Technology Standard

Contingency Planning and Business Recovery Program

IT Security Roles and Responsibilities

Version: 1.0
Status: Approved: 2/21/07
Contact: Director, Technology Services


PURPOSE

To provide guidance in assigning key IT security roles. Information technology security roles are assigned to individuals to ensure accountability and compliance across the information technology processes. The role or working title and the assignment of personnel for each security role may differ at each college; however, it is critical that each function be identified and that the individuals assigned have the appropriate skill sets. Individuals may be assigned multiple roles, as long as the multiple role assignments provide adequate separation of duties, provide adequate protection against the possibility of fraud, and do not lead to a conflict of interest.


SCOPE

The IT Security Roles and Responsibilities Standard covers all VCCS and college business processes and the related Information Technology infrastructure.


APPLICABILITY

The IT Security Roles and Responsibilities Standard is applicable to the System Office and all Colleges.


STANDARD

One of the key components in building a strong IT security organization is to clearly identify all the primary roles and responsibilities. To support the VCCS security infrastructure and the local college security infrastructure, the following roles and associated responsibilities are required:

Required:

College Presidents – Each College President is responsible for the College’s IT systems and data. Their IT security responsibilities include:

  1. Designate an ISO for the College via e-mail, providing the employee’s name, title and contact information to VCCS annually or as personnel changes are made. The College President is strongly encouraged to designate at least one backup for the ISO as well.

  2. Determine the optimal place of the IT security function within the College hierarchy, with the shortest practicable reporting line to the College President.

  3. Maintain an IT security program that is sufficient to protect the College’s IT systems, and that is documented and effectively communicated.

  4. Review and approve the College’s Business Impact Analyses (BIA), Risk Assessment (RA), and Continuity of Operations Plan (COOP), including an IT Disaster Recovery Plan, if applicable.

  5. Accept residual risk as described in section 2.5 of the IT Security Audit Standard (COV ITRM Standard SEC502-00).

  6. Maintain compliance with the IT Security Audit Standard (COV ITRM Standard SEC502-00) and the guidance provided in the VCCS Contingency Planning and Business Recovery Program. This compliance must include, but is not limited to:

    1. Requiring development and implementation of the College Contingency Planning and Business Recovery Program, and submitting the Annual Statement of Compliance to the System Office;
    2. Requiring that the planned IT security audits are conducted;
    3. Receiving reports of the results of IT security audits;
    4. Requiring development of Corrective Action Plans to address findings of IT security audits; and
    5. Reporting to the System Office all IT security audit findings and progress in implementing corrective actions in response to IT security audit findings.

  7. Facilitate the communication process between IT staff and those in other areas of the College.

  8. Establish a program of IT security safeguards.

  9. Establish an IT security awareness and training program.

  10. Provide the resources to enable employees to carry out their responsibilities for securing IT systems and data.

  11. Ensure that managers at all levels in the colleges provide for the IT security needs under their jurisdiction, take all reasonable actions to provide adequate IT security, and escalate problems, requirements, and matters related to IT security to the highest level necessary for resolution.

VCCS Information Security Officer – The System Office ITS Office has been designated as the primary liaison for developing and managing the VCCS IT security program and the supporting shared security infrastructure. As such, this office will perform the following duties:

  1. Administers the VCCS Contingency Planning and Business Recovery Program and periodically assesses whether the program is implemented in accordance with COV IT Security Policies and Standards.

  2. Prepares requested exceptions to COV IT Security Policies, Standards and Procedures.

  3. Provides solutions, guidance, and expertise in IT security.

  4. Maintains awareness of the security status of sensitive IT systems.

  5. Facilitates effective implementation of the VCCS Contingency Planning and Business Recovery Program by:

    1. Preparing, disseminating, and maintaining IT security policies, standards, guidelines and procedures as appropriate;
    2. Collecting data relative to the state of IT security in VCCS and communicating as needed; and
    3. Providing consultation on balancing an effective IT security program with college needs.

  6. Provides networking and liaison opportunities to the College Information Security Officers (ISOs).

  7. Serves as the VCCS primary security liaison with VITA and the Chief Information Security Officer (CISO), facilitating the required communications on all IT matters that may impact the System Office and the twenty-three colleges.

College Information Security Officer (ISO) – The ISO is responsible for the development and administration of the college Contingency Planning and Business Recovery Program as well as the college local IT security architecture. They are expected to perform the following duties:

  1. Develop and manage the college IT security program that meets or exceeds the requirements of VCCS and COV IT security policies and standards in a manner commensurate with risk.

  2. Develop and maintain an IT security awareness and training program for the college staff, including contractors and IT service providers.

  3. Coordinate and provide IT security information to the VCCS ISO as required.

  4. Implement and maintain the appropriate balance of protective, detective and corrective controls for college and VCCS IT systems commensurate with data sensitivity, risk and system criticality.

  5. Mitigate and report all IT security incidents in accordance with §2.2-603 of the Code of Virginia and related VCCS requirements, and take appropriate actions to prevent recurrence.

  6. Maintain liaison with the VCCS ISO.

System Administrators – The System Administrator is an analyst, engineer, or technician who implements, manages, and/or operates a system or systems. The System Administrator assists College and System Office management in the day-to-day administration of the IT systems, and implements security controls and other requirements of the local IT security program on IT systems for which the System Administrator has been assigned responsibility. Typically, in the VCCS, these are SIS Security Officers, LAN Administrators, Network Security Engineers, etc.

IT System Users – All users of COV IT systems, including employees and contractors, are responsible for the following:

  1. Read and comply with VCCS Contingency Planning and Business Recovery Program requirements as well as VCCS and college IT policies, standards, and guidelines.

  2. Report breaches of IT security, actual or suspected, to their college management and/or the ISO.

  3. Take reasonable and prudent steps to protect the security of IT systems and data to which they have access.

Recommended:

System Owner – The System Owner is the manager responsible for operation and maintenance of an IT system. With respect to IT security, the System Owner’s responsibilities include the following:

  1. Require that all IT system users complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to the system, and no less than annually thereafter.

  2. Manage system risk and develop any additional IT security policies and procedures required to protect the system in a manner commensurate with risk.

  3. Maintain compliance with VCCS and COV IT security policies and standards in all IT system activities.

  4. Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.

  5. Designate a System Administrator for the system.

Data Owner – The Data Owner is the manager responsible for the policy and practice decisions regarding data, and is responsible for the following:

  1. Evaluate and classify the sensitivity of the data.

  2. Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.

  3. Communicate data protection requirements to the System Owner.

  4. Define requirements for access to the data.

Data Custodian – Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners. Data Custodians are responsible for the following:

  1. Protect the data in their possession from unauthorized access, alteration, destruction, or usage.

  2. Establish, monitor, and operate IT systems in a manner consistent with VCCS and COV IT security policies and standards.

  3. Provide Data Owners with reports, when necessary and applicable.

Separation of Duties

When assigning security roles, the security concept of separation of duties should be maintained whenever possible. This includes assigning roles so that:

  1. The ISO is not a System Owner or a Data Owner.

  2. The System Owner and the Data Owner are not System Administrators for the systems or data they own.

  3. The ISO, System Owners, and Data Owners are Commonwealth of Virginia employees.
