UTS 165 Information Resources Use and Security Policy

Sec. 1 Purpose

The purpose of this Policy document is to establish the objectives and expectations for Information Security to support the University of Texas System (UTS) in achieving its mission, objectives, and applicable external and internal compliance obligations.

Sec. 2 Scope

This Policy applies to all UT System employees, users, third-party service providers, research partners, and other authorized users of UT System information resources, information systems, assets, and data, as contractually obligated and/or defined by UT System. All users who work within IT facilities at UT System, including authorized vendors, visitors, and contingent workers, must adhere to this Policy when using UT System information resources unless otherwise contractually documented and agreed.

Sec. 3 Authority

The System Administration and Institutional roles that have the authority to implement, enforce, and support the Objectives set forth in the UTS 165 Policies are summarized as follows:

System Administration Roles:
Chancellor
Must designate an individual to serve as the University of Texas (UT) System Administration Chief Information Security Officer (CISO), budget sufficient resources to fund ongoing information security remediation, implementation, and compliance activities that reduce compliance risk to an acceptable level, and ensure that appropriate corrective and disciplinary action is taken in the event of non-compliance.
UT System Administration Chief Risk Officer (CRO)
Must include information security and privacy strategies and risks in appropriate risk related forums and processes.
UT System Administration Chief Information Security Officer (CISO)
Must provide leadership, strategic direction, and coordination for the systemwide information security program, including issuing Policies and Standards, chairing and holding meetings of the UT System CISO Council at least quarterly, developing and overseeing a systemwide Information Security Compliance Program, and providing guidance to Institutions on information security best practices and strategic systemwide alignment.
UT System Administration Chief Information Officer (CIO)
Must implement security controls for the entire Institution in accordance with the Institutional information security program developed by the Institutional Information Security Officer (ISO), review and approve or disallow the purchase, deployment, or implementation of information systems and services, and operationalize an Institution-wide system management practice, based on the Institutional information security program and the corresponding Standards for vulnerability management, that ensures institutional accountability.
UT System Administration Chief Privacy Officer (PO)
Must coordinate and collaborate with Institutional Privacy Officers (PO) to provide strategic direction, guidance, and alignment on the privacy objectives of the overarching UT System, and to commit to and protect the privacy of UT System students, faculty, staff, clinicians, and patients in the handling of personal and confidential data. Must create and oversee the privacy awareness program within System Administration departments, periodically providing training and best practices.
UT System Administration Research Security Officer (RSO)
Must collaborate with and facilitate the work of the Institutional Research Security Officers (RSO).
UT System Administration Data Management Officer (DMO)
Must coordinate and collaborate with Institutional Data Management Officers (DMO) to provide strategic direction, guidance, and alignment on the UT System objectives for the collection, storage, and use of data, ensuring that all data is appropriately classified, managed, and protected throughout its lifecycle. Must create and oversee the data governance program within System Administration departments, periodically providing training and best practices. Facilitates systemwide meetings with Institutional DMOs to share guidance on data governance best practices.
UT System Administration Risk Management Executive Committee (RMEC)
Must consider and designate certain assets that store, process, or transmit highly sensitive or confidential data from institutions or organizations other than the sponsoring institution to be ‘high risk’.
Users
Must comply with all UT System information security Policies and Standards* (UT Credential Required) (UTS 165) for the use and security of information resources, and are subject to disciplinary action for non-compliance.
Institution Roles:
Institutional Agency Head
Must ensure the Institution's compliance with UTS 165 and associated Standards, designate an individual to serve as the Institutional (Chief) Information Security Officer (ISO), budget sufficient resources to fund ongoing information security remediation, implementation, and compliance activities (e.g., staffing, training, tools, and monitoring activities) that reduce compliance risk to documented acceptable levels, approve the Institution's information security program, and ensure that appropriate corrective and disciplinary action is taken in the event of non-compliance.
Institutional (Chief) Information Security Officer (ISO)
Responsible for their Institution's information security program and must work in partnership with the Institution community, the Institutional Information Resource Manager (IRM), constituency groups, and systemwide leadership to establish effective and secure processes, Policies, Standards, procedures, and information systems that promote information security as a core Institutional value. In addition, must provide information security oversight for all centralized and decentralized IT information resources, and develop and maintain a current and comprehensive information security program. The Institutional ISO has a dotted-line reporting relationship to the UT System Administration CISO. The ISO must report to the Institution's President or a member of the President's cabinet and must not report directly to the IRM; the ISO must have a collaborative but independent relationship with the IRM. The budget for the Institution's information security program must be independent of the IRM's budget. The ISO must have unrestricted access to all event and audit records, not dependent on the IRM's organization sharing information.
Institutional Information Resource Manager (IRM)
Must implement security controls for the entire Institution in accordance with the Institutional information security program developed by the Institutional Information Security Officer (ISO), review and approve the implementation of information systems and services, and operationalize an Institution-wide system management practice, based on the Institutional information security program and the corresponding Standards for vulnerability management, that ensures institutional accountability.
Institutional Privacy Officer (PO)
Must support their Institution by providing guidance to relevant departments on the safeguarding of university records, specifically confidential data, including maintaining transparency and building privacy principles into departmental programs in order to establish a systematic approach to privacy management; assess the risks of sharing university records; implement and maintain privacy-related Policies and Procedures; and respond to privacy-related inquiries and incidents. Institutions that are Hybrid or Covered Entities as defined by HIPAA must have a Legal and/or Privacy Officer (PO) oversee, manage, and provide guidance to the Institution on matters directly related to protected health information (PHI) as defined by HIPAA and as required by the relevant regulations. Some Institutional Privacy Officers may also be Legal Officers within their Institution, hold a role or designation with a legal capacity, or sit within a compliance office; the term Privacy Officer is not intended to be exclusive, but rather to allow flexibility in how the privacy function is arranged within an Institution.
Institutional Research Security Officer (RSO)
Must establish a research security program in conjunction with the Institutional Information Security Officer (ISO) that addresses key risk areas identified by federal and state governments which are applicable to each Institution’s research portfolio, including, but not limited to, intellectual property, cybersecurity, research and proprietary data security, clinical trial and patient data security, foreign collaborations, foreign travel, foreign visitors, foreign scholars and scientists, insider threats, and any other key risk areas.
Institutional Chief Business Officer (CBO)
Must ensure that procurement policies and processes incorporate appropriate participation by the Institutional Information Security Officer (ISO) and Institutional Privacy Officers (PO) in third party risk assessments. Must ensure that the budget for the Institution’s information security program is independent of the Institutional Information Resource Manager’s (IRM) budget.
Institutional Data Management Officer (DMO)
Must oversee the collection, storage, and use of their Institution’s data, ensure that all data is appropriately classified, managed, and protected throughout its lifecycle, and must work with the UT System Administration Data Management Officer (DMO), the Institutional Information Security Officer (ISO), and various stakeholders to develop and implement Institution-specific Policies, Standards, and processes for handling data.
Institutional Information Resource Owners (IRO)
Must grant, control, and monitor access to their Institution's information systems and data, work with the Institutional Information Security Officer (ISO) and other stakeholders to conduct risk management processes, and administer and implement security requirements and processes for the protection of their Institution's data, assets, and information resources.
Institutional Information Resource Custodians (IRC)
Must implement approved risk mitigation strategies in conjunction with the Institutional Information Security Officer (ISO) to manage their Institution's risk levels, control and monitor access to information resources based on sensitivity and risk, and ensure that technical users are adequately equipped to protect the Institution's information resources.
Institutional Information Security Administrator (ISA)
In conjunction with the Institutional Information Resource Managers (IRM) and the Institutional Information Security Officer (ISO), must implement all information security Policies (UTS 165), Standards, and Procedures relating to assigned information systems, assist stakeholders in implementing and maintaining the necessary information security protections of their information systems, and assist in developing, implementing, and monitoring the information security program by establishing reporting guidance, metrics, and timelines to monitor effectiveness of the security strategy.
Users
Must comply with all UT System information security Policies and Standards* (UT Credential Required) (UTS 165) for the use and security of information resources, and are subject to disciplinary action for non-compliance.
IT Lead of High Risk Assets
Must ensure that the architecture and the backup and recovery strategy are adequate, and that appropriate information security and privacy controls are implemented. The IT Lead of High Risk Assets must have a dotted-line reporting relationship to the Information Resource Manager (IRM) of the sponsoring Institution.

*Note: If you have accessed any of UT System's resources in Office 365, you already have access to this site. You can self-register for UT System guest access by sending a blank email from your UT institutional email address to utguest@utsystem.edu. After 15 minutes, your guest account will be created automatically and you will be able to access the UT Systemwide Contracts site with your UT institutional ID.


Policy Details

Responsible Office(s)

Information Security

Date Approved

Dates Amended or Reviewed