IT-05: Data Access Review Policy

Summary

This policy outlines responsibilities of information owners, information custodians, and information security officers for standards, integrity and security of SHSU operational data.

Body

PURPOSE

The Sam Houston State University (SHSU) Guidelines for Data Standards, Data Integrity and Security document designates authority and responsibility for the ownership of the University enterprise operational data. Commensurate with these designated roles, the specified Information Owners and Information Custodians are designated the responsibility of ensuring that the security of information is maintained by establishing controls to confirm compliance with official procedures and policies.

SCOPE

The SHSU Data Access Review policy applies equally to all Information Owners and Information Custodians. 

POLICY STATEMENT

Information Owners and Information Custodians must: 

  1. No less than annually, document a complete review of parties having access to data under their authority.
  2. Ensure data access reviews are performed periodically, as deemed necessary by the Information Owner, relative to the risk of the data accessed.
  3. Ensure any staffing changes are reflected in access authorizations as necessary, in a timely manner.
  4. Ensure data access requests are reviewed and granted or denied as appropriate based on essential University documented need, in a timely manner.
  5. Ensure controls are established as required, or deemed necessary by the Information Owner, to ensure information security is maintained.
  6. Maintain documentation of compliance with this policy.

The SHSU Information Security Officer (ISO) is designated the authority for oversight of this policy.

The ISO will: 

  1. Perform periodic reviews to ensure compliance with this policy.  
  2. Notify the Information Resources Manager (IRM) of identified concerns and risks. 

REFERENCE

There are many individual laws, regulations, and policies that establish our information security requirements. While it is not possible to list all potentially applicable laws and regulations, the most relevant are listed in the Texas State University System (TSUS) Rules and Regulations, Rule III Paragraph 19 and associated TSUS IT Policies.

Version: 1.02
Approved By: President’s Cabinet, April 11, 2023 
Reviewed By: Heather Thielemann, Information Resources Manager, April, 2023 
Next Review: April, 2024 

Details

Article ID: 20082
Created: Wed 1/29/25 4:34 PM
Modified: Wed 1/29/25 4:39 PM