Skip to main content

Policy 8060 Data CISO Detail

Updated February 2016

The CISO is responsible for:

Policy oversight

The CISO must stay abreast of current legislation and how it affects security policy, standards, guidelines and planning. Additionally, the CISO must monitor activities and best practices relating to security at other institutions and follow the activities of organizations in higher education such as NACUBO and Educause.

User training and awareness

Effective information security requires a high level of participation from all members of the university and all must be well informed of their responsibilities as information custodians, users, managers and service providers. In cooperation with managers, OIT, and Human Resources the CISO is responsible for managing a university training and awareness program for all members of the university.

The CISO must manage efforts to ensure this policy as well as related policies, standards and procedures are distributed to the university community, using training classes and materials to instill the importance of proper information handling and the implications of this policy.

Oversight authority for university networks and systems
The CISO is responsible for overseeing network and system security for resources managed by or connected to any university computer or network.

Enhancements and revisions

In cooperation with other members of the university, the CISO must periodically reassess this policy and the related standards, procedures and guidelines to determine if revisions are needed to keep pace with the fast changing nature of information technology. If policy revisions become necessary, the CISO should seek input from all relevant constituencies within the university and then propose recommended policy changes to the Chief Information Officer and the Vice President for Finance and Administration.

Incident handling and reporting

If information resources are compromised, the university must take steps to remediate, respond to and recover from the incident. Depending on the nature of the incident, this could involve collecting and analyzing evidence, determining the responsible party, assessing damage, restoring data from backup files, closing security holes, installing stronger security measures, revising security guidelines and procedures, taking disciplinary action in accordance with university policies, reporting incidents to law enforcement. The CISO will further investigate incidents and work with the Cyber Incident Response Team(CIRT) in accordance with the Incident Response Procedure.

Internal audit

By conducting regular audits, the CISO is responsible for working with Internal Audit to determine whether information is being protected in conformance with this policy.