Data Security Roles and Responsibilities
Information Security Officer
University official who has oversight responsibility for the University's data security program as well as
compliance with relevant regulations, security policies, standards and guidelines. The Information Security Officer(s):
- Review Clark data security policies to ensure alignment with current practices and regulatory requirements.
- Oversee data security policies and their enforcement.
- Oversee risk assessments and document identified risks to data.
- Work with Regulation Monitors and Data Managers to ensure all third-party vendors with access to Clark data are compliant.
- Oversee reported policy violations and data security investigations; report suspected data breaches.
- Serve as the point person(s) for all external inquiries involving data security compliance issues.
- Annually review Clark's Information Security program.
- Pennie Turgeon, VP for Information Technology Services & CIO, is the University's Information Security Officer.
Regulation Monitors
University officials who have oversight responsibility for one or more regulations. Regulation Monitors stay
abreast of updates to their respective regulations, ensure policies are up to date and notify the Information Security
Officer and Data Managers about changes. Current Regulation Monitors are:
- FERPA – University Registrar (Rebecca Hunter)
- USA Patriot Act – Director of Administrative Systems (Sue Tellier)
- PCI DSS & PCA/DSS – Controller (Kathy Cannon)
- GLBA – Director of Financial Aid (Mary Ellen Severance)
- HIPAA – Director of Human Resources (Jackie Capomacchio)
- Federal Rules of Civil Procedure (specifically e-Discovery) – Director IT Systems and Security (Joe Kalinowski)
- Red Flags Rule – Director of Student Accounts (Tammy Hearnlaye)
- Massachusetts' Standards for the Protection of Personal Information – Director of Financial Aid (Mary Ellen Severance)
- Mass Crime Law – Director IT Systems and Security (Joe Kalinowski)
- Computer Fraud and Abuse Act – Director IT Systems and Security (Joe Kalinowski)
- Sarbanes-Oxley – Controller (Kathy Cannon)
- Personal Data Privacy and Security Act – Associate Dean (Kevin McKenna)
- Identity Theft Protection Act – Associate Dean (Kevin McKenna)
Data Managers
University officials who have planning and policy-level responsibilities for data in their functional areas are
considered Data Managers. The Data Managers, as a group, are responsible for recommending policies, establishing
procedures and guidelines for university-wide data administration activities, and training of Data Users on the
proper handling of data. Data Managers, as individuals, have operational-level responsibility for information management
activities related to the capture, maintenance, and dissemination of data. Data Managers are responsible for developing
and applying standards for the management of institutional data, and for ensuring that Data Users are appropriately informed
of security obligations associated with their data access. For historical reasons – because data and the responsibility
for data have traditionally been organized along functional or subject-area boundaries – the Data Managers are established
according to this same subject-area organizing principle. Current Data Managers are:
- Financial Data: Controller (Kathy Cannon)
- Financial Aid Data: Director of Financial Aid (Mary Ellen Severance)
- Academic Data: University Registrar (Rebecca Hunter)
- System/Log Data: Director of IT Systems and Security (Joe Kalinowski)
- Constituent Data:
  - Prospective Students: Director of Admissions Operations (Terry Malone)
  - Student – academic records: University Registrar (Rebecca Hunter)
  - Student – non-academic records: Dean of Students (Denise Darrigrand)
  - Faculty/Staff: Director of Human Resources (Jackie Capomacchio)
  - Alumni/Donor: Asst. VP, Advancement (Andrea Marth)
Data Custodians
Responsible for providing a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges to system users as authorized by Data Managers, and implementing and administering controls over the information. In many cases at Clark, the role of Data Custodian is a shared responsibility, with ITS being responsible for physical security support (secure facility, backup and recovery), and the applicable Data Manager having responsibility for access and control over the information.
A list of current Data Custodians and the systems that are reviewed annually for compliance is maintained by Clark's Information Security Officer (Pennie Turgeon).
Data Users
View, copy or download data as part of their assigned duties or in fulfillment of their role in the university community. All Data Users have an obligation to understand the security responsibilities associated with their level of data access. They also may be asked to sign appropriate confidentiality statements.
Date of Creation: February 25, 2009
Date of Last Revision: September 23, 2014