Information Security Roles & Responsibilities


Academic Personnel or Judicial Affairs

  • Supports the Information Security Officer and the Associate Vice President/Chief Information Officer in reporting, investigating, assessing and resolving potential security violations.


Associate Vice President, Information Technology Services & Chief Information Officer

  • Provides policy and operational guidance to the university.
  • Provides security standards and guides for protecting information assets.
  • Ensures compliance with existing campus information security policies, standards and procedures.
  • Coordinates with the Information Security Officer to develop and implement information security policies, standards and procedures.
  • Coordinates with the Information Security Officer, if needed, on the investigation, assessment, tracking, resolution and reporting of security issues involving information technology resources and reports potential criminal violations to the appropriate entities in a timely manner.
  • Coordinates with the campus Information Security Officer to evaluate the risk introduced by any changes to campus operations and systems.
  • Serves as the chairperson for the SJSU Information Technology Management Advisory Committee.
  • Notifies the Assistant Vice Chancellor for Information Technology Services if a breach of level 1 data has occurred.
  • Reviews information security risks at least annually.
  • Reviews Information Security Annual Report provided by the Information Security Officer.


Campus Information Security Committee

  • Reviews, provides feedback and recommends action to the Associate Vice President/Chief Information Officer to improve security policies and practices to protect SJSU’s digital information assets and the information technology resources used to access, transmit and store them.


Human Resources/Academic Personnel/Judicial Affairs

  • Investigates alleged security violations by individual students, faculty and staff to determine if disciplinary action is appropriate.
  • Interprets, recommends and imposes sanctions and discipline regarding security violations in accordance with existing policy and practice.


Information Authority/Owner

The Information Authority is identified by law, contract or policy with responsibility for granting access to and ensuring appropriate use of the information.

  • Responsibilities are identified in the SJSU Information Classification, Handling, Retention, and Inventory Standards.


Information Custodian/Steward

The information custodian/steward has operational responsibility for the physical and electronic security of information.

  • Responsibilities are identified in the SJSU Information Classification, Handling, Retention, and Inventory Standards.


Information Security Officer

  • Coordinates, administers, communicates and maintains the Information Security Program on behalf of the President.
  • Advises the President and campus leadership on information security matters.
  • Consults with campus administrators to ensure campus information security policies and standards meet campus goals.
  • Investigates, assesses, tracks, resolves and reports suspected violations of policies and procedures in coordination with appropriate entities.
  • Confers with the Associate Vice President/Chief Information Officer and Information Authorities on information security policies, standards, procedures, security violations, campus security risks and other security matters, as needed.
  • Provides input to the campus budget process regarding prioritization and required resources for security risk mitigation.
  • Responds to information security related requests during an audit and coordinates the CSU information security audits.
  • Serves as the campus representative on the CSU Information Security Advisory Committee.
  • Serves as chairperson for the SJSU Campus Information Security Committee (CISC).
  • Reviews and approves application data requests and authentication requests.
  • Notifies the CSU Chief Information Security Officer if a breach of level 1 data has occurred.
  • Oversees the campus incident response program, the information security awareness and training program, and annual self-assessment inventory processes.
  • Reviews computing equipment loss reports and security incidents and determines action needed, if any.
  • Provides annual Information Security Report, and Risk Assessment and Action Plan to the President, the Vice President of Administration and Finance and the Associate Vice President/Chief Information Officer.


Information Security Management Team

Membership: AVP/Chief Information Officer, Information Security Officer, Identity and Information Security Manager, Managing Sr. Director Infrastructure Services, and Sr. Director Information Services.

  • Reviews information security policies, incidents, audit responses and recommendations from CISC.
  • Determines need for information security product and service proposals.
  • Makes information security recommendations for policies, products and service implementation.
  • Provides information security training for campus staff (attendees at information security forum, LAN coordinator meetings, etc.).
  • Makes recommendations for information security training materials.


Information Users

Individuals who need and use university information as part of their assigned duties, or in fulfillment of assigned roles or functions within the university community.

  • Responsibilities are identified in the SJSU Information Classification, Handling, Retention, and Inventory Standards.


IT Management Advisory Committee

  • Reviews, provides feedback, and recommends action to the Associate Vice President/Chief Information Officer to improve security policies and practices to protect SJSU’s digital information assets, and the information technology resources used to access, transmit and store them.


President

  • Establishes an information security program, which is compliant and consistent with the CSU information security policy.
  • Reviews information security risks at least annually.
  • Reviews Information Security Annual Report provided by the Information Security Officer.
  • Notifies the Chancellor if a breach of level 1 data has occurred.


Property Office

  • Provides the Information Security Officer with a copy of the Computing Equipment Loss Report, which contains information about lost or stolen computing equipment.


University Police

  • Receives and investigates all reports of potential criminal law violations involving any computing device containing university information and any university information resources.


Users

  • Observe all laws, regulations, policies and procedures related to security of information and systems.
  • Protect the privacy rights of university faculty, staff and students.
  • Protect the physical security of information and systems assigned to them.
  • Report suspected violations of security policies and procedures for university information to their supervisor, who will then report it to the Information Security Officer and/or Information Technology Services, depending on the nature of the violation.


Vice President for Administration and Finance

  • Notifies the CSU Office of General Counsel of a breach of security to California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • Reviews information security risks at least annually.
  • Reviews Information Security Annual Report provided by the Information Security Officer.