
Roles & Responsibilities

Chancellor

The Chancellor appoints responsible parties to implement IS-3 at UC Irvine (UCI).

Cyber-risk Responsible Executive

The Cyber-risk Responsible Executive (CRE) is an individual in a senior management or academic position who reports to the UCI chancellor or top UCI executive. The CRE is accountable for all information risk assessments, security strategies, planning and budgeting, incident management, and information security implementation. The CRE:

  • Ensures that the responsible parties at UCI understand and execute their responsibilities under IS-3.
  • Ensures UCI-wide adoption of the Information Security Management Program (ISMP) and an information security risk management strategy.
  • Reviews UCI’s overall information security Risk Assessments and identifies key risks affecting UCI.
  • Evaluates UCI’s level of cyber risk to make decisions about risk mitigation and risk acceptance.
  • Approves UCI’s Security Exception process.
  • Participates in systemwide initiatives related to information security and information security risk management.
  • Evaluates information security risk and ensures appropriate funding for information security.

Chief Information Officer

The Chief Information Officer (CIO) is responsible for providing operational oversight for the delivery of information technology services that meet the requirements of IS-3. The CIO:

  • Plans and directs information security risk assessments for UCI.
  • Provides management oversight for information security planning, implementation, budgeting, staffing, program development and reporting.
  • Sets operational priorities and obtains alignment with the Cyber-risk Responsible Executive (CRE) and UCI leadership.

Chief Information Security Officer

The Chief Information Security Officer (CISO) is responsible for security functions throughout UCI, including assisting in the interpretation and application of IS-3. The CISO:

  • Establishes requirements and procedures to protect data and resources. Ensures that requirements are in place and clearly defined so that Workforce Members follow best practices. Establishes requirements for review processes, exception procedures, and a variety of other actions, such as disposal, encryption, and logging practices.
  • Approves procedures, methods, and requests involving the management of cybersecurity procedures. Uses expertise to ensure that best practices are being followed at UCI.
  • Communicates about a variety of actions and topics in the process of managing cybersecurity at UC. Receives reports, documents processes, and communicates issues to the appropriate role or office. Reports Information Security Incidents to UCOP, appropriate UCI leadership and the UCI CRE.
  • Provides management and execution oversight of the Information Security Management Program (ISMP) through collaborative relationships with CRE, CIO, academic, and administrative officials, using UCI governance structures and compliance strategies.
  • Manages the UCI exception process for IS-3.

Unit

A Unit is a point of accountability and responsibility for organizing and managing IS-3 compliance and IT security for the Institutional Information and IT Resources in their organization. At UCI, Units can include the various Schools, Divisions and some major Departments. Units have been defined at UCI, each with their own Unit Head and UISL(s). Additional Units may be considered if they meet IS-3 requirements and are specifically designated.

Unit Head

The Unit Head oversees the execution of IS-3 within the Unit. This is a senior management role with the authority to allocate budget and responsibility for Unit performance. The Unit Head:

  • Assigns one or more Unit Information Security Lead(s) (UISL(s)) with oversight of the execution of information security responsibilities within the Unit.
  • Identifies and inventories Institutional Information and IT Resources managed by the Unit.
  • Ensures that Risk Assessments are complete, and Risk Treatment Plans are implemented.
  • Specifies the Protection Level and Availability requirements to Service Providers who manage IT Resources on behalf of the Unit.
  • Through the risk management process, ensures that protection of Institutional Information and IT Resources managed by Service Providers meets the requirements of IS-3.
  • Through the risk management process, ensures that Institutional Information and IT Resources managed by Suppliers meet the requirements of IS-3.
  • Communicates with all those who share responsibility for the Unit’s compliance. This includes reviews, assessments, and reporting information.
  • Reports Information Security Incidents to the CISO. Reports to the CISO any information security policy or standard that is not fully met by the Unit, or by a Service Provider managing Institutional Information or IT Resources on behalf of the Unit.
  • Ensures the above responsibilities are included in the overall Unit planning and budgeting process.


Unit Information Security Lead (UISL)

The Unit Information Security Lead (UISL) is the Workforce Member assigned responsibility for tactical implementation of IS-3 and the coordination and oversight of information security activities within a Unit.

In consultation with the Unit Head, the UISL works with the Workforce Members within a Unit, Service Providers, Suppliers, OIT Security, and the CISO to ensure compliance with IS-3. The UISL:

  • Follows UCI’s Minimum Security Standards. Acts as an evangelist for good security practices and works with their Unit teammates to help tackle cybersecurity issues when they occur. Ensures the Unit embeds cybersecurity into all projects. Has a plan to regularly patch systems and applications.
  • Implements and complies with IS-3 requirements. Becomes familiar with the requirements for which they are responsible.
  • Follows the principle of least privilege so that people have access only to the minimum applications and data needed to do their jobs. Removes access promptly when employees leave or change roles.
  • Takes a risk-based approach to decision-making. For example, when setting up security measures for a new application in the Unit, thinks through what could happen if someone outside UC got access. Ensures the right levels of protections are in place.
  • Stays connected to the UCI Chief Information Security Officer (CISO) and cybersecurity-related news and alerts. Looks for opportunities to learn about emerging cybersecurity threats and issues.
  • Reviews and updates Risk Assessments for the applications in the Unit.
  • Manages assets responsibly. Keeps a record of where the Unit’s sensitive information is located. Also keeps a record of where the Unit’s IT Resources are located and what types of data they handle.
  • Devises procedures for the proper handling, storage, and disposal of electronic media within the Unit.
  • Communicates with all those who share responsibility for the Unit’s compliance. This includes reviews, assessments, and reporting information.
  • Reports cybersecurity incidents to the UCI CISO. Monitors high-risk data and systems for signs of compromise.
  • Manages suppliers. Ensures Suppliers understand their responsibilities to protect UCI’s Institutional Information and IT Resources. Makes sure agreements have “Appendix DS” included.
  • Manages change responsibly. Reviews and approves changes before they are implemented.


Service Provider

The Service Provider is a UC group or organization providing specific IT services to a Unit. The Service Provider:

  • Delivers information technology services that comply with IS-3.
  • Documents and delivers IT services in compliance with IS-3, other UC policies and applicable UCI policies.
  • Notifies the Unit Head of any policy provisions that are unmet or require additional controls by the Unit.
  • Supports Units in completing Risk Assessments related to the services provided.
  • Coordinates with Units to implement appropriate security measures.
  • Coordinates with Units to respond to potential and confirmed Information Security Incidents.

Supplier

A Supplier is an external, third-party entity that provides goods or services to UC. These goods and services can include consulting services, hardware, integration services, software, systems, software-as-a-service (SaaS) and cloud services. Non-UCI entities that operate IT Resources or handle Institutional Information are considered Suppliers for the purposes of this policy. A Vendor is also a Supplier for the purposes of this policy. All Suppliers that have access to UC systems or data, or that collect UC data on UC's behalf, must undergo a Supplier Security Review.

Proprietor

The Proprietor is an individual accountable for the Institutional Information, IT Resources and processes supporting a UC function. The Proprietor:

  • Establishes the Protection Level and Availability Level and communicates these classifications to those needing access including Units, Service Providers and Suppliers.
  • Establishes and documents rules for use of, access to, approval for use of and removal of access to Institutional Information related to their area of responsibility.
  • Reviews and approves requests for access or transfers of Institutional Information under the control of the Proprietor.
  • Notifies Units, Service Providers and Suppliers of any changes in requirements set by the Proprietor.
  • Ensures that UC Records Retention Schedule requirements are being met.

IT Owner

The IT Owner is a UCI-specific role used to identify the primary technical person responsible for an IT asset. An IT Owner:

  • Acts as the primary technical contact for an IT asset.
  • Ensures that the asset is managed in compliance with IS-3.
  • Conducts or coordinates Risk Assessments on the asset. In OneTrust, the IT Owner is the default respondent for all Risk Assessments launched against the asset.

Workforce Manager

The Workforce Manager supervises/manages other personnel or approves work or research on behalf of the University. Workforce Managers are responsible for complying with IS-3. The Workforce Manager:

  • Follows UCI’s Minimum Security Standards. Factors cybersecurity duties into job descriptions. Embeds cybersecurity into recruiting practices and hiring decisions. Updates job descriptions periodically and makes sure information security duties are clear.
  • Ensures the team completes training required for their positions. Makes sure technical staff has access to the resources needed to complete security duties.
  • Reviews access rights annually. Follows the principle of least privilege so that people have access only to the minimum applications and data needed to do their jobs. Removes access promptly when employees leave or change roles.
  • Separates duties when designing job roles so that the requestor, approver, and implementer of a change are different people. This is a critical step in reducing the risk that a single individual can carry out malicious activity without collusion.
  • Knows the location of Institutional Information and IT Resources. Knows about and approves of storage and work locations involving UCI assets.

Workforce Member

Workforce Members include all individuals who perform work for UCI in any capacity, including any employee, faculty, staff, volunteer, contractor, researcher, student worker, student supporting/performing research, medical center staff/personnel, clinician, student intern, student volunteer.

Workforce Members are responsible for complying with IS-3. The Workforce Member:

  • Follows UCI’s Minimum Security Standards.
  • Promptly reports violations to security@uci.edu. A Workforce Member who suspects or witnesses a Security Event also reports it to their Workforce Manager or to the Chief Information Security Officer (CISO).
  • Completes all security-related training required by their Unit and/or UCI. Ensures they have the training and resources needed to complete their assigned security duties.
  • Takes a risk-based approach to decision-making.
  • Asks questions. When unsure of the best way to protect Institutional Information or IT Resources, asks the Workforce Manager, UISL, or emails security@uci.edu.

Researcher

A Researcher conducts research on behalf of UC Irvine. Researchers comply with all responsibilities of Workforce Members. A Researcher:

  • Uses a UCI-approved Risk Treatment Plan or conducts a Risk Assessment to ensure that information security requirements are met.
  • Identifies the appropriate Institutional Information Protection Level defined in IS-3 for research data.
  • Identifies and meets confidentiality and data security obligations based on laws, regulations, policies, grants, contracts, and binding commitments (such as data use agreements and participant consent agreements) relating to research data.
  • Creates and maintains evidence that demonstrates how security controls were implemented and kept current throughout the project.
  • Develops and follows an information security plan that manages security risk over the course of their project.
  • Ensures that Suppliers who store or process Institutional Information during the project follow UCI policy for written contracts.
  • Ensures that Supplier agreements include approved terms supporting the information security controls specified in IS-3 and applicable UCI purchasing requirements.