Oversight and maintenance of the Written Information Security Program is the responsibility of the VP of Information Systems & Technology, the Vice President of General Counsel and the Institute Auditor. This group will carry out responsibilities as described in Appendix A.
Business Process Owners
Senior MIT Managers ("Business Process Executives") who have the functional or organizational responsibility for process(es) involving PIRN are expected to designate one or more Business Process Owners. Business Process Owners should have awareness of the relevant regulatory and compliance issues, as well as the responsibility and authority for defining the rights of others to collect, use, or store data during the process execution. To the extent that IT systems are used as part of the process, Business Process Owners will work with System Owners (see role below) to ensure that appropriate tools and controls are in place to enforce the desired policies. Business Process Owners may further delegate specific responsibilities; however, in the event of a data incident or questions about policy, both the Business Process Executive and the Business Process Owner are accountable for the outcome.
Senior IT Managers who have responsibility for the systems supporting business process(es) involving PIRN are expected to designate one or more System Owners. System Owners should have awareness of IT parameters used to support the regulatory and compliance issues, and the technology used to implement the policies with regard to collecting, using or storing the data during the process execution. System Owners will generally take policy direction from the Business Process Owner. System Owners may delegate specific responsibilities, however, in the event of a data incident or questions about controls, the System Owner and Senior IT Manager are expected to be part of the discussions.
Department Heads and Other Managers
Department Heads and other Managers have a responsibility for ensuring that the individuals in their areas who are accessing or dealing with business processes involving PIRN are aware of the requirements for handling PIRN, and to provide them with awareness, training, and education opportunities. Department Heads and Managers are also expected to provide appropriate technical support such as software tools and fully trained IT support staff to facilitate compliance.
Individuals with Access to PIRN
Individuals with access to PIRN should be aware of this Program so that they can follow appropriate steps to protect PIRN in hard copy, electronic or other forms. Computer security is of particular importance when protecting electronic files. Individuals are encouraged to work with the System Owners or local technical support staff who can provide security solutions or recommendations. Many departments have a local IT support group or an arrangement with Information Systems and Technology (IS&T).
Data Incident Response Team (DIRT)
The Data Incident Response Team (DIRT) is notified when a possible breach of PIRN or other sensitive information is suspected. DIRT coordinates MIT's response, if any, to a possible security breach. Appendix B outlines the proper response to a possible data breach incident.
Security and Resilience
Security and Resilience is a support team within IS&T. It is the first technical team notified in the event of a suspected computer or network intrusion that may involve PIRN or other sensitive information covered by MIT policy. The team evaluates the technical specifics of each event and notifies DIRT when a breach of PIRN is suspected.