Roles and Responsibilities
Chief Information Officer
Responsible for ensuring the development and adoption of the Information Security Plan. Assigns the roles of Information Security Officer and Information Security Architect. Identifies and makes strategic decisions on information risk and risk acceptance.
Information Security Officer
Designated by the CIO, responsible for building and maintaining the Information Security Plan and for educating the campus on it. Facilitates Plan compliance through collaborative relationships with academic and administrative officials, consistent with campus governance structure and policy compliance strategies.
Information Security Architect
Designated by the CIO, responsible for architecting and implementing technical controls based on the Information Security Plan, best practices, and collaborative business analysis.
Information Security Coordinator
A person assigned responsibility for coordinating information security in a UCI division or school. This includes maintaining an inventory of computing systems containing protected data, participating in campus-wide information security coordination activities, and facilitating security in the division or school.
Data Proprietor (Administrative official)
A person responsible for oversight of data or computing systems with access to protected data, with primary responsibility for determining the purpose and function of any data resource; often the chief administrative official of the Office of Record for the data resource. Data Proprietors are individuals with administrative responsibility for campus organizational units (e.g., control unit heads, deans, department chairs, principal investigators, directors, or managers) or individuals having functional ownership of data.
- identify the electronic information resources within areas under their control
- define the purpose and function of the resources and ensure that requisite education and documentation are provided to the campus as needed
- establish acceptable levels of security risk for resources by assessing factors such as:
  - how sensitive the data is, such as research data or information protected by law or policy
  - the level of criticality or overall importance to the continuing operation of the campus as a whole, individual departments, research projects, or other essential activities
  - how negatively the operations of one or more units would be affected by unavailability or reduced availability of the resources
  - how likely it is that a resource could be used as a platform for inappropriate acts towards other entities
  - limits of available technology, programmatic needs, cost, and staff support
- ensure compliance with relevant provisions of the UCI Information Security Plan
- ensure that requisite security measures are implemented for the resources
Data Custodian (Technical staff)
A technical partner of the Data Proprietor who is responsible for the implementation of data systems and the technical management of data resources, as directed by the Data Proprietor. Data Custodians are individuals who design, manage, and operate campus electronic information resources, e.g., IT directors, project managers, system designers, application programmers, or system administrators.
- become knowledgeable regarding relevant security requirements and guidelines
- analyze potential threats and the feasibility of various security measures in order to provide recommendations to the Data Proprietor
- implement security measures that mitigate threats, consistent with the level of acceptable risk established by administrative officials
- establish procedures to ensure that privileged accounts are kept to a minimum and that privileged users comply with privileged access agreements
- establish procedures to implement relevant provisions of the UCI Information Security Plan
- communicate the purpose and appropriate use for the resources under their control