BP.01.003 - Business Practice for Organization and Management of Information Security

History

  • Business Practice Number: BP.01.003
  • Version: 2
  • Drafted By: Michael Berman
  • Approved By: Michael Berman
  • Approval Date: 08/03/2010
  • Latest Revision Date: 07/18/2016

Purpose

This business practice describes the organizational structure, roles, and responsibilities for the management of information security at Channel Islands.

Background

The President delegates to the VP for Technology & Communication the authority to develop, implement, and document the organizational structure of the campus information security program, and the authority to appoint a campus information security officer (ISO). This document describes the information security program and the roles and responsibilities of the ISO, as required by ICSUAM Policy Number 8015.0.

The T&C Business Practice on the Organization and Management of Information Security complies with ICSUAM Policy Number 8015.0 and is modeled after that policy. Business practice details have been adapted to fit CI's campus needs, consistent with ICSUAM Policy 8015.0 and the language of the Standard.

Business Practice

Accountability

The VP for Technology & Communication has been designated by the President as the campus official responsible for the organization and management of information security at CI.

Applicability

This business practice is applicable to any and all functions related to information security at the Channel Islands campus.

Definition(s)

  1. ISO. Staff member appointed by the VP of Technology & Communication as the Information Security Officer.

Text

The President designates the VP for Technology & Communication to have day-to-day management and oversight of the information security program at Channel Islands. Specifically, the roles and responsibilities defined by the CSU Standard for Information Security Roles and Responsibilities will be carried out as follows:

The VP for Technology & Communication designates the Director of Enterprise Services and Security as the ISO. The ISO has the following duties:

  • overseeing campus information security risk assessment activities;
  • developing procedures and processes which implement the CSU information security policy and standards, as directed by the President;
  • evaluating the risk introduced by any changes to campus operations and systems;
  • serving as the campus representative on the CSU Information Security Advisory Committee (ISAC);
  • overseeing campus operations and systems to address security;
  • coordinating the campus information security program on behalf of the President;
  • advising the President and the Cabinet on all information security matters;
  • working closely with campus administrators and executive officers on information security matters;
  • providing input to the campus budget process regarding prioritization and required resources for information security risk mitigation activities and inputs regarding information security risks of proposed projects;
  • informing the VP for Technology & Communication of significant information security risks as they are identified;
  • overseeing the campus information security incident response program in coordination with appropriate campus personnel;
  • overseeing the campus information security awareness and training program, in coordination with appropriate campus personnel;
  • responding to information security related requests during an audit.

This business practice shall be reviewed each year in July; documentation of this review shall be maintained in the office of the VP for Technology & Communication.

Exhibit(s)

Assessment History

Description                                  Frequency       Role Assigned
General review of this business practice.    Annual - July   VP for T&C