(a) The institution of higher education head or his or her designated representative(s) shall review and approve information ownership and associated responsibilities to include personnel, equipment, or information technology hardware and software.

(b) Institutions of higher education are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the appropriate controls for each.

(c) Information owners, custodians, and users of information resources shall be identified, and their responsibilities defined and documented by the institution of higher education. In cases where information resources are used by more than one major business function, the owners shall reach consensus and advise the information security officer as to the designated owner with responsibility for the information resources. The following distinctions among owner, custodian, and user responsibilities should guide determination of these roles:

(1) Information Owner Responsibilities. The owner or his or her designated representative(s) are responsible for and authorized to:

(A) Approve access and formally assign custody of an information resources asset.

(B) Determine the asset's value.

(C) Specify data control requirements and convey them to users and custodians.

(D) Specify appropriate controls, based on a risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the institution of higher education.

(E) Confirm that controls are in place to ensure the confidentiality, integrity, and availability of data and other assigned information resources.

(F) Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.

(G) Review access lists based on documented security risk management decisions.

(H) Approve, justify, document, and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the information security officer or other person(s) designated by the state institution of higher education head.

(I) The information owner, with the concurrence of the institution of higher education head or his or her designated representative(s), is responsible for classifying business functional information.

(2) Custodian responsibilities. Custodians of information resources, including third party entities providing outsourced information resources services to state institutions of higher education shall:

(A) Implement the controls specified by the information owner(s);

(B) Provide physical, technical, and procedural safeguards for the information resources;

(C) Assist information owners in evaluating the cost-effectiveness of controls and monitoring; and

(D) Implement monitoring techniques and procedures for detecting, reporting, and investigating incidents.

(3) User responsibilities. Users of information resources shall use the resources only for defined purposes and comply with established controls.

(d) The Information Security Officer. Each institution of higher education head or his or her designated representative(s) shall designate an information security officer to administer the institution of higher education information security program. The Information Security Officer shall report to executive management.

(1) It shall be the duty and responsibility of this individual to develop and recommend policies and establish procedures and practices, in cooperation with information owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction, or disclosure.

(2) The Information Security Officer shall document and maintain an up-to-date information security program. The information security program shall be approved by the institution of higher education head or his or her designated representative(s).

(3) The Information Security Officer is responsible for monitoring the effectiveness of defined controls for mission critical information.

(4) The Information Security Officer shall report, at least annually, to the institution of higher education head or his or her designated representative(s) the status and effectiveness of information resources security controls.

(5) The Information Security Officer with the approval of the institution of higher education head or his or her designated representative may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented, and communicated as part of the risk assessment process.

(e) A review of the institution of higher education's information security program for compliance with these standards will be performed at least biennially, based on business risk management decisions, by individual(s) independent of the information security program and designated by the institution of higher education head or his or her designated representative(s).