The mission of the Information Security Function is to ensure a secure computing environment to support the Institution’s research, patient care, teaching, and public service missions. Consultation, coordination and support services include:
- Provide leadership for compliance with UTHSCSA, UT System, and the State of Texas information security related policies and procedures, as well as external (Federal, State, and Local) regulatory mandates.
- Establish and maintain an information security program.
- Proactively perform security investigations, analysis, and monitoring.
- Support policy and procedure development and recommend technology solutions, while minimizing any negative impact on University missions.
- Maintain a compilation of information protection resources in support of continuous information security awareness, education, and training.
Information security policy is set forth in the Handbook of Operating Procedures (HOP), Chapter 2.2.2 – Information Security. The President is responsible for the protection of resources and delegates the Information Security Function portion of that responsibility to the Manager of Information Security. The President has identified the following:
- Risks to information resources must be managed. The expense of security safeguards must be commensurate with the value of the assets being protected.
- The integrity of data, its source, its destination, and processes applied to it must be assured. Changes to data must be made only in authorized and acceptable ways.
- Information resources must be available when needed. Continuity of information resources supporting critical governmental services must be ensured in the event of a disaster or business disruption.
- Security requirements shall be identified, documented, and addressed in all phases of development or acquisition of information resources.
State of Texas:
Paragraph (d), as quoted below, of Texas Administrative Code, Chapter 202.71, Management and Staff Responsibilities, provides the mandate of the Chief Information Security Officer (CISO).
(d) The Information Security Officer. Each institution of higher education head or his or her designated representative(s) shall designate an information security officer to administer the institution of higher education information security program. The Information Security Officer shall report to executive management.
(1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with information owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure.
(2) The Information Security Officer shall document and maintain an up-to-date information security program. The information security program shall be approved by the institution of higher education head or his or her designated representative(s).
(3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information.
(4) The Information Security Officer shall report, at least annually, to the institution of higher education head or his or her designated representative(s) the status and effectiveness of information resources security controls.
(5) The Information Security Officer with the approval of the institution of higher education head or his or her designated representative may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented, and communicated as part of the risk assessment process.
University of Texas System
In accordance with UT System Guidelines, UTS 165, the President maintains ultimate responsibility for security and the risk management program to protect information resources. Procedural responsibility has been delegated to the Vice President and Chief Information Officer, as the UT Health Science Center's Information Resources Manager (IRM). Implementation consists of an Information Security “Function” headed by the Chief Information Security Officer. This function reports to the IRM and is responsible for directing policies and procedures designed to protect Information Resources.
In accordance with UT Health Science Center's Policy, HOP 2.2.2, the President mandates that the Information Security Function establish an organization, processes, and procedures to:
- Manage the defined risk to UT Health Science Center's information resources, by implementing security safeguards commensurate with the value of the assets being protected.
- Protect the integrity of data, its source, its destination, and processes applied to it by assuring that changes to data are made only in authorized and acceptable ways.
- Ensure the availability and continuity of information resources supporting critical governmental services in the event of a disaster or business disruption.
- Identify, document, and address security requirements in all phases of development or acquisition of information resources.
- Implement information security measures to protect information assets against:
  - Accidental or unauthorized access
  - Modification or destruction
- Implement measures to assure UT Health Science Center's information:
INFORMATION SECURITY AND ASSURANCE
MED Rm 411L
Chief Information Security Officer
Michael Schnabel, CISSP