Data Stewardship @ uva

Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship. Data Stewardship @ uva. Shirley C. Payne, CISSP, CRISC UVa Assistant VP for Information Security, Policy, and Records payne@virginia.edu July, 2012.

Data Stewardship @ uva
  • Evolution of Data Use and Stewardship
  • Recent University-wide Data Stewardship Enhancements
  • Integrated System Data Stewardship

Shirley C. Payne, CISSP, CRISC
UVa Assistant VP for Information Security, Policy, and Records
payne@virginia.edu
July, 2012

Data Dark Ages
  • Admissions, Academic Records, Financial Aid, Hiring, Payroll, Accounts Payable, etc.
  • Centralized Stovepipe Data Stores
  • Limited Data Distributed To Departments Via Hard Copy Reports

Data Floodgates Opened In Early 90’s
  • Admissions, Academic Records, Financial Aid, Hiring, Payroll, Accounts Payable, etc.
  • Information Warehouse
  • Goal: Make Data Available To Widest Audience Possible

Administrative Data Access Policy Issued June 1994
  • Clarified data ownership:
    • University is owner of all administrative data
    • Organizational units may have stewardship responsibilities for portions of those data
  • Set high level conditions of data use:
    • Use only for University business
    • Comply with confidentiality and privacy policies and laws
    • Comply with “reasonable protection and control procedures”
    • Present data accurately
Administrative Data Access Policy Issued June 1994 - continued
  • Defined roles and responsibilities for (initially):
    • Data Stewards – data use planning/policy
    • Data Custodians – data creators/updaters
    • Data Users – data viewers
    • ITC – technical underpinning
  • New roles and responsibilities added over time and existing ones renamed and/or updated
  • Last update was in 2001

  • Departmental Systems
  • ERPs
  • Cloud Computing
  • Escalating Security Threats
  • Mobile Computing
  • Web Apps
  • New Laws & Regulations
  • Increasing Public Awareness & Concern

Data Minimization Initiative
University Processes & Supporting Systems
  • Highly sensitive data requested only when essential
  • Highly sensitive data provided only when essential
  • Highly sensitive data access authorized to least # of people
  • Clear data use policies and standards exist
  • Highly sensitive data stored only in well secured devices and file cabinets
  • Responsibilities for data protection well communicated
  • Compliance verification processes in place

Key Supporting Policies & Standards
  • Redefined Data Classifications
Redefined Data Classifications
  • Highly Sensitive
    • Data that enables identity theft
    • Personally-identifiable medical data
  • Moderately Sensitive
    • Everything in between
  • Not Sensitive
    • Public data such as:
      • University financial statements
      • Summary statistics, e.g. employees by gender
Key Supporting Policies & Standards
  • Redefined Data Classifications
  • Protection and Use of SSNs Policy
  • Electronic Storage of Highly Sensitive Data Policy
  • Institutional Data Protection Standards By Classification
  • Revision of Administrative Data Access Policy
Revision of Administrative Data Access Policy
  • Current Policy: “Administrative Data Access Policy”
    • Addresses administrative electronic data shared across departments
    • Roles and responsibilities do not reflect current practice; unclear how to fulfill
  • Planned Revision: “Institutional Data Stewardship Policy”
    • Addresses all data owned by the institution wherever they are created and used and whatever the form
    • Roles and responsibilities are updated and clearer
    • Clear linkage made between data classifications and data protection standards
Data Stewardship
  • Data Domain Roles
  • System-Specific Roles
Data Domain Roles: Executive Data Stewards
  • Senior university officials having planning and policy-level responsibilities for a large subset of the institution’s data resource. They:
    • Oversee the implementation of the Institutional Data Stewardship Policy for their data domains
    • Determine the appropriate classification of institutional data within their domains in consultation with executive management and appropriate others
    • Appoint Data Stewards for their data domains
Data Domain Roles: Data Stewards
  • University officials having responsibility for determining purposes and functions of data within their assigned data domains. They:
    • Work to ensure accuracy, integrity, and (as appropriate) confidentiality of data
    • Establish criteria for meeting the “need to know” requirement for data access.
    • Have final sign-off authority for users seeking to access data for their respective data domains. May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for results.
    • Work to ensure users understand the data to which they have access
Data Domain Roles: Deputy Data Stewards
  • Authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them
System-Specific Roles
  • Data Users –
    • acknowledge acceptance that they are accountable for protecting and appropriately using data to which they are given access
    • meet all prerequisite requirements, e.g. attend training on system use, before being granted approved access.
  • Supervisors –
    • confirm that their employees’ job duties require system access privileges
    • assure system access privileges are removed when employees no longer need them.
  • Data Access Approvers –
    • develop in-depth understanding of various responsibilities established within a given system
    • confirm that data access requests for a given system are completed correctly, e.g. that appropriate system responsibilities are selected for the stated purpose(s).
  • Provisioners – central IT staff who implement the requested access authorizations.
References
  • http://its.virginia.edu/security/dataprotection
    • Protection & Use of SSNs Policy
    • Electronic Storage of Highly Sensitive Data Policy
    • Institutional Data Protection Standards
  • http://its.virginia.edu/policy/admindataaccess.html
    • Administrative Data Access Policy (under revision)
  • http://www.its.virginia.edu/policy
    • Additional IT Policies