Data Ownership - The University of Texas at Tyler

Data Ownership
Responsibilities & Procedures
The University of Texas at Tyler
Diane Garrett, Information Security Officer
Why Do I need training?
• In the past Information Resources (central
IT) managed & owned most of the data on
our campus
• Several areas in outlying parts of our
University have since set up information
resources outside of central IT’s
operations
• With decentralized data ownership, the
need for training is essential to comply
with state law and UT System policy
Basis for training:
• Data ownership is required by Texas state
law & UT System Policy
 TAC 202
 UTS 165
• Provides accountability for the data
which is gathered, stored, & transmitted
by the University
• Data owners will be able to identify
security requirements that are most
appropriate for their data.
At the end of training you:
• Will have been presented with the state
and UT System requirements for data
ownership
• Will be able to classify the data on your
resource & provide an initial value for
your asset
• Will have a basic understanding of the
Risk Assessment requirements
• Will formally acknowledge your
resources, the custodians, & ISAs
Legal Jargon & Policy Talk
• Exposure to Texas Administrative Code
(TAC) 202
• Exposure to UT System (UTS) Policy 165
• Attack low-hanging fruit (things we can
accomplish now or in a short period of
time)
• Talk about future actions on the road to
full compliance
The Boring but Necessary Evils
TAC 202 Language
Data Owner Definition:
• A person with statutory or operational
authority for specified information (e.g.,
supporting a specific business function)
and responsibility for establishing the
controls for its generation, collection,
processing, access, dissemination, and
disposal
TAC 202 Data Owner Responsibilities
The owner or his or her designated
representative(s) are responsible for and
authorized to:
• Approve access
• Formally assign custody of the
information resource asset
• Determine the asset's value
• Specify data controls and convey to
users and custodians
• Specify appropriate controls, based
on a risk assessment, to protect the
information resource from:
 unauthorized modification
 unauthorized deletion
 unauthorized disclosure
• These controls extend to resources
and services outsourced by UT Tyler
• Confirm that controls are in place
to ensure the confidentiality,
integrity, and availability of data
and other assigned information
resources.
• Assign custody of information
resources assets
• Provide appropriate authority to
implement security controls and
procedures.
• Review access lists based on
documented risk management
decisions.
• Approve, justify, document, and be
accountable for exceptions to
security controls.
• The information owner shall
coordinate exceptions to security
controls with the agency
information security officer
• The information owner, with the
concurrence of the state agency
head or his or her designated
representative(s), is responsible for
classifying business functional
information.
UTS 165 Language
Data Owner Definition:
The manager or agent responsible for the
business function that is supported by the
information resource or the individual upon
whom responsibility rests for carrying out
the program that uses the resources. The
owner is responsible for establishing the
controls that provide the security and
authorizing access to the information
resource.
Definition continued:
The owner of a collection of information is
the person responsible for the business
results of that system or the business use of
the information. Where appropriate,
ownership may be shared.
UTS 165 Responsibilities
• Grants access to the Information System
under his/her responsibility.
• Classifies Digital Data based on Data
sensitivity and risk.
• Backs up Data under his/her responsibility
in accordance with risk management
decisions and secures backup media.
− Owner of Mission Critical Information
Resources
• Designates an individual to serve as an
Information Security Administrator (ISA)
to implement information security
policies and procedures and for reporting
incidents to the ISO.
• Performs an annual information security
risk assessment and identifies,
recommends, and documents acceptable
risk levels for information resources
under his/her authority.
Data Classification
• To determine to what extent a resource
needs to be protected, the data which
resides on the system must be classified
• UT Tyler adopted UT Austin’s data
classification guidelines
• http://www.uttyler.edu/ISO/dataclassification.html
3 Categories of Data
Category I data:
• University data protected specifically by
federal or state law or University of Texas
at Tyler rules and regulations.
− Examples of Laws:
• FERPA
• HIPAA
• Texas Identity Theft Enforcement &
Protection Act
Examples of Category I data:
• Social Security number
• Credit Card Numbers
• Grades (including test scores,
assignments, and class grades)
• Personal vehicle information
• Access device numbers (building access
code, etc.)
• Biometric identifiers and full face images
More Cat I data:
• Patient Medical/Health Information
(HIPAA-protected data)
• Payment Guarantor's information
• Human subject information
• Sensitive digital research data
Category II data:
• University data not otherwise identified
as Category-I data, but which are
releasable in accordance with the Texas
Public Information Act (e.g., contents of
specific e-mail, date of birth, salary,
etc.) Such data must be appropriately
protected to ensure a controlled and
lawful release.
Examples of Category II data:
• The calendar for a university official or
employee
• The emails of a university official or
employee containing sensitive
information
• Date of birth, place of birth of students
or employees
• Internal audit data
More Cat II data:
• Student evaluations of a specific faculty
member
• Human subjects research data with no
personal identifying information
Category III data:
• University data not otherwise identified
as Category-I or Category-II data (e.g.,
publicly available).
Examples of Category III data:
• Departmental Web site
• Blogs
• Library data and holdings
• Public phone directory
• Course catalog and curriculum
information
• General benefits information
More Cat III data:
• Enrollment figures
• Publicized research findings
• State budget
• All public information
Road Map to Compliance
[Stair-step graphic: eight steps from Training to Compliant, spanning FY 2010 and FY 2011]
2010 FY:
1. Training
2. Assess and classify information
3. Assign system custodian/sign acknowledgement
4. Complete annual/biennial risk assessments
2011 FY:
5. Identify security controls based on risk
6. Review and approve system access periodically
7. Prepare/update disaster recovery plans
8. Monitor/ensure compliance
Compliant
2009-2010 (Now)
• Training (Done)
• Assess and classify information
 Classify the data on your systems (Cat I,
Cat II, Cat III) & determine if mission
critical (to dept or institution)
 Assign a monetary value to your system
(replacement value of system)
 If you are able to assign a monetary value
to the data, that is even better (very hard
to do)
• Assign system custodian/sign
acknowledgement
 Will do this at end of training
• Complete annual/biennial risk
assessments
 Purchased Risk Watch
 Surveys will be sent out
 Will build on questions each year
2010-2011
• Update resource list and reclassify data
and value of assets as needed
• Identify security controls based on risk
(from previous year’s risk assessment)
• Review and approve system access
periodically
• Perform annual risk assessments if
mission critical resource
2010-2011 continued
• Prepare/update disaster recovery plans
(only if necessary)
• Monitor/ensure compliance