Information Security Roles and Responsibilities Guideline

Senior Leadership Team (SLT)

The SLT is composed of the President and Vice-Presidents of the College. Regarding Information Security they are responsible for:

1. Reviewing and approving policies and standards related to Information Security
2. Providing guidance and oversight to Data Stewards and Data Custodians in their divisions

Chief Information Officer (CIO)

The CIO is the head of the Technology Services Division and a sitting member of the SLT. In addition to the responsibilities of Data Stewards, Data Custodians, and Users listed below, the CIO is responsible for:

1. Reviewing and approving the guidelines and procedures of the Technology Services Division
2. Presenting Information Security and Data related issues to the SLT

Data Stewards Group

Data Stewards are the primary authority for granting authorization to the College's information systems. The Data Steward serves as the first line of support for data maintained in their area and collectively form the Data Stewards Group. The members of this group discuss, review, and develop standards, guidelines, and procedures to ensure institutional data quality and security. In addition to user responsibilities outlined below, they are responsible for:

1. Serve as contact point within each area for requests to Technology Services regarding identifying and approving:
   1. new user accounts for their systems
   2. changes to existing user accounts for their systems
   3. accounts that should be disabled due to termination or other changes in access requirements
   4. changes to architecture, tools, or data in their systems that are beyond the scope of normal operations or that do not natively leave an audit trail in accordance with the Change Management Policy
2. Ensuring that their staff are using the information systems in accordance with the policies and procedures of the College, the Division, and their department
3. Develop campus standards for data entry of common data
4. Determine data "ownership" and "system of record" for common data
5. Develop and maintain guidelines, standards, and procedure to protect data integrity
6. Establish decision rights and responsibilities ("ownership") of institutional datasets 
7. Classify all data according to Data Classification Standard

Data Custodians

Data Custodians are the primary grantors of access to the College's information systems. In addition to user responsibilities outlined below, they are responsible for:

1. Provisioning and de-provisioning user accounts in all College information systems
2. Executing changes to system data that has been authorized by Data Stewards in accordance with College policies
3. Monitoring and troubleshooting all College information systems
4. Classifying data according to the Data Classification Standard
5. Creating new software and reports based on College data in accordance with the College's Information Security Policy

Users

All users of College owned information systems. Users are responsible for:

1. Adhering to policies, guidelines and procedures pertaining to the protection of Institutional Data
2. Reporting actual or suspected vulnerabilities in the confidentiality, integrity or availability of Institutional Data to a manager or the Technology Services Division.
3. Reporting actual or suspected breaches in the confidentiality, integrity or availability of Institutional Data to the Technology Services Division