Data Stewardship @ UVa
Evolution of Data Use and Stewardship
Recent University-wide Data Stewardship Enhancements
Integrated System Data Stewardship
Shirley C. Payne, CISSP, CRISC
UVa Assistant VP for Information Security, Policy, and Records
July, 2012
Data Dark Ages
[Diagram: Centralized Stovepipe Data Stores: Admissions, Academic Records, Financial Aid, Hiring, Payroll, Accounts Payable, etc.]
Data Floodgates Opened in Early 90’s
[Diagram: Admissions, Academic Records, Financial Aid, Hiring, Payroll, Accounts Payable, etc., with Information Warehouse]
Clarified data ownership:
- University is owner of all administrative data
- Organizational units may have stewardship responsibilities for portions of those data
Set high level conditions of data use:
- Use only for University business
- Comply with confidentiality and privacy policies and laws
- Comply with “reasonable protection and control procedures”
- Present data accurately
Defined roles and responsibilities (initially) for:
- Data Stewards – data use planning/policy
- Data Custodians – data creators/updaters
- Data Users – data viewers
- ITC – technical underpinning
New roles and responsibilities added over time and existing ones renamed and/or updated
Last update was in 2001
[Diagram: Cloud Computing; Departmental Systems; Web Apps; Escalating Security Threats; Increasing Public Awareness & Concern; ERPs; Mobile Computing; New Laws & Regulations]
Data Minimization Initiative
University Processes & Supporting Systems:
- Highly sensitive data requested only when essential
- Highly sensitive data provided only when essential
- Highly sensitive data access authorized to least # of people
- Clear data use policies and standards exist
- Responsibilities for data protection well communicated
- Compliance verification processes in place
- Highly sensitive data stored only in well secured devices and file cabinets
Redefined Data Classifications
Highly Sensitive:
- Data that enables identity theft
- Personally identifiable medical data
Moderately Sensitive:
- Everything in between
Not Sensitive (public data), such as:
- University financial statements
- Summary statistics, e.g. employees by gender
- Redefined Data Classifications
- Protection and Use of SSNs Policy
- Electronic Storage of Highly Sensitive Data Policy
- Institutional Data Protection Standards By Classification
- Revision of Administrative Data Access Policy
Current Policy
“Administrative Data Access Policy”
- Addresses administrative electronic data shared across departments
- Roles and responsibilities do not reflect current practice; unclear how to fulfill
Planned Revision
“Institutional Data Stewardship Policy”
- Addresses all data owned by the institution wherever they are created and used and whatever the form
- Roles and responsibilities are updated and clearer
- Clear linkage made between data classifications and data protection standards
Data Domain Roles
System-Specific Roles
[Diagram: Human Resources Data; Student Records Data; Procurement Data; Development Data; Accounts Receivables Data; Payroll Data; Other Data Domains]
[Diagram: Human Resources Data Domain with Benefits System; Integrated System; Time and Leave System; Lead@UVa System; Other Systems]
[Diagram: Integrated System with Budget Data Domain; Procurement Data Domain; Accounts Receivables Data Domain; Payroll Data Domain; Human Resources Data Domain; Other Data Domains]
Senior university officials having planning and policy-level responsibilities for a large subset of the institution’s data resource. They:
- Oversee the implementation of the Institutional Data Stewardship Policy for their data domains
- Determine the appropriate classification of institutional data within their domains in consultation with executive management and appropriate others
- Appoint Data Stewards for their data domains
University officials having responsibility for determining purposes and functions of data within their assigned data domains. They:
- Work to ensure accuracy, integrity, and (as appropriate) confidentiality of data
- Establish criteria for meeting the “need to know” requirement for data access.
- Have final sign-off authority for users seeking to access data for their respective data domains.
- May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for results.
Work to ensure users understand the data to which they have access
Authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them
Data Users
– acknowledge acceptance that they are accountable for protecting and appropriately using data to which they are given access
– meet all prerequisite requirements, e.g. attend training on system use, before being granted approved access.
Supervisors
– confirm that their employees’ job duties require system access privileges
– assure system access privileges are removed when employees no longer need them.
Data Access Approvers
– develop in-depth understanding of various responsibilities established within a given system
– confirm that data access requests for a given system are completed correctly, e.g. that appropriate system responsibilities are selected for the stated purpose(s).
Provisioners
– central IT staff who implement the requested access authorizations.
http://its.virginia.edu/security/dataprotection
Protection & Use of SSNs Policy
Electronic Storage of Highly Sensitive Data Policy
Institutional Data Protection Standards
http://its.virginia.edu/policy/admindataaccess.html
Administrative Data Access Policy (under revision)
http://www.its.virginia.edu/policy
Additional IT Policies