This is draft documentation for the new Information Security Policy. We are actively developing this content and are soliciting feedback on it.
Every person at UMass Amherst has a responsibility to protect institutional information, research data, and information technology resources that they use or are otherwise within their control. These responsibilities vary based on the functional role of the individual. Depending on those functions, some individuals may have more than one role.
Information Security Program Management
The Chancellor has primary responsibility for campus information security and safety. The Chancellor may delegate authority for information security to the Vice Chancellor for Information Services and Strategy and Chief Information Officer.
Chief Information Officer
As a delegate of the Chancellor, the Vice Chancellor for Information Services and Strategy and Chief Information Officer (CIO), will provide executive oversight to the University of Massachusetts Amherst Information Security Program, will be apprised of Information Security activity, and will provide guidance and prioritization for Information Security efforts.
Chief Information Security Officer
The Chief Information Security Officer (CISO) is the University official with the authority to harmonize campus information security. The CISO is responsible for the development, implementation, and maintenance of a comprehensive information security program.
Vice Chancellors and Deans
The Vice Chancellors and Deans are responsible for program management oversight for the security of institutional information, research data, and information technology resources within their areas of purview, including taking steps to ensure the risks are appropriately managed.
Information Categorization and Management
Institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. For additional information, see Information Management.
Information Security Program Implementation
Vice Chancellors and Deans
Vice Chancellors and Deans also have oversight responsibility for the implementation of the information security program within their areas of purview. This includes being aware of information risks (e.g., research projects within their college) and working to ensure appropriate controls are in place.
Department Chairs, Supervisors, etc.
Individuals who are responsible for a portion of the campus, such as a program, center, or line of business, shall develop, as needed, more restrictive information security controls for better management of risk to the institutional information or research data for which they are responsible.
Supervisors may, at their discretion, create specific forms outlining the duties of their direct reports under the Information Security Policy for review, signature, or workplace performance.
The unit security liaison is the person or persons designated by the unit head as the primary contact for the Chief Information Security Officer (CISO). Their primary role is to share information security training in a manner that works for their unit, to be available for incidents, and to provide effective communication between the UMass Amherst IT Security Team and the college or division they represent. For more information, see Information Security Liaisons.
Chief Technology Officer
For central information technology resources, the Chief Technology Officer, in coordination with the Chief Information Security Officer, draws up technology architectural outlines, issues standards, and develops uniform templates for use by central IT and the campus community. For current technical architectural outlines, standards, and templates, see: https://umass.edu/it/architecture
A Service Administrator (e.g., application administrator, system administrator, or network administrator) is the individual with principal responsibility for the installation, configuration, and ongoing maintenance of an information technology system. For additional details on Service Administrator roles and responsibilities, see the Service Administrator Quick Reference Guide.
In accordance with the Information Security Policy, users must be aware of the value of information and they must protect information reasonably. Users must therefore follow the requirements for:
- Information technology resources;
- Institutional information; and
- Research data
In addition to the Information Security Policy, users must comply with the Acceptable Use of Information Technology Resources Policy and the Confidentiality of Institutional Information & Research Data Policy.