Roles and Responsibilities

This table provides roles and responsibilities in relation to specific standards.

Role Responsibilities Standard(s)
Account Administrator Those who support Accounts by adding, modifying, or assigning account attributes such as passwords, access, roles, etc. Account Management
Account Holder The individual or group which is assigned the Account Account Management
Applications/Module Administrator Ensures that applications/modules are in compliance with RIT Information Security standards. Server
Application Owner Ensures that the application is supported by an application administrator and a systems administrator. Server
Business Continuity Office Provides guidance and assistance to process/function owners regarding the identification of processes/functions and vital records, particularly those classified as critical. Ensures critical processes/functions are included in the academic/business continuity system. Academic/Business Continuity and Disaster Recovery
Data Owner The data owner is the authority responsible for establishing standards/guidelines for granting and revoking access privileges. Account Management
End Users
  • Ensures that all assigned RIT-owned or leased desktop and portable computers that connect to the Institute network meet the minimum standards set forth above.
  • Ensures that all personally-owned portable media that may contain Private or Confidential information meet the minimum standards and follows the Information Access and Protection Standard.
  • In order to enhance compliance with the Standards, end users may engage support personnel such as systems administrators. The burden for compliance with each standard falls on each end user.
  • Report loss or compromise of portable media containing Private or Confidential information in accordance with the Computer Incident Handling Process standard.
  • End users who have administrator rights or the ability to share systems are defined as systems administrators.
  • Ensures that all passwords for accounts on computing and networked resources owned or leased by the Institute meet the minimum standard
  • Complies with the Information Access and Protection Standard and any management directives regarding the handling of Confidential or Private information
  • End users are responsible for reporting security incidents. End users whose failure to comply with relevant RIT Security Standards results in a security incident are subject to the sanctions provided in RIT’s Code of Conduct for Computer and Network Use.
All
Information Security Officer The person responsible for issuing security standards based on legal context, threats and the needs of the Institute for protection. The ISO champions implementation efforts, facilitates recognition and communication of best practices, offers acceptable alternatives, and provides exceptions as appropriate. The staff of the Information Security Office provides communication and training materials as appropriate. All
Information Trustee (VP or Provost)
  • Comprehends the risks associated with each security standard and information at RIT
  • Provides direction to all students, faculty, staff and contractors within his or her domain to ensure full compliance with the Standards, and with all other requirements the Information Trustee may wish to impose. The Information Trustee is encouraged to assign a member of his/her organizational unit the responsibility of coordinating compliance with this and other information security standards
  • Prioritizes Critical Processes/functions
All
Information Security Coordinator The person responsible for acting as an information security liaison to their colleges, divisions, or departments. Responsible for information security project management, communications, and training for their constituents. All
Institute Audit, Compliance & Advisement (IACA) IACA reviews compliance with this Security Standard (and all Security Standards) as part of departmental audits. All
IT Organization Build systems and processes/functions to ensure that certified and funded RTOs and RPOs identified by academic/business units are supported. Develop disaster recovery plans to support academic/business continuity and disaster recovery plans. Academic/Business Continuity and Disaster Recovery
IT Support Personnel Ensures that the incident handling processes detailed in Section 5.0 are followed. If an alternate plan is proposed, the IT support personnel should review the plan with the respective Information Trustee and the Information Security Office by the compliance date of the standard. Computer Incident Handling Process
Network Administrator
  • Ensures that all existing supported Network Devices are configured to support the minimum standard, or an alternate plan for risk management is provided to the CIO/Security Program Manager and the Information Security Office in accordance with the Exception Process
  • Ensures that all newly-supported Network Devices are configured to support the minimum standard.
Network
Process/Function Owners
  • Ensure that all academic/business processes/functions are identified and that each critical process/function is classified appropriately with an RTO and RPO (as applicable).
  • Ensure that vital records are identified. Ensure this information is provided to the Business Continuity Office for entry into the academic/business continuity system.
  • Communicate IT support requirements to appropriate organization
Academic/Business Continuity and Disaster Recovery
Procurement May assist with RFP preparation and vendor selection. Reviews and revises contracts; negotiates contract terms. Solutions Life Cycle Management
Project Management Office (PMO) Coordinates the prioritization, evaluation and implementation of IT projects. Solutions Life Cycle Management
RIT Faculty or Staff Member Ensures that all e‑mails they send that are related to Institute business comply with the standard. Signature Standard
Solution Administrator Ensures that all solutions are configured to support the minimum standards set forth above, or that an alternate plan for risk management is provided to their Information Trustee in accordance with the Exception Process. Solutions Life Cycle Management
Solution Owner Ensures that the proposed solution is submitted to the ISO for review, that any proposed changes are evaluated against security requirements, and that the solution is maintained by the solution administrator. Solutions Life Cycle Management
System(s) Administrator
  • Those who are members of an organization that supports enterprise, division, or department level IT services. System administrators within their area of responsibility facilitate end-user privilege management and implement operating procedures to conform to campus information security standards and guidelines.
  • Ensures that all existing RIT-owned supported portable media that may contain Private or Confidential information are configured to support the minimum standards set forth above, or that an alternate plan for risk management is provided to their Information Trustee.
Account Management, Information Access and Protection
Systems, Applications, or Web Page Administrator

Includes network and systems administrators who support systems containing Confidential or Private information. They may

  • implement technical access controls based on RIT Information Security Standards
  • verify the transition of data rights from departing or former employees or contractors to current employees or contractors
  • provide technical support for the information’s integrity, business continuity, and electronic data retirement or destruction.
Information Access and Protection
System Owner The system owner is ultimately responsible for providing the system’s service/functionality to the campus. Often the system owner is a manager/director, department chair, or dean. The system owner is responsible for ensuring that operating procedures are developed which meet the standards/guidelines outlined by the Data Owner. Account Management
Third Party Complies with the Information Access and Protection Standard and any RIT management directives regarding the handling of Confidential or Private information. Accesses Confidential or Legally-Regulated information only when specifically authorized. Information Access and Protection
Volunteers Includes trustees, agents, members of affiliate groups, etc., who are loosely affiliated with RIT but who are not employees. Volunteers comply with this standard and any RIT management directives regarding the handling of Confidential or Private information. Volunteers have limited access to Confidential or Private information. Information Access and Protection
Web System Administrator The person responsible for ensuring the server providing web services and applications is compliant with the Server Standard. This person ensures that all web servers are configured to support the minimum standard. Web
Web Services/Application Administrator The person responsible for the administration of a web service or application. This person ensures that all web services and applications (including web tools) are configured to support the minimum standard. The web services/application administrator is responsible for ensuring that third-party applications meet the standard. Web
Web Content Administrator A person responsible for the development and administration of content in a web service or application. Web