All Towson University (“the university”) employees, students, affiliates, and others
granted access to university data or university information systems are responsible
for understanding the terms and conditions under which they may access and use university
data. These guidelines define the roles and their required responsibilities.
For data classification and definitions, please see the University’s Data Classification Standards.
Everyone at TU should follow the Cybersecurity Incident response process to report
any possible data breach. If you have questions or comments about these Roles and Responsibilities guidelines,
please contact us.
Roles and Responsibilities
University President
The President of the University has ultimate responsibility for the University’s Information
Security Program and, specifically, the protection of confidential and protected data
as part of the University’s Data Governance Program. The President has delegated responsibility
for the Information Security Program and the Data Governance Program to the Chief Information Officer and Data Trustees.
Chief Information Officer
The Chief Information Officer (CIO) is the individual designated to have executive
oversight of the University’s Information Security Program and Data Governance Program,
and for the evaluation and classification of data. The CIO is also responsible for
leading the Data Governance Committee (DGC).
Data Trustee
This senior-level employee (e.g. Provost, Vice Presidents, etc.) reports to the President
and has authority over policies, standards and guidelines, and overall university
strategy regarding the confidentiality, integrity, availability and quality of data
within their delegations of authority. Responsibilities of a Data Trustee include:
- Establish policies and direction for the overall security and privacy of all university
data, particularly highly sensitive data, within their respective areas of responsibility.
- Appoint and oversee a Data Steward(s) for data within their delegation of authority.
- Appoint appropriate representative individuals to the Data Governance Committee.
- Review appeals to decisions that denied access to university data within their area
of responsibility.
Data Steward
A Data Steward oversees the lifecycle of one or more subsets of university data and
is responsible for data access and policy implementation issues. The Data Steward
works closely with their Data Trustee to ensure proper classification and management
of the data they oversee. Responsibilities of a Data Steward should not be delegated
and should be performed by the appointed individual. They include:
- Oversee access and protection requirements to ensure they are consistent with University
policies and that data classifications are in place.
- Monitor the integrity and quality of all data within their area of responsibility.
- Establish definitions of the data assigned to them.
- Establish the appropriate classification of data assigned to them and manage updates
to the classification based on changes in university policies and standards, as well
as USM, state, and federal regulations.
- Provide guidance to departments and individuals within the area of responsibility
on data access and policy implementation.
- Review and approve requests for data, as appropriate.
- Determine the appropriate criteria for obtaining access to university data.
- Identify and coordinate on an ongoing basis with Data Custodians utilizing data in
their delegation of authority.
Data Governance Committee (DGC)
The DGC is the managing authority for the University’s Data Governance Program. The
DGC strategically and proactively addresses issues related to data and information
management across the university. Specific oversight responsibilities include:
- Develop and implement a university-wide data governance program, and document and
disseminate data governance policies and procedures.
- Establish policies and direction related to the confidentiality, integrity, availability,
and quality of University data.
- Coordinate compliance requirements related to laws and regulations that have information
management implications.
- Recommend and approve controls or plans for assessing data management value and risk.
- Advise on university-wide data management practices for decision-making, including
master data management and business intelligence.
- Review and approve requests for data that would transition applications to a higher
risk level.
Chief Information Security Officer (CISO)
The CISO is the individual designated by the CIO as responsible for the development,
implementation, oversight, and maintenance of the University’s Information Security
Program. The CISO distributes Information Security Data Protection standards by data
classification level that assist Data Stewards in establishing the controls necessary
for the data in their delegation of authority.
Director of Enterprise Applications & Analytics
The Director of Enterprise Applications & Analytics is the individual designated by
the CIO as responsible for the IT processes and controls that ensure information
at the data level is true, accurate, and unique (not redundant) and aligns with
the business objectives of the University. This role provides leadership, guidance,
awareness, and operational support for the data governance program.
Data Governance Lead
The Data Governance Lead is responsible for coordinating the formation and execution
of the data governance framework, policy, standards, and communication. This role assists
in the implementation and maintenance of an enterprise data governance program and
participates in projects that involve any of the data flows and processes.
University Data Custodian
University Data Custodians are responsible for protecting all University data from
unauthorized access, alteration, destruction, or usage and for providing Application
Data Custodians and Data Managers with requirements to protect the confidentiality,
quality, and availability of data within their application. Responsibilities include:
- Develop policies, procedures, and guidelines for management, security and access to
data according to University policies and standards as well as state and federal regulations.
- Provide guidance to the Data Manager on technical safeguards and requirements as required
by the Data Classification.
- Assist in establishing necessary security and access requirements for data in electronic
form.
- Coordinate activities of the Application Data Custodian and Data Manager when changes
made by the Data Trustee, Data Steward, or Data Governance Committee require alterations
to administrative, operational, and/or technical controls within the application.
- Audit all applications on a continuous basis to ensure compliance with requirements.
- Understand and report on security risks and their impacts.
- Provide guidance on awareness or training needs required by users for access to University
applications.
Application Manager
The Application Manager is responsible for operation and maintenance of a University
application or set of applications. With respect to Data Governance, the Application
Manager establishes security awareness and maintains compliance with federal and state
regulations, University policies, and data classification standards for the application(s)
in their delegation of authority. The Application Manager may also be an Application
Data Custodian. Responsibilities include:
- Oversee the confidentiality, integrity, and availability of the application(s) for
which they are responsible.
- Promote security awareness and training for users of the application(s).
- Maintain compliance with federal and state regulations, University policies, standards
and guidelines in all application activities.
- Designate and delegate responsibility to an Application Data Custodian and Data Manager
for the application.
Application Data Custodian
An Application Data Custodian implements, manages, and operates an application or
set of applications. The Application Data Custodian has responsibility for application-specific
technical considerations regarding the confidentiality, integrity, availability and
quality of data within a specific application. Depending on the size or complexity,
an application may have more than one Application Data Custodian. An application should
have both an Application Data Custodian and a Data Manager. To ensure proper separation
of duties, an Application Data Custodian should not be the same individual as the
Data Manager. Based on the risk profile, the Director of Information Security may allow
both roles to be managed by one individual. The Application Data Custodian may also be
the Application Manager. Responsibilities include:
- Provide a secure and stable infrastructure in support of the data, including usability,
reliability, integrity, physical security, and backup and recovery processes.
- Implement appropriate physical and technical safeguards to protect the confidentiality,
integrity, and availability of University data, and identify possible security risks/gaps.
- Implement technical controls at the direction of the University Data Custodian.
- Ensure appropriate handling of data given the data classification assigned by the
Data Steward.
- Understand how application data are stored, processed, and transmitted given the data.
- Provide user access to data as defined by the Data Steward and approved by Data Manager.
- Review user access and work with the Data Manager to have role changes (e.g., new roles,
role changes, etc.) approved as appropriate, and remove user access as necessary.
- Understand and report on security risks and their impacts.
- Ensure that responsibilities within their office and delegated to third party vendors
or other custodians are met.
Data Manager
A Data Manager has direct, day-to-day operational responsibility for university data
within an application or multiple applications. There may be multiple Data Managers
for a given application. To ensure proper separation of duties, a Data Manager should
not be the same individual as the Application Data Custodian or the Application
Manager. In special circumstances, the Data Governance Committee may review and approve
having both roles managed by one individual.
Responsibilities include:
- Implement appropriate procedural and operational safeguards to protect the confidentiality,
integrity, availability, and quality of University data working in conjunction with
the application data custodian.
- Perform analysis and provide recommendations in coordination with other Data Custodians
when requests for data are being considered.
- Ensure appropriate handling of data given the data classification assigned by the
Data Steward.
- Understand how application data are stored, processed, and transmitted.
- Ensure compliance with requirements as specified by the Data Stewards for the handling
of data processed by the application.
- Ensure users of the application are aware of and compliant with the data classification
standards and data governance policy.
- Ensure that responsibilities within their office and delegated to technical administrators,
third-party vendors, or other parties are met.
Data User
For the purpose of data governance, a Data User is any employee, contractor, or duly
authorized member of the community who is authorized to access university systems
or data. Individuals who are given access to sensitive data have a position of special
trust and as such are responsible for protecting the security and integrity of that
data. Any university employee with access to university data can be considered a Data
User. Responsibilities include:
- Protect all data and access to data in their care. Recipients of Confidential Data
are responsible for maintaining the restricted nature of the data.
- Use data and access to data only as required in the performance of legitimate University
functions and their job.
- Adhere to applicable Federal and State laws, requirements of any applicable contracts,
and University policies, standards and procedures as part of the University’s Data
Governance Program.
Responsible Executive and Office
Responsible Executive: Vice President for Administration & Finance and Chief Financial Officer
Responsible Office: Office of Technology Services (OTS)
Related Policies & Guidelines
Information Technology Security Policy, Data Governance Policy, Standards for Data Classification