Principle 1: Security is everyone’s responsibility

If you noticed your neighbor’s house was on fire, you would call the fire department. You would want to help the neighbor and also ensure that the fire doesn’t spread to other homes. It takes a lot of people to protect your neighborhood. Everyone in the neighborhood has some responsibility to ensure everyone’s safety.

Information has a life of its own. It travels by many different methods; it is collected on paper forms, through Web sites and over the phone. It is processed by people and used in business transactions, such as transferring money or mailing bank statements. Information resides on desktops, laptops and servers.

No single person is responsible for the security of the information. It is the responsibility of everyone in the organization to ensure the privacy and accuracy of the information.

Those responsible for securing information include:

Managers, data custodians and system owners

These groups collaborate with business partners, technologists, employees and users to ensure that policies, procedures and best practices are implemented. They are aware of the risks of managing the information and of how it is processed. They identify resources for addressing these risks. They may lead efforts to:

  • Classify the information by understanding what information is vital to the organizational mission.
  • Document a security program to ensure that the organization understands the security controls and procedures.
  • Address risks as information systems are implemented, updated and taken offline.

Business partners

Business partners are responsible for processing the information. They collaborate with technologists to implement systems that digitally collect, store and transfer the information. Business partners collaborate internally and externally to build and maintain information systems. Business partners may work with:

  • System owners to classify information and to identify and address risks.
  • Technologists to build requirements that include secure management of information.
  • Employees, system users and vendors to build awareness of how to securely manage information, including how to comply with policies and procedures.

Employees

Employees are responsible for following the policies and procedures for managing the information in a secure manner. Examples include but are not limited to:

  • Shred documents with restricted data such as Social Security numbers, bank and account numbers, and health information. Maintain documents in accordance with the policies and practices of the archives and records management services.
  • Manage/secure workstations by using a strong password or passphrase, using anti-virus software and not storing restricted information on local workstations or mobile devices.
  • Report risks and incidents to system owners.

Technologists

Technologists develop, implement and maintain the information systems by setting up servers, developing code, administering applications, maintaining networks and building security controls and procedures. They implement controls and processes to protect the information. Their job functions include:

  • Implement access controls to enforce least privilege and separation of duties.
  • Establish good practices for managing changes to application code, servers and the network.
  • Protect the network by implementing network controls such as firewalls, intrusion detection/prevention devices and encryption of the information over the network.

Vendors

Business partners often rely on vendors as a solution for implementing services in a cost-effective manner. In contractual agreements, system owners and business partners should identify how the vendor should manage the information. Contractual agreements should include:

  • A statement of organizational policies and procedures that the vendor is responsible for following.
  • A statement that classifies the information.
  • Instructions for securing the information.

System users

System users are responsible for understanding the policies and procedures that apply to them. Unlike employees, they might not work for the system owner (for example, applicants to UW use our system but are not employees). They should also be aware of how to protect their identity information. System users will benefit from an understanding of:

  • The appropriate uses of the system.
  • Terms and usage agreements for the system.
  • If and how their information may be shared with other parties in specific situations.
  • How to create and maintain a strong password.
  • How to identify a trusted web site or email.