About Information Security
Our Mission
The mission of the Information Security Function is to ensure a secure computing environment to support the Institution’s research, patient care, teaching, and public service missions. Consultation, coordination and support services include:
- Provide leadership for compliance with UT Health San Antonio, UT System, and the State of Texas information security related policies and procedures, as well as external (Federal, State and Local) regulatory mandates.
- Establish and maintain an information security program.
- Proactively perform security investigations, analysis, and monitoring.
- Support policy and procedure development and recommend technology solutions, while minimizing any negative impact on university missions.
- Maintain a compilation of information protection resources in support of continuous information security awareness, education and training.
Our Function
Information security policy is set forth in the Handbook of Operating Procedures (HOP), Chapter 2.2.2 – Information Security. The President is responsible for the protection of resources and delegates the Information Security Function of that responsibility to the Manager of Information Security. The President has identified the following:
- Risks to information resources must be managed. The expense of security safeguards must be commensurate with the value of the assets being protected.
- The integrity of data, its source, its destination, and processes applied to it must be assured. Changes to data must be made only in authorized and acceptable ways.
- Information resources must be available when needed. Continuity of information resources supporting critical governmental services must be ensured in the event of a disaster or business disruption.
- Security requirements shall be identified, documented and addressed in all phases of development or acquisition of information resources.
Our Mandates
State of Texas:
The Texas Administrative Code, Chapter 202.71, Responsibilities of Information Security Officer, paragraph (a) stated below, provides the mandate of the University’s Chief Information Security Officer (CISO).
(a) Each institution of higher education shall have a designated Information Security Officer (ISO), and shall provide that its Information Security Officer:
(1) reports to executive level management;
(2) has authority for information security for the entire institution;
(3) possesses training and experience required to administer the functions described under this chapter; and
(4) whenever possible, has information security duties as that official’s primary duty.
(b) The Information Security Officer shall be responsible for:
(1) developing and maintaining an institution-wide information security plan as required by §2054.133, Texas Government Code;
(2) developing and maintaining information security policies and procedures that address the requirements of this chapter and the institution’s information security risks;
(3) working with the business and technical resources to ensure that controls are utilized to address all applicable requirements of this chapter and the institution’s information security risks;
(4) providing for training and direction of personnel with significant responsibilities for information security with respect to such responsibilities;
(5) providing guidance and assistance to senior institution of higher education officials, information owners, information custodians, and end users concerning their responsibilities under this chapter;
(6) ensuring that annual information security risk assessments are performed and documented by information-owners;
(7) reviewing the institution’s inventory of information systems and related ownership and responsibilities;
(8) developing and recommending policies and establishing procedures and practices, in cooperation with the institution Information Resources Manager, information-owners and custodians, necessary to ensure the security of information and information resources against unauthorized or accidental modification, destruction, or disclosure;
(9) coordinating the review of the data security requirements, specifications, and, if applicable, third-party risk assessment of any new computer applications or services that receive, maintain, and/or share confidential data;
(10) verifying that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any new high impact computer applications or computer applications that receive, maintain, and/or share confidential data;
(11) reporting, at least annually, to the state institution of higher education head the status and effectiveness of security controls; and
(12) informing the parties in the event of noncompliance with this chapter and/or with the institution’s information security policies.
(c) The Information Security Officer, with the approval of the state institution of higher education head, may issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
University of Texas System
University of Texas System Policy 165 (Information Resources Use and Security Policy), Standard 1 (Information Resources Use and Security Policy) implements the State of Texas requirement in section 1.7 (Institutional Information Security Officer (Institutional ISO)). This position is filled as the Chief Information Security Officer (CISO).
Our Charter
In accordance with UT Health San Antonio’s Policy, HOP 2.2.2, the President mandates that the Information Security Function establish an organization, processes, and procedures to:
- Manage the defined risk to UT Health San Antonio’s information resources by implementing security safeguards commensurate with the value of the assets being protected.
- Protect the integrity of data, its source, its destination, and processes applied to it by assuring that changes to data are made only in authorized and acceptable ways.
- Ensure the availability and continuity of information resources supporting critical governmental services in the event of a disaster or business disruption.
- Identify, document and address security requirements in all phases of development or acquisition of information resources.
- Implement information security measures to protect information assets against:
  - Accidental or unauthorized access
  - Disclosure
  - Modification or destruction
- Implement measures to assure UT Health San Antonio’s information:
  - Confidentiality
  - Integrity
  - Availability
  - Utility
  - Authenticity
Who We Are
| Team | Name | Email | Phone |
|---|---|---|---|
| Chief Information Security Officer (CISO) | Michael Schnabel | Schnabel@uthscsa.edu | 210-567-0652 |
| Infrastructure Security & Engineering | Jay Villarreal | VillarrealJM@uthscsa.edu | 210-450-4150 |
| | Stephen Hargrove | HargroveS@uthscsa.edu | 210-567-2456 |
| | Randy Todd | ToddR@uthscsa.edu | 210-567-0642 |
| | Julian Martinez | MartinezJ32@uthscsa.edu | 210-450-0222 |
| | Andrew Moreno | MorenoMA@uthscsa.edu | 210-562-5607 |
| | Dan Vidales | VidalesD@uthscsa.edu | 210-562-6895 |
| Governance, Risk, and Compliance | Mike Runnels | RunnelsM@uthscsa.edu | 210-567-2094 |
| | Angelife Pardo | PardoA@uthscsa.edu | 210-562-6829 |