Carnegie Mellon University Website Home Page
 

Information Security Roles and Responsibilities (cont.)


User

For the purpose of information security, a User is any employee, contractor or third-party Agent of the University who is authorized to access University Information Systems and/or Institutional Data. A User is responsible for the following:
a. Adhering to policies, guidelines and procedures pertaining to the protection of Institutional Data.
  The Information Security Office publishes various policies, guidelines and procedures related to the protection of Institutional Data and Information Systems.  They can be found on the Information Security Office website.  Business units and/or Data Stewards may also publish their own unique guidelines and procedures.  Information on requirements unique to your business unit or a system you have access to can be found by talking to your manager or system administrator.
b. Reporting actual or suspected vulnerabilities in the confidentiality, integrity or availability of Institutional Data to a manager or the Information Security Office.
  During the course of day-to-day operations, if a User comes across a situation where he or she feels the security of Institutional Data might be at risk, it should be reported to the Information Security Office.  For example, if a User comes across sensitive information on a website that he or she feels shouldn’t be accessible, that situation should be reported to the Information Security Office.  Additional notifications may be appropriate based on procedures unique to a business unit or defined by a Data Steward.  It may be appropriate to notify a local security point of contact that will in turn coordinate with the Information Security Office.
c. Reporting actual or suspected breaches in the confidentiality, integrity or availability of Institutional Data to the Information Security Office.
  Reporting a security breach goes hand in hand with reporting vulnerabilities.  See the Procedure for Responding to a Compromised Computer for more information on what constitutes a security breach and for what steps to take if you suspect a security breach.  Once again, it may be appropriate to notify a local security point of contact that will in turn coordinate with the Information Security Office.