Investigative Authority
CISO Investigative Access Authority Standard
Effective Date: February 1, 2020
Last Revision Date: 6/5/2026
Standard ID#: ISO-100-S1
Section 1. Purpose
Under Texas Administrative Code 202 and UT System Policy UTS 165, the CISO has enterprise authority to access systems and information necessary to perform security investigations, reviews, compliance monitoring and controls evaluation or testing. This access does not require prior approval from IT, data owners, or Legal. Denying or delaying access creates institutional risk and compliance exposure.
This Standard establishes the authority, scope, and procedures under which the Chief Information Security Officer (CISO) and authorized Information Security Office (ISO) personnel shall obtain unfettered and unobstructed access to institutional information systems, data, and resources for the purpose of:
- Information security investigations
- Incident response and containment
- Threat detection and monitoring
- Risk assessment and compliance activities
This Standard ensures that investigative access is conducted in a lawful, controlled, auditable, and risk-based manner while fulfilling Texas state and UT System requirements.
Section 2. Authority
Pursuant to:
- Texas Government Code §2054.136
- Texas Administrative Code (TAC) Chapter 202
- UT System Policy UTS 165
- UTRGV HOP ADM 09-101
The CISO:
- Has enterprise-wide authority over information security
- Is responsible for protecting the confidentiality, integrity, and availability of institutional information resources
- Must investigate, assess, and respond to information security risks and incidents
- Must determine and ensure appropriate risk controls and mitigations are in place and functioning
Therefore:
The CISO and delegated ISO personnel are authorized to access institutional systems, data, and logs without prior approval from system owners, custodians, or departments when required for security investigations, response activities, or compliance reviews.
Section 3. Scope
3.1 Systems and Data
- All UTRGV-owned or managed information systems
- Cloud services, SaaS platforms, and vendor-hosted systems
- Network infrastructure, identity systems, and endpoints
- Logs, telemetry, security monitoring systems
Institutional data, including:
- Confidential and regulated data (FERPA, HIPAA, GLBA, etc.)
- Research and administrative data
- Security and audit records
3.2 Personnel
- Chief Information Security Officer (CISO)
- Information Security Office staff (RSOC, GRC, Operations, IR, etc.)
- Authorized designees formally approved by the CISO
Section 4. Investigative Access Authority
4.1 General Authority
The CISO and authorized ISO personnel may access systems, logs, and data necessary to:
- Investigate suspected or confirmed security incidents
- Identify vulnerabilities or threats
- Validate compliance with policies and regulations
- Perform monitoring, forensic analysis, and evidence collection
- Require cooperation from IT, system owners, and custodians
4.2 No Prior Approval Requirement
Investigative access shall not require prior approval from:
- System owners
- Data owners
- IT departments
- Individual business units
4.3 Mandatory Cooperation
All institutional personnel must:
- Provide timely access to systems, logs, and information upon request by the ISO
- Not delay, obstruct, or condition access on additional approvals
4.4 Immediacy in Incident Response
During active incidents the ISO is authorized to:
- Access systems immediately
- Isolate or contain systems if necessary
- Collect data and preserve evidence
Delays due to approval workflows are not permitted.
Section 5. Limitations and Safeguards
5.1 Minimum Necessary Principle
The CISO or Designated Information Security Officer personnel will ensure that:
- Access will be limited to information relevant to the investigation or activity
- Over-collection or unnecessary exposure shall be avoided
5.2 Confidentiality and Data Protection
- All accessed data must be protected according to classification level
- All accessed data must be handled in accordance with FERPA, HIPAA, GLBA, and other regulations
- ISO personnel are subject to strict confidentiality obligations
5.3 Logging and Auditability
All investigative access activities must:
- Be logged where technically feasible
Including:
- User performing access
- Date/time
- Systems accessed
- Purpose (case, incident, or activity)
Logs shall be retained in accordance with institutional retention policies and available for audit.
5.4 Segregation of Duties
Where practicable:
- Investigative actions shall be peer-reviewed
- Investigative actions shall be documented and approved post hoc for audit defensibility
Section 6. Legal and Privacy Coordination
6.1 Internal Investigations
- Legal approval is not required for internal access by the ISO for security investigations
6.2 Involvement of Legal Counsel
Legal shall be engaged when:
- There is litigation risk
- There is law enforcement involvement
- There are regulatory reporting requirements
- Information is to be disclosed externally
6.3 Privileged Investigations
If directed by Legal:
- Investigations may be conducted under attorney-client privilege
Section 7. Ongoing and Emerging Technology Threats
7.1 Data Owners
- Maintain accountability for data governance
- Provide context and support investigation
- Shall not restrict ISO access
7.2 IT / Custodians
- Responsible for providing system-level access and technical support
- Must enable investigative activities
Section 8. Prohibited Actions
The following are strictly prohibited:
- Blocking or delaying ISO access
- Requiring Legal or management approval prior to fulfilling a request
- Blocking the creation of system-level accounts and access (the normal access processes will be observed)
- Altering or deleting data during investigation
- Retaliation against cooperating personnel
Section 9. Enforcement and Escalation
Non-compliance may result in:
- Escalation to executive leadership
- Formal policy violation
- Disciplinary action
Section 10. Review and Maintenance
- Reviewed annually
- Updated as required
Responsible UTRGV Office
Information Security Office
Contact Information
Questions or concerns should be directed to the Information Security Office by emailing is@utrgv.edu or calling 956-665-7823.