5.23.3 Information Security Requirements and Controls

Responsible Position

Chief Information Officer


Minnesota State Board Policy

Minnesota State System Procedure

Minnesota Statutes Chapter 13, Minnesota Government Data Practices Act



This procedure defines the roles and responsibilities regarding information security requirements and the methods for determining the appropriate security controls to meet information security requirements.



This procedure applies to all institutional data, wherever located, regardless of media type or format (electronic, paper, or other physical form), and to all uses of that data. This procedure and associated operating instructions establish minimum requirements for classifying institutional data.

Nothing in this procedure shall be interpreted to expand, diminish, or alter academic freedom, articulated under Minnesota State board policy and collective bargaining agreements, or the terms of any charter establishing a system library as a community or public library.



For purposes of this procedure, the following definitions apply:

Data custodian: The data custodian is appointed by the data owner to assign the security classifications for institutional data and ensuring that the appropriate controls are implemented.

Data owner: An individual with authority and accountability for specified information (e.g., a specific business function) or type of institutional data. Included in this authority is the ability to grant and deny access to data or portions of institutional data under his or her authority. This individual shall assign responsibility to the appropriate data custodian(s) to ensure the protection of institutional data. The data owner is typically in a senior or high-level leadership position. There may be more than one data owner, depending on the authority and accountability for specified information (e.g., a specific business function) or type of institutional data.

Institutional data: Data collected, manipulated, stored, reported, or presented in any format, on any medium, by any unit of the college that are created, received, or maintained by the institution.

Information security controls: Technical, administrative, management, or physical methods or safeguards that, when applied, satisfy information security requirements.

Information security requirements: Information security obligations that must be met or implemented. Information security requirements are defined by, for example, federal or state law or regulation, industry regulations, state statute, Minnesota State board policy or procedures, third-party contracts, ATCC policy, or any other information security protection requirement identified by the data owner.

Information technology service provider: An internal or external entity that provides or manages an information technology system.

Information technology system (IT system): Any computer, server, software application, networking infrastructure, storage device, or medium, etc. that provides for information processing, transfer, storage, or communications.



Responsibilities for determining information security requirements

It is the responsibility of the data owner to identify information security requirements applicable to any institutional data or IT system for which they are responsible. Additionally, the data owner is responsible to ensure that any information technology service provider that provides an IT service meets applicable requirements.

Determining appropriate information security controls.

Data custodians, acting on the data owner’s behalf, shall use Minnesota State Operating Instructions Information Security Controls to determine the appropriate security controls to meet information security requirements for the IT systems and data for which they are responsible. Minnesota State Operating Instructions prescribes minimal controls needed to protect institutional data.

Application of information security controls

ATCC implements all required information security controls identified in Minnesota State Operating Instructions and any other operating instructions under this procedure for institutional data and IT systems for which they are responsible.

Operating Instructions Development Responsibilities

Data owners and authorized administrators shall develop operating instructions to implement these procedures per Minnesota State Board Policy 1A.1.

Related ATCC Documents:

Approved by: Leadership Council

Effective Date: 7/20/2022

Next Review Date: July 2025