assets as needed• Identify security controls based on

risk (from previous year’s risk assessment)

• Review and approve system access periodically

• Perform annual risk assessments if mission critical resource

33

2010-2011 continued • Prepare/update disaster recovery

plans (only if necessary)• Monitor/ensure compliance