Policy Statement

Background

The University of Houston relies heavily on computers to meet its operational, financial, and information requirements. These computer systems, their related data files, and the information derived from them are important assets of the University. A system of internal controls exists to safeguard these assets. Information is processed in a secure environment, and all computer account owners share the responsibility for the security, integrity, and confidentiality of information. It is the responsibility of owners, custodians, and users to comply with the Texas Administrative Code, Title 1 (TAC 202), the Gramm-Leach-Bliley Act (GLB Act), the Family Educational Rights and Privacy Act (FERPA), and the Health Insurance Portability and Accountability Act (HIPAA). This policy covers both accidental and intentional disclosure of, or damage to, University information.

Scope

This policy statement applies to the security, integrity, and confidentiality of information obtained, created, or maintained by university employees. The definition of information includes paper documents and all computer-related activities involving mainframes, micro and mini computers, and service bureaus.

Definitions

Owner/Program Manager

The owner of a collection of information is the person responsible for the business results of that system, or the business use of the information. In cases where information resources are used by more than one major business function, owners must reach consensus and advise the Information Security Officer as to the designated owner with responsibility for the information resources.

Custodian

The custodian is responsible for the processing and storage of the information. For mainframe, micro and mini applications, the owner or user may retain custodial responsibilities.

User

The user is any person who has been authorized to read, enter, or update information by the owner of the information.

Data

Information, in any form, that is stored by the university and used as a basis for official reasoning, discussion, presentation, or calculation.

Information

Source documents, electronic data files, and any data or reports derived from them.

Responsibilities

Owner

Information processed by a computerized system must have an identified owner, and this assignment must be formally documented. The owner may delegate ownership responsibilities to another individual. The owner of information has the authority and responsibility to:

  1. Judge the value of the information and classify it.
  2. Authorize access and formally assign custody of information.
  3. Specify data controls and communicate the control requirements to the custodian and users of the information.
  4. Determine the statutory requirements regarding retention and privacy of the information, and communicate this information to the custodian.
  5. Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion or disclosure. Controls shall extend to information resources outsourced by the University.
  6. Confirm that controls are in place to ensure the accuracy, authenticity and integrity of data.
  7. Ensure compliance with applicable controls.
  8. Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.
  9. Review access lists based on documented security risk management decisions.
  10. Approve, justify, document and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the Information Security Officer.
  11. Classify business functional information, with the concurrence of the President (or designee).

Custodian

The custodian is responsible for the implementation and administration of controls as specified by the owner. This includes:

  1. Providing physical and technical safeguards.
  2. Providing procedural guidelines for the users.
  3. Administering access to information.
  4. Assisting owners in evaluating the cost-effectiveness of controls and monitoring.
  5. Implementing the monitoring techniques and procedures for detecting, reporting, and investigating incidents.

User

A user of information has the responsibility to:

  1. Use the information only for the purpose intended by the owner.
  2. Comply with all controls established by the owner and custodian.
  3. Ensure that classified or sensitive information is not disclosed to anyone without permission of the owner.
  4. Ensure that his/her individual passwords are not disclosed to, or used by others.
  5. Become familiar with and abide by the General Computing Policies.

Enforcement

A violation of standards, procedures or guidelines established pursuant to this policy shall be presented to Management for appropriate action and could result in disciplinary action, including expulsion, dismissal, and/or legal prosecution.