Information Resources Roles and Responsibilities Overview (IT)

The university and the state, among others, invest annually in electronic information resources so that each of us can be effective in our day-to-day activities. These resources, including computer systems, networks, and data, are all vulnerable to a variety of threats that could compromise the confidentiality, integrity, and availability of the information. Each of us is responsible for ensuring that appropriate safeguards remain in place to protect these investments.

Texas A&M University Rules and Standard Administrative Procedures (SAPs) exist to ensure compliance with State and Federal laws regarding the protection of electronic information resources. Where necessary, the College of Geosciences has procedures which describe the implementation of university rules and SAPs regarding information resources. These College of Geosciences information resource procedures will be reviewed annually to ensure compliance with TAMU Rules or SAPs.

This document identifies the essential elements of the applicable university Rules and SAPs. Included in several of the explanations are the procedures the IT staff use to meet the requirements for the information resources for which they are custodians. Also included are the forms the staff use to provide the necessary documentation of compliance. Per university policy, resource owners and custodians of information resources are responsible for complying with university policies; how individuals ensure compliance is ultimately left up to the individual. The Geosciences IT procedures and forms are provided as a courtesy. If you have questions about a specific SAP, please refer to the relevant Rule or SAP, or contact the Geosciences Web Helpdesk (help@geos.tamu.edu) or the university IT support group (helpdesk@tamu.edu).

To whom does this apply?

In short, everyone that uses or accesses electronic information resources (the procedures, computer equipment, computing facilities, software and data which are purchased, designed, built, operated and maintained to collect, record, process, store, retrieve, display, report and transmit information) has some role in information resource security. University Rule 29.01.03.M1 provides details, but if you have a computer, resource application or email account at Texas A&M University, you are responsible to some degree concerning system security and are expected to abide by all applicable parts of the University Rules and SAPs.

Two specific roles are defined by the university in regard to information resources:

  • The Owner of an information resource is responsible for determining the safeguards for and access to his or her information resources.

(If you are responsible for determining who has an account on an information system and what they can access, you are likely an owner.)

  • The Custodian of an information resource is responsible for implementing the owner-defined safeguards and access controls to an information resource.

(If you are responsible for creating accounts, installing software, configuring controls, and similar administrative functions for the owner, you are a custodian.)

An individual may have both roles for a given information system. These two roles have specific responsibilities to ensure compliance as discussed below.

What are my responsibilities as a resource owner, custodian or user?

All information resource owners, custodians and users must:

  • Classify the university data under their control according to university guidelines and protect it accordingly.
  • Immediately report breaches of security through the established reporting chain.

In addition, individuals having ownership or custodial responsibility for electronic information resources of Texas A&M University must:

  • Afford the appropriate safeguards to all information resources in accordance with TAC 202 and applicable University Rules and SAPs.
  • Assess their security posture and measure their compliance with TAC 202 and applicable University Rules and SAPs on an annual basis using tools provided by the university.
  • File the security assessment report on an annual (fiscal year) basis using tools provided by the university.
  • Meet information resource hygiene requirements, which may include, but are not limited to:
      • Computer platform management - security updating and patch management, remote access controls
      • User account management and documentation - creation, modification, removal, review and expiration
      • Privileged and special account management and documentation
      • Password-based authentication rules - length, complexity, expiration
      • Acceptable use and responsible computing
      • Scanning and vulnerability assessments
      • Authorized software
      • Network access and configuration
      • Physical security
      • Security incident reporting
      • Portable device protection
      • Privacy
      • Third-party access and security
      • Encryption of confidential, sensitive, payment card and protected health information
      • Wireless network access
      • Disaster recovery and business continuity

How do I meet my responsibilities?

Meeting your responsibility for data resources requires knowing the classification of the data you use (for example, Confidential, Sensitive or Public) and following university policies and procedures for protecting that data as appropriate. Certain classifications of data, such as Confidential, have specific protections that must be afforded. Other classifications, such as Public, have very few specific protections that must be afforded, since there is no need to keep that data out of the public eye.

Resource owners are responsible for seeing that accurate, annual assessments of IT risk are performed on their resources and that any deficiencies found are addressed as part of a risk management process. Resource custodians are required to submit an annual risk assessment through the university-provided assessment and reporting system (ARCHER). The college has created procedures and forms to assist in meeting these university requirements. The college procedures provide a documentation framework to ensure compliance with university requirements. Implementation of these or individual procedures is the responsibility of the resource owner.

What if I don't?

The consequences posed by a lack of compliance are real. Improperly protected information resources expose the individual, college and university to increased risk which could result in violation of state and federal law, loss of funding opportunities, degradation of individual and institutional reputation, civil litigation, or even criminal prosecution. Access to university networks may be removed for individuals failing to comply with the university requirements.

University SAPs and Rules Pertaining to Information Resources

Below are links to the relevant university SAPs and Rules pertaining to information resources.

  • Security of Electronic Information Resources (Rule 29.01.03.M1)
      • Network Scanning and Vulnerability Assessments (SAP 29.01.03.M1.01)
      • Information Resources - Acceptable Use (SAP 29.01.03.M1.02)
      • Information Resources - Account Management (SAP 29.01.03.M1.03)
      • Information Resources - System Administrator and Special Access (SAP 29.01.03.M1.04)
      • Information Resources - Authorized Software (SAP 29.01.03.M1.05)
      • Information Resources - Backup and Recovery (SAP 29.01.03.M1.06)
      • Information Resources - Change Management (SAP 29.01.03.M1.07)
      • Information Resources - E-mail Use (SAP 29.01.03.M1.08)
      • Information Resources - Crisis Management (SAP 29.01.03.M1.09)
      • Information Resources - Internet and Intranet Use (SAP 29.01.03.M1.10)
      • Information Resources - Intrusion Detection (SAP 29.01.03.M1.11)
      • Information Resources - Network Access (SAP 29.01.03.M1.12)
      • Information Resources - Network Configuration (SAP 29.01.03.M1.13)
      • Information Resources - Password-based Authentication (SAP 29.01.03.M1.14)
      • Information Resources - Physical Security (SAP 29.01.03.M1.15)
      • Information Resources - Portable Devices: Information Security (SAP 29.01.03.M1.16)
      • Information Resources - Privacy (SAP 29.01.03.M1.17)
      • Information Resources - Security Monitoring (SAP 29.01.03.M1.18)
      • Information Resources - Security Awareness and Training (SAP 29.01.03.M1.19)
      • Information Resources - Platform Management (SAP 29.01.03.M1.20)
      • Information Resources - Security Life Cycle for Information Systems (SAP 29.01.03.M1.21)
      • Information Resources - Vendor, Third Party, and Cloud Services Security (SAP 29.01.03.M1.22)
      • Information Resources - Compromises and Vulnerability (SAP 29.01.03.M1.23)
      • Information Resources - Notification of Unauthorized Access, Use or Disclosure of Sensitive Personal Information (SAP 29.01.03.M1.24)
      • Information Resources - Use of Peer-to-Peer File Sharing Software (SAP 29.01.03.M1.25)
      • Information Resources - Information Security Risk Assessment Reviews (SAP 29.01.03.M1.26)
      • Exclusions from Required Risk Mitigation Measures (SAP 29.01.03.M1.27)
      • Information Resources - Security Surveillance (SAP 29.01.03.M1.28)
      • Data Classification and Protection (SAP 29.01.03.M1.29)
      • Information Resources - Wireless Access (SAP 29.01.03.M1.30)
      • Encryption of Confidential, Sensitive, and Protected Health Information (SAP 29.01.03.M1.31)
      • Information Resources - Disaster Recovery Planning (SAP 29.01.03.M1.32)
      • Information Resources - Firewalls (SAP 29.01.03.M1.33)
      • Information Resources - Project Management (SAP 29.01.03.M1.34)
      • Information Resources - Electronic and Digital Signatures (SAP 29.01.03.M1.35)
  • Rules for Responsible Computing (Rule 29.01.03.M2)
      • Employee Email (SAP 29.01.03.M2.01)
      • Official University Photos (SAP 29.01.03.M2.02)
  • Incidental Computer Use (Rule 29.01.03.M3)
  • Accessibility of Electronic Information Resources (Rule 29.01.04.M1)
      • Web Accessibility and Usability Procedures (SAP 29.01.04.M1.01)