Data Security Executive Council

Cabinet members provide executive level guidance to the program, and will:

• Review deliverables from the Records Management Working Group and Data Owners Group, make decisions, and communicate decisions to the groups and campus.
• Review and guide the priorities of the Records Management and Data Owner groups.
• Consider requests for resources when needed.
• Ensure that major data security initiatives align with the University’s strategic goals.
• Formally designate and delegate official Data Owners for data records within their purview. (If a Data Executive does not formally designate a Data Owner for a particular data series, the Data Executive retains Data Owner responsibilities).

Data Security Executive Council (Cabinet) Operations

• Responsibilities can be conducted during regularly scheduled Cabinet meetings. Agenda items will be submitted to the President’s Office via a Cabinet member.

Data Owners Group

The Data Owners Group consists of 11 campus administrators who play a primary leadership role in ensuring the confidentiality and security of University data. They have policy‐level managerial responsibility for data within their functional areas, and are supported by a select group of information technology managers with data-related roles. Data Owners must have a formal designation or delegation from their Vice President/Cabinet member. This group will focus primarily on compliance and security issues, and will:

• Grant access to data and ensure appropriate controls are in place to protect information assets based on ISO Domain 9: Access Control Policy and ISO Domain 8: Asset Management Policy
• Classify data, define controls, authorize access, monitor compliance with campus security policies and standards, and specify levels of acceptable risk.
• Ensure development of appropriate role‐based or attribute‐based permissions and employment groups that allow appropriate access to be granted efficiently.
• Review and approve enterprise system security roles that define how appropriate access is provided to set(s) of data.
• Ensure that access to records is reviewed and/or removed when an individual with access is transferred to a different position/department on campus, or when separated from campus.
• Oversee records retention and disposition processes. The Data Owner is the campus-designated department head who maintains the official/original copy of the record/information series for retention purposes in compliance with EO 1031 Records Retention Policy. Please refer to the CSU Records Retention and Disposition Schedules.
  • Identify business units and systems that are not compliant with CSU records retention requirements, and ensure that those units/systems are aware of their non‐compliance.
  • Comply with CSU and University data classification and protection standards.
  • Ensure that the Annual Sensitive Data Inventory is completed by all units within their responsibility.
  • Contribute to the development/delivery of a campus security and awareness training program.
  • Designate official Data Managers for specific data sets within their purview. If a Data Owner does not designate a Data Manager for one or more data sets, the Data Owner retains Data Manager responsibilities.
  • Draft and recommend policies and standards to Cabinet.
  • Recommend campus data improvements and provide input to the Records Management Working Group to inform program documentation.
  • Review and discuss compliance and security issues to ensure that they are reasonably and consistently addressed within the University's information security technical and business guidelines, standards, and processes.

Data Owners Group Operations

• Meets quarterly, at minimum.

Data Managers

Data Managers oversee and support the day‐to‐day business processes used to maintain University data. Data Managers are typically considered subject matter experts on specific sets of data elements, and understand how data is used by Data Consumers. Data Managers are often designated by, and have an organizational reporting relationship to, Data Owners, and will:

• Comply with University and CSU policies and follow established business processes for data handling and records retention and disposition responsibilities for records in their care. Refer to the CSU Records Retention and Disposition Schedules and CSU EO 1031.
• Identify business units and systems that are not compliant with CSU records retention requirements and ensure that those units/systems are aware of their non‐compliance (in coordination with Data Owners when appropriate).
• Ensure that the Biennial Sensitive Data Inventory Survey is completed by all units under their responsibility (in coordination with Data Owners when appropriate).

Data Consumers

Data Consumers include the individuals, organizational units, and information systems that are granted access to data for specific uses such as analysis and reporting. This designation can also include downstream information systems that ingest and/or transform data for a specific purpose.

Data Consumers

• Provide input to Records Managers and/or Data Owners about data management and security needs.
• Review data security and management reports for the purpose of data‐driven decision‐making.
• Identify and report data quality issues.
• Attend training to clearly understand their data responsibilities, and follow procedures to ensure data security.

Records Management Working Group

The Records Management Working Group includes Data Owners, Data Managers, Data Consumers, and information technology managers who can identify critical campus data management needs, and create plans to meet those needs. The Working Group:

• Helps interpret and administer policies.
• Creates and maintains program documentation.
• Recommends appropriate resources (staff, technical infrastructure, etc.) and ensure that proper planning protocols are in place to support the data security and retention needs of the University.
• Advocates and promotes data stewardship across the University.
• Contributes to the development/delivery of a campus security awareness and training program.

Records Management Working Group Operations

• The group will meet bi‐monthly at minimum.
• A quorum is met if three quarters of the members are present.
• Formal recommendations to Cabinet and/or updates to the program documentation need to be ratified by a quorum.
• Minutes will be taken for each meeting and will be approved at the next meeting.

Computer Security Incident Response Team (CSIRT)

The Computer Security Incident Response Team (CSIRT) is a subgroup of the campus Critical Response Team charged with evaluating potential security incidents and breaches to provide recommendations to the President.

The CSIRT group works closely with the Chancellor’s Office, University Police, Campus Counsel, and with the IRT Information Security Office (ISO) during potential breaches to evaluate technical and administrative components, including breach containment and notification requirements. The ISO also provides the committee periodic reports concerning significant security incidents and overall institutional risks and vulnerabilities.

CSIRT Meeting Schedule

Meets periodically throughout the year for proactive tasks such as Disaster Recovery and Incident Response testing, and/or as-needed in the event of a security breach.