Policy Number: 
Date Drafted: 
Date Posted for Review: 
Approved Date: 
Revision Date: 
To define the roles and responsibilities of the members of the University community who are responsible for information assets and security at the University of Iowa.


Policy Statement:
The University of Iowa is responsible for implementing a comprehensive enterprise information security program.  This responsibility is delegated to the following groups and individuals:

University Level Roles:

  • Data Steward
  • Information Security Committee
  • Chief Information Security Officer

Unit Level Roles:

  • Business Owner
  • Department Security Liaison
  • Data Custodian
  • Authorized User

Data Steward
The enterprise vice-president or top-level executive having policy-level responsibility for a particular set of information assets. The Data Steward will:

  1. Establish standards for business use of information.
  2. Assign administrative responsibility to Business Owners.
  3. Monitor compliance and periodically review violation reports.

Information Security Committee (ISC)
The Information Security Committee is responsible for governance and oversight of the enterprise information security program. The ISC will:

  1. Analyze and manage institutional risks.
  2. Review and recommend policies, procedures, and standards.
  3. Ensure consistency in disciplinary processes for violation.

Chief Information Security Officer
The official responsible for directing implementation of the enterprise information security program. The Chief Information Security Officer will:

  1. Coordinate the development and maintenance of information security policies and standards.
  2. Investigate security incidents and coordinate their resolution as defined in the IT Security Incident Escalation Policy.
  3. Assist Business Owners in assessing their data for classification as defined in the Institutional Data Access Policy and advise them of available controls.
  4. Implement an information security awareness program.
  5. Serve as liaison to the Information Security Committee, law enforcement, Internal Audit, and University Legal Services.
  6. Provide consulting services for information security throughout the enterprise.

Business Owner
The senior official within a college or departmental unit (or his/her designee) accountable for managing information assets. The Business Owner will:

  1. Approve business use of information.
  2. Identify Data Custodian(s) (see below) for each segment of information under his/her control.
  3. Ensure implementation of policies, and documentation of process and procedures for guaranteeing availability of systems, including:
     • Risk assessment
     • Disaster recovery
     • Operating in an emergency
     • Software testing and revision controls
  4. Determine security classification of each segment of data as described in the Institutional Data Access Policy.
  5. Define departmental access roles and assign access for individuals based on their need to know.
  6. Ensure that all department/unit personnel with access to information assets are trained in relevant security and confidentiality policies and procedures.
  7. Ensure the protection of health information assets under his/her control, including:
     • Register all health information assets containing individually identifiable health information (e.g., Protected Health Information, or "PHI") in any medium with the University HIPAA Privacy Officer.
     • Ensure that validated corrections to health information are implemented.
     • Ensure compliance with federal and state laws and University policy regarding the use of individually identifiable health information in directed communication/solicitation.
     • Require the completion of an information sharing agreement before access to health information assets is granted to external entities.

Network Security Contact (NSC)
The individual within a department/unit who acts as a liaison for timely and relevant information flow between central networking and IT security personnel and the department/unit. 

The NSC will:

  1. Receive all security vulnerability reports for departmental/unit computer systems and disseminate such information to appropriate technical staff for resolution.
  2. Receive network alerts, outage notifications, or other networking issues affecting the department/unit and disseminate such information to appropriate staff.
  3. Coordinate departmental response to computer security incidents.

Data Custodian
The technical contact(s) that have operational-level responsibility for the capture, maintenance, and dissemination of a specific segment of information, including the installation, maintenance, and operation of computer hardware and software platforms. The data custodian may or may not be IT staff.  The Data Custodian will:

  1. Define and implement processes for assigning User access, revoking User access privileges, and setting file protection parameters.
  2. Implement data protection and access controls conforming to the Institutional Data Access Policy, Information Security Framework Policy, and the Computer Data and Media Disposal Policy.
  3. Define and implement procedures for backup and recovery of information as defined in the Backup and Recovery Policy.
  4. Ensure processes are in place for the detection of security violations.
  5. Monitor compliance with information security policy and standards.
  6. Limit physical access to information assets, including:
     • Equipment control (inventory and maintenance records), and physical security of equipment (locks, HVAC).
     • Authorization procedures prior to physical access to restricted areas, such as data centers, with sign-in or escort of visitors, as appropriate.
  7. Implement a system for software change management and revision controls.
  8. Maintain ongoing internal audit processes (to the extent technologically practical), which record system activity such as log-ins, file accesses, and security incidents.
  9. Maintain records of those granted physical access to restricted areas (i.e., key card access lists).
  10. Provide special handling and physical protection for health information assets, including:
     • Operating and maintenance personnel are given access only as necessary to perform system maintenance responsibilities. Authorized persons supervise all external personnel performing maintenance activities.

Authorized User
Individuals who have been granted access to specific information assets in the performance of their assigned duties are considered Authorized Users ("Users"). Users include, but are not limited to faculty and staff members, trainees, students, vendors, volunteers, contractors, or other affiliates of the University of Iowa.  Users will:

  1. Seek access to data only through the authorization and access control process.
  2. Access only that data which s/he has a need to know to carry out job responsibilities.
  3. Disseminate data to others only when authorized by the Business Owner.
  4. Report access privileges inappropriate to job duties to the Business Owner for correction.
  5. Attend training in security and confidentiality policies/procedures.
  6. Access to Level III data must be individually authorized by the Business Owner and an annual confidentiality agreement must be acknowledged or signed by all authorized users.
  7. Perform all responsibilities of Data Custodian when placing institutional data on personally owned or managed devices.

Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://opsmanual.uiowa.edu/community-policies/acceptable-use-information-technology-resources).

Backup and Recovery Policy
Computer Data and Media Disposal Policy
Information Security Framework Policy
Institutional Data Access Policy
IT Security Incident Escalation Policy