130 Data Security Policies UNIVERSITY OF MASSACHUSETTS AMHERST Information Security Policy - Draft http://www.umass.edu/it/policies/drafts Stewards have the highest level of responsibility for overseeing the categorization of institutional information and research data, and administering the privacy, security, and regulatory compliance of data sets under their purview (e.g., education records, human resources, and financial data). In the case of research data, in additional to acting as a Data Custodian, the Principal Investigator acts as the steward in consultation with research staff. 2. Steward Delegate A steward may designate a delegate who will act on behalf of the steward for a portion or all the information and data under their purview. The delegate should be identified in writing to the Vice Chancellor for Information Services and Strategy and CIO as well as the Chief Information Security Oﬃcer, along with how long the delegation will be in place. 3. Data Administrators Data Administrators are those individuals who are responsible for a particular line of business or who may have special knowledge of and responsibility for the compliance requirements for certain information or datasets. They have responsibility to inform the appropriate Steward(s) of any requirements or considerations that may influence policy, and set procedures, standards, or guidelines. 4. Subject Matter Experts Subject Matter Experts are those individuals in roles with expertise such as risk, legal, compliance, privacy, and security who have a responsibility to inform the appropriate Steward(s) of any requirements or considerations that may influence policy, and set procedures, standards, or guidelines. 5. Data Custodians Custodians are any individuals (employees, volunteers, etc.) who access, manage, or manipulate institutional information or research data. Custodians must follow campus policy and stewardship rules for handling of institutional information and research data. C. Information Security Program Implementation 1. Vice Chancellors and Deans In addition to the responsibilities of Vice Chancellors and Deans as noted in Section IV A 4 above, Vice Chancellors and Dean also have responsibility oversight for the implementation of the information security program within their areas of purview. 2. Department Chairs, Directors, Supervisors, etc. Individuals who are responsible for a portion of the campus, such as a program, center, or line of business, shall develop, as needed, more restrictive information security controls for better management of risk to the institutional information or research data for which they are responsible. Supervisors may, at their discretion, create specific forms outlining the duties of their direct reports under this policy for review, signature, or workplace performance. 3. Security Liaisons The unit security liaison is the person or persons designated by the unit head as the primary contact for the CISO. Their primary role is to share information security training in a manner that works for their unit, to be available for incidents, and provide effective communication between the UMass Amherst IT Security Team and the college or division they represent. For more information see: https://www.umass.edu/it/security/liaisons . 4. Chief Technology Oﬃcer (CTO) For central information technology resources, the Chief Technology Oﬃcer, in coordination with the CISO, draws up technology architectural outlines, issues standards, and develops uniform templates for use by central IT and the campus community. For current technical architectural outlines, standards, and templates, see: https://www.umass.edu/it/architecture . (Protected by NetID) 5. Service Administrator A Service Administrator (e.g., application administrator, system administrator, or network administrator) is the individual with principal responsibility for the installation, configuration, and ongoing maintenance of an information technology system.