BP.01.003 - Business Practice for Organization and Management of Information Security


History

  • Business Practice Number: BP.01.003
  • Version: 1
  • Drafted By: Michael Berman
  • Approved By: Michael Berman
  • Approval Date: 08/03/2010
  • Latest Revision Date: 11/13/2012

Purpose

Describes the organizational structure, roles, and responsibilities for the management of information security at Channel Islands.

Background

The President delegates to the VP for Technology & Communication the authority to develop, implement, and document the organizational structure of the campus information security program, and the authority to appoint a campus information security officer (ISO). This document describes the information security program and the roles and responsibilities of the ISO, as required by ICSUAM Policy Number 8015.0.

CI participates in the California State University's Virtual Information Security Center (VISC). The VISC enables CI to develop a highly effective and professional information security program while conserving campus resources. This policy delineates the roles and responsibilities of campus personnel and the VISC for information security.

A related standard, “4.0 Information Security Roles and Responsibilities” (currently in draft), provides further guidance and definitions for the roles each campus should define. This T&C Business Practice on the Organization and Management of Information Security complies with ICSUAM Policy Number 8015.0 and is modeled on the draft standard. Its details have been adapted to fit CI's campus needs, consistent with ICSUAM Policy 8015.0 and the language of the Standard.

Business Practice

Accountability

The VP for Technology & Communication has been designated by the President as the campus official responsible for the organization and management of information security at CI.

Applicability

This business practice is applicable to any and all functions related to information security at the Channel Islands campus.


Definition(s)

  1. Virtual Information Security Center (VISC). The VISC consists of CSU employees from multiple campuses working together to provide information security services to a group of participating campuses.
  2. VISC Director. The VISC Director is the senior manager responsible for the operation of the VISC.
  3. VISC Liaison. The administrator at a VISC-participating campus responsible for coordinating the relationship between the campus and the VISC.
  4. ISO. The staff member appointed by the VP for Technology & Communication as the campus Information Security Officer.

Text

The President designates the VP for Technology & Communication to have day-to-day management and oversight of the information security program at Channel Islands. Generally, the duties of the campus Information Security Officer (ISO) at Channel Islands are carried out in concert with the VISC Director. Specifically, the roles and responsibilities defined by the CSU Standard for Information Security Roles and Responsibilities will be carried out as follows:

The VP for Technology & Communication designates the Director of Enterprise Services and Security as the ISO and VISC Liaison. The Director has the following duties:

  • working with the VISC Director to develop procedures and processes which implement the CSU information security policy and standards, as directed by the President;
  • working with the VISC Director to evaluate the risk introduced by any changes to campus operations and systems;
  • serving as the campus representative on the CSU Information Security Advisory Committee;
  • consulting with the VISC Director regarding campus operations and systems to address security;
  • coordinating the campus information security program on behalf of the President;
  • advising the President and the Cabinet on all information security matters;
  • working closely with campus administrators and executive officers on information security matters;
  • providing input to the campus budget process on the prioritization of, and resources required for, information security risk mitigation activities, and on the information security risks of proposed projects.

The VISC Director in concert with the ISO has the following duties:

  • oversight of campus information security risk assessment activities;
  • informing the VP for Technology & Communication of significant information security risks as they are identified;
  • oversight of the campus information security incident response program in coordination with appropriate campus personnel;
  • oversight of the campus information security awareness and training program, in coordination with appropriate campus personnel;
  • responding to information security related requests during an audit.

The VISC Director does not have direct responsibility for information processing or technology operations for Channel Islands programs that employ protected information.

This business practice shall be reviewed each year in July; documentation of this review shall be maintained in the office of the VP for Technology & Communication.

Exhibit(s)

Assessment History

Description                                  Frequency   Role Assigned
General review of this business practice.    Annual      VP for T&C