
What Is My Role?

 

Our Data Systems: Taking Responsibility

As a world-class research institution, the School depends for its success on its ability to collect and share data. To this end, members of the Mailman community maintain and access literally hundreds of data-gathering and data-storage systems. However, roles and responsibilities related to system usage, maintenance and ownership are not always clear. The School requires that each system have a designated Owner and Custodian. This advisory is designed to help you determine what role you have in protecting the School’s vital data assets, and to alert you to some resources that can help.

 

What Might My Role Be?

CUMC defines three key system roles: User, Custodian, and Owner. Each has its own responsibility for data security. For your reference, definitions of these roles and their responsibilities are excerpted below from CUMC’s Policies & Procedures Manual, EPHI1. Information Security Management Process.

User: A workforce member who accesses information using an application or system over institutional networks and computers

System Custodian (Includes System Administrator): A workforce member who operationally manages the application, systems and sub-systems deployed to store and process information

System Owner: A workforce member at a title of Director (or above) or a Faculty member or a CUMC-affiliated Physician who has the final responsibility for proper operation of an information system application

 

What Are My Responsibilities?

User Security Management Responsibilities

  • Using information and computing resources that contain information only for appropriate purposes and consistent with their approved level of access and authorization.
  • Being aware of and using approved security controls.
  • Complying with appropriate information security policies, procedures and standards.
  • Immediately reporting any information security violation to management and/or the Information Security Officer.
  • Attending appropriate information security training. Note: The School will shortly be offering online Data Security Awareness Training for all faculty and staff. Access instructions to follow.

Owner and Custodian Security Management Responsibilities:
  • Protecting the confidentiality, integrity and availability of information for which they are responsible by managing security controls associated with the respective application or system.
  • Identifying and approving the use of security procedures and controls for which they are responsible.
  • Appropriately authorizing access to the information for which they are responsible to workforce members.
  • Immediately reporting risks, security incidents and violations of policies, procedures and controls relating to the information for which they are responsible to appropriate authority.
  • Supporting investigations of security violations with respect to the information for which they are responsible.
  • Endorsing and enabling information security training and awareness for workforce members.
  • Addenda:
  1. Register systems with CUMC IT Security, noting if the system contains/will contain sensitive data. Security will assess the system, make recommendations as needed to make the system more secure, and certify it "approved" for network access.
  2. Take appropriate data security training as outlined in the School’s Data Security Curriculum section.

 

If you have questions about any of this information, or any data security topic in general, please feel free to e-mail me at es2222@columbia.edu. Thank you.