Compliance
Tracking, Measuring, and Reporting
ISO must initiate mechanisms for tracking compliance with this policy and must produce reports representing these measures to support University decision making.
Recourse for Noncompliance
ISO is authorized to limit network access for individuals or Units not in compliance with this policy, the University Privacy Statement, or any supplemental provisions. In cases where University resources are actively threatened, the CISO should act in the best interest of the University by securing the resources in a manner consistent with the Information Security Incident Response Plan. In an urgent situation requiring immediate action, the CISO is authorized to disconnect affected individuals or Units from the network. In cases of noncompliance with this policy, the University may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative, academic, and employment policies.
In cases where employees, DCCs, or other University-Related Persons violate this policy, the University Privacy Statement, or any supplemental provisions, the University may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative, academic, and employment policies.
Exceptions
Any requests for exceptions must be submitted to the CISO for review and approval pursuant to the exception procedures published by ISO (or other unit subsequently designated by the Senior Vice President for Academic Affairs and Provost).
Frequency of Policy Review
The CISO must review this policy and the University Privacy Statement annually, at minimum. This policy is subject to revision based upon findings of these reviews.
Responsibilities
University-Related Persons
All University-Related Persons who collect, process, maintain, or transfer personal data or information collected or maintained by or on behalf of the University are responsible for being familiar with, and treating all such information and data in compliance with, the University Privacy Statement and any related Unit Privacy Notices that may apply.
University Compliance Personnel
Compliance personnel with designated responsibility for interpreting the University Privacy Statement (e.g., the HIPAA Privacy Office, the University Registrar, the CISO, the ISO, and the University Compliance Office) are authorized to make determinations regarding violations of this policy. Information regarding designated compliance personnel and reporting avenues is available at privacy.arizona.edu.
Information Security Office
ISO (or other unit subsequently designated by the Senior Vice President for Academic Affairs and Provost) must:
- publish and update the University Privacy Statement, in consultation with relevant University stakeholders; and
- delegate individual responsibilities and authorities specified in this policy or associated standards and procedures, as necessary.
Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers
All Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers must take appropriate actions to comply with information technology and security policies, including the University Privacy Statement and any Unit Privacy Notices. These individuals have ultimate responsibility for University resources, for the support and implementation of this policy and related privacy practices within their respective units, and, when requested, for reporting on policy compliance to ISO. While specific responsibilities and authorities noted herein may be delegated, this overall responsibility may not be delegated.