Ownership & Roles
EDUCAUSE published a Cybersecurity Governance Toolkit in 2024: https://er.educause.edu/articles/2024/1/cybersecurity-governance-toolkit
Content pulled from Cal Frye of Case Western Reserve University from the June 2nd, 2021 final workshop.
Ownership and Roles
Some of this is new to researchers
Some researchers will be new to thinking about compliance
Compliance isn’t just about IT. Other departments have a role.
First, identify what roles will play a part in your program, and who fills those roles.
Find a sponsor
Each institution may look very different
Identify Roles
Academic and Administrative leadership should all be on board
IT or Research Computing support building compliant environments
Finance and Grants and Contracts both support the project and can apply the brakes.
Institutional Risk and Internal Audit help evaluate your progress toward the goal.
Training and Education are essential; this doesn’t come naturally to researchers
Research Administration already hosts similar processes and responsibilities
Your Institutional Review Board can be a model
Identify Ownership
Your organization does not look like mine. Adjust accordingly.
“I pay for it, I own it” can work, but may not be the best choice.
Information Security may be best equipped to take ownership, if you don’t have dedicated compliance resources.
Compliance or Risk Management may be suited for ownership.
Internal Audit could own it, but is better left to assess the results.
Research Administration may be best-received by the researchers as owners.
Assemble and Organize Your Team
Expect the makeup of your program team to change as it matures.
The implementation phase may require different offices and members than operation.
An independent program manager may be quite useful. This could be a consultant.
Once in operation, bringing larger labs into compliance may also be best treated as formal projects with designated managers to steer toward success.
Attend to communications with offices outside the team. Report often.
Considerations
Do your offices work together well enough to be successful?
Is there a champion among senior leadership to instill a sense of purpose?
Does your intended process owner have authority to make decisions?
Have you defined roles and responsibilities clearly enough?
Do your offices each take ownership of their portion of the task?
The ultimate success is when your researchers can easily obtain the grants, do the work, run their labs, and publish their results. They are responsible for compliance success. How do you best help them achieve the goal?