DATA STEWARDSHIP @ UVA Evolution of Data Use and Stewardship

Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship

Shirley C. Payne, CISSP, CRISCUVa Assistant VP for Information Security, Policy,

and Recordspayne@virginia.edu

July, 2012

ADMISSIONSACADEMICRECORDS

FINANCIALAID

HIRING PAYROLLACCOUN

TSPAYABLE

etc.

Limited Data Distributed ToDepartments ViaHard Copy Reports

Data Dark Ages

Centralized Stovepipe

Data Stores

ADMISSIONSACADEMICRECORDS

FINANCIALAID

HIRING PAYROLLACCOUN

TSPAYABLE

etc.

Goal: Make Data AvailableTo Widest AudiencePossible

Data Floodgates Opened In Early 90’s

INFORMATION WAREHOUSE

Administrative Data Access Policy Issued June 1994

Clarified data ownership: University is owner of all administrative data Organizational units may have stewardship

responsibilities for portions of those data

Set high level conditions of data use: Use only for University business Comply with confidentiality and privacy

policies and laws Comply with “reasonable protection and

control procedures” Present data accurately

Administrative Data Access Policy Issued June 1994 - continued

Defined roles and responsibilities for (initially): Data Stewards – data use planning/policy Data Custodians – data creators/updaters Data Users – data viewers ITC – technical underpinning

New roles and responsibilities added over time and existing ones renamed and/or updated

Last update was in 2001

Departmental Systems

ERPs

Escalating Security Threats

WebApps

New Laws &

Regulations

Increasing Public

Awareness &

Concern

Cloud Computi

ng MobileComputi

ng

Highly sensitive data requested only when essential

Highly sensitive data provided only when essential

Highly sensitive data access authorized

to least # of people

Highly sensitive data stored only in well secured

devices and file cabinets

UniversityProcesses &SupportingSystems

Data Minimization Initiative

Clear data use policies and standards exist

Responsibilities for data protection well communicated

Compliance verification processes in place

Key Supporting Policies & Standards Redefined Data

Classifications

Redefined Data Classifications

Highly Sensitive

ModeratelySensitive

Not Sensitive

- Data that enables identity theft

- Personally-identifiable medical data

EverythingIn between

Public Data such as:

- University financial statements

- Summary statistics, e.g. employees by gender

Key Supporting Policies & Standards Redefined Data

Classifications Protection and Use of

SSNs Policy

Key Supporting Policies & Standards Redefined Data

Classifications Protection and Use of

SSNs Policy Electronic Storage of

Highly Sensitive Data Policy

Key Supporting Policies & Standards Redefined Data

Classifications Protection and Use of

SSNs Policy Electronic Storage of

Highly Sensitive Data Policy

Institutional Data Protection Standards By Classification

Key Supporting Policies & Standards Redefined Data

Classifications Protection and Use of

SSNs Policy Electronic Storage of

Highly Sensitive Data Policy

Institutional Data Protection Standards By Classification

Revision of Administrative Data Access Policy

Revision of Administrative Data Access Policy Current Policy

Planned Revision

“Administrative Data Access Policy

Addresses administrative electronic data shared across departments

Roles and responsibilities do not reflect current practice; unclear how to fulfill

“Institutional Data Stewardship Policy”

Addresses all data owned by the institution wherever they are created and used and whatever the form

Roles and responsibilities are updated and clearer

Clear linkage made between data classifications and data protection standards

Data Stewardship Data Domain Roles System-Specific Roles

Institutional Data Domains

Human Resources

Data

Procurement Data

Payroll Data

Accounts Receivable

s Data

Development Data

Student Records

Data

Other Data Domains

One Data Domain : Multiple Systems

Human Resource

s Data Domain

Integrated System

Time and Leave

System

Lead@UVa System

Other Systems

Benefits System

Multiple Domains : One System

Integrated

System

Procurement Data Domain

Accounts Receivable

s Data Domain

Hunan Resources

Data Domain

Payroll Data

Domain

Other Data Domains

BudgetData

Domain

Data Domain Roles:Executive Data Stewards

Senior university officials having planning and policy-level responsibilities for a large subset of the institution’s data resource. They: Oversee the implementation of the Institutional

Data Stewardship Policy for their data domains Determine the appropriate classification of

institutional data within their domains in consultation with executive management and appropriate others

Appoint Data Stewards for their data domains

Data Domain Roles:Data Stewards

University officials having responsibility for determining purposes and functions of data within their assigned data domains. They: Work to ensure accuracy, integrity, and (as appropriate)

confidentiality of data Establish criteria for meeting the “need to know”

requirement for data access. Have final sign-off authority for users seeking to access data

for their respective data domains. May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for results.

Work to ensure users understand the data to which they have access

Data Domain Roles:Deputy Data Stewards

Authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them

System-Specific Roles Data Users –

acknowledge acceptance that they are accountable for protecting and appropriately using data to which they are given access

meet all prerequisite requirements, e.g. attend training on system use, before being granted approved access.

  Supervisors –

confirm that their employees’ job duties require system access privileges

assure system access privileges are removed when employees no longer need them.

  Data Access Approvers –

develop in-depth understanding of various responsibilities established within a given system

confirm that data access requests for a given system are completed correctly, e.g. that appropriate system responsibilities are selected for the stated purpose(s).

  Provisioners – central IT staff who implement the requested access

authorizations.

References http://its.virginia.edu/security/dataprotection

Protection & Use of SSNs Policy Electronic Storage of Highly Sensitive Data Policy Institutional Data Protection Standards

http://its.virginia.edu/policy/admindataaccess.html Administrative Data Access Policy (under revision)

http://www.its.virginia.edu/policy Additional IT Policies