Data Governance Policy: IF
PURPOSE:
The SPC Guidelines for Data Standards, Data Integrity and Security document designates authority and responsibility for the ownership of the College enterprise operational data. Commensurate with these designated roles, the specified Data Owners and Data Custodians are designated the responsibility of ensuring the security of information is maintained by establishing controls to confirm compliance with official procedures and policies.
SCOPE:
The SPC Data Governance policy applies equally to all Data Owners and Data Custodians.
POLICY STATEMENT:
The following distinctions among owner, custodian, and user responsibilities guide determination of the roles:
Data Owner
The owner or his or her designated representative(s) are responsible for:
- classifying information under their authority, with the concurrence of the SPC President or his or her designated representative(s), in accordance with SPC’s established information classification categories;
- approving access to information resources and periodically reviewing access lists based on documented risk management decisions;
- formally assigning custody of information or an information resource;
- coordinating data security control requirements with the Information Security Officer (ISO);
- conveying data security control requirements to custodians;
- providing authority to custodians to implement security controls and procedures;
- justifying, documenting, and being accountable for exceptions to security controls. The information owner shall coordinate and obtain approval for exceptions to security controls with the SPC ISO; and
- participating in risk assessments as provided under §202.75 of the Texas Administrative Code.
Data Custodian
Custodians of information resources, including third-party entities providing outsourced information resources services to SPC, shall:
- implement controls required to protect information and information resources required by this program based on the classification and risks specified by the information owner(s) or as specified by the policies, procedures, and standards defined by the SPC Information Security Program;
- provide owners with information to evaluate the cost-effectiveness of controls and monitoring;
- adhere to monitoring techniques and procedures, approved by the ISO, for detecting, reporting, and investigating incidents;
- provide information necessary to provide appropriate information security training to employees; and
- ensure information is recoverable in accordance with risk management decisions.
Users
The user of an information resource has the responsibility to:
- use the resource only for the purpose specified by SPC or the information owner;
- comply with information security controls and institutional policies to prevent unauthorized or accidental disclosure, modification, or destruction; and
- formally acknowledge that they will comply with the security policies and procedures in a method determined by the SPC President or his/her designated representative.
Data Owners and Data Custodians must:
- No less than annually, document a complete review of parties having access to data under their area of responsibility.
- Ensure data access reviews are performed more frequently, as deemed necessary by the Data Owner, relative to the risk of the data accessed.
- Ensure any staffing changes are reflected in access authorizations, as necessary, in a timely manner.
- Ensure data access requests are reviewed, and granted or denied as appropriate based on essential College documented need, in a timely manner.
- Ensure controls are established as required, or deemed necessary by the Data Owner, to ensure information security is maintained.
- Maintain documentation of compliance with this policy.
Office of Institutional Research and Reports (IR)
The Office of Institutional Research aggregates, compiles, analyzes and reports college data. The IR Office serves as the primary source of accurate, consistent, definition-driven data at South Plains College. Data distributed by the IR Office is endorsed as correct and trustworthy and serves as the authoritative source of institutional information. Data used for strategic planning purposes and general research originate from the IR Office.
IR facilitates and supports data governance activities by:
- maintaining a record of data owners and data custodians;
- overseeing data elements used for mandatory federal and state reporting;
- assisting with data care in the forms of communication, information access, record keeping and education/support for the data owners and data custodians;
- providing support to data owners and data custodians to help support data quality/integrity, validity, and reliability;
- facilitating and coordinating data analysis and issue analysis projects;
- collecting metrics and success measures and reporting them to data owners and data custodians; and
- maintaining data governance records.
The Information Security Officer
The Associate Dean of Information Services at South Plains College serves as the Information Security Officer (ISO) and in that capacity shall report directly to executive level management through the Executive Director of Administrative Services to the Vice President for Business Affairs. The ISO has the authority for information security for the entire college and possesses training and experience required to administer the functions described below.
The ISO is responsible for:
- developing and maintaining a college-wide information security plan as required by §2054.133, Texas Government Code;
- developing and maintaining information security policies and procedures that address the requirements of this program and the institution's information security risks;
- working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this program and the institution's information security risks;
- providing for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities;
- providing guidance and assistance to SPC senior officials, information owners, information custodians, and end users concerning their responsibilities under this program;
- ensuring that annual information security risk assessments are performed and documented by data owners;
- reviewing the SPC inventory of information systems and related ownership and responsibilities;
- developing and recommending policies and establishing procedures and practices, in cooperation with the SPC Information Resources Manager, Office of Institutional Research and Reports, data owners and data custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure;
- coordinating the review of the data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data;
- verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data;
- reporting, at least annually, to the SPC President the status and effectiveness of security controls; and
- informing the parties in the event of noncompliance with this chapter and/or with SPC’s information security policies.
The ISO, with the approval of the SPC President, may issue exceptions to information security requirements or controls in this program. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
The SPC Information Security Officer (ISO) is designated the authority for oversight of this policy.
The ISO will:
- Perform periodic reviews to assure compliance with this policy.
- Notify the executive council of identified concerns and risks.
Data Owners:

| Module | Title |
| --- | --- |
| Academic Records | Dean of Enrollment Services |
| Admissions | Dean of Enrollment Services |
| Accounts Receivable | Director of the Business Office |
| Cash Receipts | Director of the Business Office |
| Curriculum Management | Director of Institutional Research |
| Financial Aid | Director of Financial Aid |
| Federal/State Reporting | Director of Institutional Research |
| Faculty Information | Director of Human Resources |
| Recruit | Associate Dean of Marketing and Recruitment; Dean of Enrollment Services |
| Registration | Registrar |
| Residence Life | Associate Dean of Students |
| Retention Alert | Director of Advising and Testing |
| Human Resources | Director of Human Resources |
| Payroll | Payroll Coordinator |
| Finance (GL, Fixed Assets) | Vice President for Business Affairs |
| Purchasing | Director of Purchasing |
| Advancement | Vice President for Institutional Advancement |
| Accounts Payable | Vice President for Business Affairs |
| Colleague Administration | Director of Enterprise Applications |
Data Custodian:

| Custodian | Scope |
| --- | --- |
| SPC IT | System Administration including Colleague, Perceptive Content, SQL |
DEFINITIONS:
Data Access Review: The review and documentation of parties having access to data under the Data Owner’s area of responsibility.
Data Custodian: The person responsible for overseeing and implementing physical, technical, and procedural safeguards specified by the data owner.
Data Owner: Departmental position responsible for classifying business data, approving access to data, and protecting data by ensuring controls are in place.
Information Security Officer (ISO): The Associate Dean of Information Services will perform the duties of the ISO, and in this capacity reports to the Executive Director of Administrative Services.
Related Policies, References and Attachments:
An index of approved SPC-IS policies can be found on the SPC Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
DIR Security Controls Catalog Control Group: AR-1
Approved by Executive Council: September 9, 2019
Next Review: October 1, 2020