10.03.06 – College/Division Responsibilities for Information Technology Resources
Section: Information Technology
Area: User Guidelines
I. PURPOSE AND SCOPE
This document delineates responsibilities of the colleges and divisions for the management of information technology resources under their purview. Business and academic processes are dependent on computers and computer-based information systems. The application of federal and state laws, industry standards and contractual obligations require management oversight and uniform policies for the governance of information technology resources. Given this environment, roles and responsibilities for managing departmental information systems will be developed at the unit level to ensure implementation of controls, safeguarding of departmental information technology resources, and compliance with related university policies.
II. POLICY
A. The management of each college, division and unit is responsible for the administration and protection of its information technology resources, and for ensuring compliance with this and other university information technology policies, and the Texas Administrative Codes applicable to institutions of higher education, which are administered by the Texas Department of Information Resources (http://www.sos.state.tx.us/tac/index.shtml). College and division management will develop departmental policies and procedures, and establish internal controls to address the use of information technology resources in the following areas:
1. Risk Management: Assess departmental functions and activities at risk; develop strategies and implement plans to mitigate risk, including the protection of data, and incident handling and priority notification procedures; justify and document areas where unit management has chosen not to implement comprehensive risk mitigation measures (acceptance of risk).
2. Resource Security: Develop appropriate administrative, technical and physical security controls over information resources; ensure proper information back-up and record retention procedures.
3. Service Continuity Management: Develop and implement plans to ensure the timely restoration of essential departmental information technology functions (administrative, research, instruction, etc.) and information in the event of a disaster or significant interruption of normal business activities.
4. Resource Management: Plan for lifecycle management – acquisition, maintenance, and disposal – of information resources (hardware and software).
5. Project Management: Plan and manage projects using practices with appropriate levels of integration, scope, schedule, cost, quality, resources, communications, risk, and procurement management.
B. Each college and division will assign the following roles for the management of information technology resources:
1. College/Division Information Resource Manager (C/D-IRM): The most senior administrator who is responsible for managing, acquiring and/or developing, and securing the college or division's information resources, including related information technology planning, technology project and portfolio management, and compliance processes. This role is often filled by a college's assistant/associate dean or a division's assistant/associate vice president. For the scope of their job that involves management of information resources, they shall have a dotted reporting line to the university's chief information officer. The C/D-IRM is responsible for ensuring an Information Resource Management Plan is created and maintained for their area.
2. College/Division Technology Manager (C/D-TM): An IT professional who is responsible for managing the college or division's daily information technology operations and projects, including the definition of IT opportunities and needs for review/approval by the C/D-IRM, and the execution of approved projects in accordance with established policies and standards. This role is often filled by a director or manager and should report to the C/D-IRM.
3. College/Division Information Security Officer (C/D-ISO): The employee responsible for managing the college or division's information security functions in accordance with the established policies and guidelines. This role is often filled by a director or manager and should report to the C/D-IRM or directly to the vice president of the division or dean of the college. For the scope of their job that involves information security functions, they shall have a dotted reporting line to the university's chief information security officer.
C. In addition to on-going services to students, faculty and staff, and oversight of enterprise-level software and systems, the University Information Technology (UIT) Department will provide to college/division information technology providers consultative, best practice services for the areas described in Section II.A., including:
1. Facilitating university-wide coordination and planning related to the information technology areas described in Section II.A.
2. Training to college/division-based technical support staff.
3. Templates, guidelines, and reference materials.
4. Coordination of meetings of the C/D-IRMs, C/D-TMs, C/D-ISOs, and relevant subject matter experts.
5. As-needed facilitation of college-based IT initiatives.
D. The university will safeguard its information assets in all areas of operation. Therefore, each unit will adhere to applicable requirements of:
1. Gramm-Leach-Bliley Act (GLBA) : Requirement of institutions engaged in financial transactions to protect the security and confidentiality of customers' nonpublic personal information.
2. Family Educational Rights and Privacy Act (FERPA) : Protects the privacy of student education records.
3. Health Insurance Portability and Accountability Act (HIPAA) : Health information privacy and security standards.
4. Texas Administrative Code - Information Security Standards (1 TAC 202) : Texas state regulations for the protection of the information assets of state agencies and universities.
5. Texas Administrative Code: Project Management Practices (1 TAC 216) : Texas state regulations for the management of IT projects conducted by state agencies and universities.
6. Payment Card Industry (PCI) Data Security Standard : Credit card company's information security standard for the protection of cardholders' data required of all merchants and entities accepting credit cards or processing credit card transactions.
7. Other applicable statutory requirements, contractual obligations and industry standards regarding the protection of information and information assets.
III. GENERAL PROVISIONS
A. UIT will provide materials and training to facilitate departmental compliance with this policy. UIT is available for consultation upon request.
B. Colleges and divisions will review their procedures annually and update them as appropriate.
Issued: 04/07/2008
Last Reviewed/Revised: 11/22/2022
Responsible Office(s): University Information Technology