Presentation is loading. Please wait.

Presentation is loading. Please wait.

Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,

Published byKobe Alderson Modified over 10 years ago

Similar presentations

Presentation on theme: "Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,"— Presentation transcript:

1 Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP, CRISC UVa Assistant VP for Information Security, Policy, and Records payne@virginia.edu July, 2012

2 etc. Data Dark Ages Centralized Stovepipe Data Stores

3 etc. Data Floodgates Opened In Early 90s I NFORMATION W AREHOUSE

4 Clarified data ownership: University is owner of all administrative data Organizational units may have stewardship responsibilities for portions of those data Set high level conditions of data use: Use only for University business Comply with confidentiality and privacy policies and laws Comply with reasonable protection and control procedures Present data accurately

5 Defined roles and responsibilities for (initially) : Data Stewards – data use planning/policy Data Custodians – data creators/updaters Data Users – data viewers ITC – technical underpinning New roles and responsibilities added over time and existing ones renamed and/or updated Last update was in 2001

6 Departmental Systems ERPs Escalating Security Threats Web Apps New Laws & Regulations Increasing Public Awareness & Concern Cloud Computing Mobile Computing

7 Highly sensitive data requested only when essential Highly sensitive data provided only when essential Highly sensitive data access authorized to least # of people Highly sensitive data stored only in well secured devices and file cabinets University Processes & Supporting Systems Data Minimization Initiative Clear data use policies and standards exist Responsibilities for data protection well communicated Compliance verification processes in place

8 Redefined Data Classifications

9 Highly Sensitive Moderately Sensitive Not Sensitive - Data that enables identity theft - Personally- identifiable medical data Everything In between Public Data such as: - University financial statements - Summary statistics, e.g. employees by gender

10 Redefined Data Classifications Protection and Use of SSNs Policy

11 Redefined Data Classifications Protection and Use of SSNs Policy Electronic Storage of Highly Sensitive Data Policy

12 Redefined Data Classifications Protection and Use of SSNs Policy Electronic Storage of Highly Sensitive Data Policy Institutional Data Protection Standards By Classification

13 Redefined Data Classifications Protection and Use of SSNs Policy Electronic Storage of Highly Sensitive Data Policy Institutional Data Protection Standards By Classification Revision of Administrative Data Access Policy

14 Current Policy Planned Revision Administrative Data Access Policy Addresses administrative electronic data shared across departments Roles and responsibilities do not reflect current practice; unclear how to fulfill Institutional Data Stewardship Policy Addresses all data owned by the institution wherever they are created and used and whatever the form Roles and responsibilities are updated and clearer Clear linkage made between data classifications and data protection standards

15 Data Domain Roles System-Specific Roles

16 Human Resources Data Procurement Data Payroll Data Accounts Receivables Data Development Data Student Records Data Other Data Domains

17 Human Resources Data Domain Integrated System Time and Leave System Lead@UVa System Other Systems Benefits System

18 Integrated System Procurement Data Domain Accounts Receivables Data Domain Hunan Resources Data Domain Payroll Data Domain Other Data Domains Budget Data Domain

19 Senior university officials having planning and policy-level responsibilities for a large subset of the institutions data resource. They: Oversee the implementation of the Institutional Data Stewardship Policy for their data domains Determine the appropriate classification of institutional data within their domains in consultation with executive management and appropriate others Appoint Data Stewards for their data domains

20 University officials having responsibility for determining purposes and functions of data within their assigned data domains. They: Work to ensure accuracy, integrity, and (as appropriate) confidentiality of data Establish criteria for meeting the need to know requirement for data access. Have final sign-off authority for users seeking to access data for their respective data domains. May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for results. Work to ensure users understand the data to which they have access

21 Authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them

22 Data Users – acknowledge acceptance that they are accountable for protecting and appropriately using data to which they are given access meet all prerequisite requirements, e.g. attend training on system use, before being granted approved access. Supervisors – confirm that their employees job duties require system access privileges assure system access privileges are removed when employees no longer need them. Data Access Approvers – develop in-depth understanding of various responsibilities established within a given system confirm that data access requests for a given system are completed correctly, e.g. that appropriate system responsibilities are selected for the stated purpose(s). Provisioners – central IT staff who implement the requested access authorizations.

23 http://its.virginia.edu/security/dataprotection Protection & Use of SSNs Policy Electronic Storage of Highly Sensitive Data Policy Institutional Data Protection Standards http://its.virginia.edu/policy/admindataaccess.html Administrative Data Access Policy (under revision) http://www.its.virginia.edu/policy Additional IT Policies

Download ppt "Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements Integrated System Data Stewardship Shirley C. Payne, CISSP,"

Similar presentations

Introduction to Records Management Policy

Introduction to Records Management Policy
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
SL21 Information Security Board Mission, Goals and Guiding Principles.

SL21 Information Security Board Mission, Goals and Guiding Principles.
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Use of Working Titles Broad unit authority with periodic central HR/unit review Used in directories, verification of work and business cards Working Title.

Use of Working Titles Broad unit authority with periodic central HR/unit review Used in directories, verification of work and business cards Working Title.
Supportive Services for Veteran Families (SSVF) Data Bigger Picture Updated 5/22/14.

Supportive Services for Veteran Families (SSVF) Data Bigger Picture Updated 5/22/14.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google