Who is responsible for the security of departmental data and systems?
Everyone at Indiana University has some responsibility for the security of information. This includes all levels of the organization from the Board of Trustees to the end user of information. This includes faculty, staff, students, affiliates, and those under contract. In short, information security is part of everyone's job.
Departments are encouraged to hire qualified information technology technicians, but the department is still responsible for the technicians' behavior. Therefore, it's important that all employees in the department understand their responsibilities in handling their systems and the data on those systems. As a supervisor, you must ensure that all of your employees:
- Understand that the data they work with could cause institutional or individual harm
- Secure their own passwords, accounts, and workstations
- Ensure that only appropriate individuals have access to departmental data
One way to ensure employees know their responsibilities is to have them complete the Acceptable Use Agreement for Access to Technology and Information Resources. This agreement is required for all employees with direct access to institutional systems, but it can be completed by anyone with an active IU network ID. See https://kb.iu.edu/data/ahxz.html for how to have your employees access and assent to this agreement. You can verify when an employee has completed the agreement by using the Data Access Service in OneStart. See https://kb.iu.edu/data/auod.html to learn how to use that tool to verify that an employee has this agreement on file.
As a supervisor, you must also know how the systems and data under your oversight are being secured. For a computer system to be managed securely, you as a supervisor must:
- Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.
- Hire technicians with the expertise necessary to appropriately maintain the hardware, operating systems, systems software, programs and other associated components of the systems to which they are assigned.
- Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (compromise of local or other systems, damage to data or systems, disclosure of sensitive data, potential legal liability for the department and Indiana University, possible loss of Federal and other funding for the department and Indiana University, etc.).
- Provide necessary initial and refresher training to technicians as hardware or software components are revised or added.
- Ensure that assignments and job plans account for time required for systematic and periodic audit and maintenance of systems.
If you do not directly hire or supervise the technicians supporting the systems and data that your unit uses, you must ensure that someone is doing the above things. Find out who that person is, and meet with them to ensure that you have informed them of the sensitivity of the data and functions your area uses. Ask how they are doing the above things and how they are adhering to security policies and best practices. Work with them to improve processes if necessary. Meet periodically to review practices and update them as needed.
If you are unable to ensure that the above things are being completed adequately, take your concerns to your management. You are also encouraged to contact the University Information Policy or Security Offices for advice and assistance.
Tips:
- Document and understand the local technical and data environment
- Know the sensitivity of the data being used, and restrict access appropriately
- Do not collect or store data unnecessarily
- Store data on secure servers that are administered by qualified technicians
- Do not sacrifice data protection to offer users convenience
- Do not send sensitive material via email
- Report security breaches or compromises immediately to the University Information Policy Office (UIPO)
More Information
This information is based on the UIPO's Best Practices and FAQs and Policy IT-12: Security of Information Technology Resources.
For help in securing your systems and data, see the University Information Security Office (UISO) Best Practices for Securing IT Resources.
Feel free to contact us if you would like more information.
