129 SPEC Kit 360: Learning Analytics

UNIVERSITY OF MASSACHUSETTS AMHERST
Information Security Policy - Draft
http://www.umass.edu/it/policies/drafts

Institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk*. Specific technical controls adhere to each category. Data Stewards are responsible for the Categorization of institutional information and research data under their purview. Data Custodians are responsible for using the appropriate security controls associated with each data category.

For more information regarding the categorization of institutional information and research data, see: https://www.umass.edu/it/security/data-categorization [3].

For more information regarding the specific technical controls that adhere to each category, see: https://www.umass.edu/it/security/controls [4].

* The standards are adapted from the Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems (FIPS 199) available at http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf [5].

III. To Whom This Policy Applies

This policy applies to every user (including, but not limited to, all faculty, students, staff, contractors, visiting researchers, or guests and volunteers) who accesses, manages, or manipulates institutional information, research data, or information technology resources.

IV. Responsible Parties

Every person at UMass Amherst has a responsibility to protect institutional information, research data, and information technology resources that they use or are otherwise within their control. These responsibilities vary based on the functional role of the individual. Depending on those functions, some individuals may have more than one role. This section identifies roles and their corresponding responsibilities.

For more information and examples, see: https://www.umass.edu/it/security/roles [6].

A. Information Security Program Management

The following roles have responsibility for the University of Massachusetts Amherst information security framework, oversight, and assistance.

1. Chancellor

The Chancellor has primary responsibility for campus information security and safety. The Chancellor may delegate authority for information security to the Vice Chancellor for Information Services and Strategy and Chief Information Officer.

2. Vice Chancellor for Information Services and Strategy and Chief Information Officer (CIO)

As a delegate of the Chancellor, the Vice Chancellor for Information Services and Strategy and Chief Information Officer will provide executive oversight to the University of Massachusetts Amherst Information Security Program.

3. Chief Information Security Officer (CISO)

The Chief Information Security Officer is the University official with the authority to harmonize campus information security. The CISO is responsible for the development, implementation, and maintenance of a comprehensive information security program.

4. Vice Chancellors and Deans

The Vice Chancellors and Deans are responsible for program management oversight for the security of institutional information, research data, and information technology resources within their areas of purview.

B. Information Categorization and Management

As noted in Section II C, institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. Specific technical controls adhere to each category. Data Stewards are responsible for the categorization of institutional information and research data under their purview and the implementation of the specific technical controls that adhere to each category. Data Custodians are responsible for following the rules set by the Data Stewards.

For more information see: https://www.umass.edu/it/security/information-management [7].

1. Data Stewards