New Data Access Model – Briefing for Internal Audit Personnel

Presentation transcript:

New Data Access Model – Briefing for Internal Audit Personnel
12/15/2008
Pat Burns, VP for IT
Thom Hadley, Dir. of Fin. & Strategic Srvcs, CVMBS
Don Hesser, Director of IS
Ken Johnston, Assoc. Director of IS

Business Intelligence
Analyzing pertinent data in an appropriate format, to inform decisions that result in improved business management
A strategic imperative that must be balanced against privacy and IT security concerns
  ◦ A ‘hot’ topic at the spring 2008 strategic planning meeting

Data Access - Distinction
Official System of Record reporting – Institutional Research and Systems of Record functional units
  ◦ Maintain ‘business as usual’
Business Intelligence – individuals in units throughout the University
  ◦ This is the focus of today’s discussion

Current Data Access Model
Apply for access, using a hardcopy form
  ◦ Approval of department head
  ◦ 4 central signatures required, usually with very little direct knowledge of need
    ▪ SIS, HR, ACNS (eID), and IS (implementation)
    ▪ Currently, there are in excess of 1,600 individuals who have access to massive amounts of central data
After access is authorized, typically
  ◦ Large data sets are downloaded to local storage and manipulated thereafter

Current Data Access Model
We manage access to our data
  ◦ Need is generally not questioned during the application process
  ◦ Annual review of access privileges is conducted by department heads
We do not do a good job of managing users’ behaviors associated with data access
  ◦ A significant vulnerability

Proposal for a New, Managed, Decentralized Model for Data Access
Institute a new, improved, ‘managed decentralized’ model for
  ◦ Granting access to University data and
  ◦ Managing users who have access to University data

Elements of the New Model
Centralized data repositories/services
  ◦ eThority
  ◦ ODS
System of Record Data Stewards (DSs)
  ◦ Define data access privileges
Data Access Managers (DAMs)
  ◦ One per VP/Dean (more if specifically needed)
Data Users (DUs)
Coordinated by the VP for IT

System of Record Data Stewards
For each System of Record, Data Stewards (or designates) will define data elements and scope:
  ◦ Default data – access can be granted to data users by Data Access Managers (DAMs)
  ◦ Protected data – DAM must petition DS for access by Data User (DU)
  ◦ Private data – data not to be shared, e.g. SSNs, CCNs, etc.

Data Access Managers
Understand need for data access
  ◦ Brief Data User on proper behaviors
  ◦ Obtain signature on data access application
Approve access to default data
Petition for access to protected data
Coordinate training and communications
Recognize and communicate changes in roles that would trigger a reevaluation of access privileges
Refer inappropriate behavior to department head, Data Steward, and VP for IT

A Specific Example
College Business Officer (CBO) is trained and trusted
  ◦ CBO has access to all college data
CBO grants default, partitioned access to department level analysts
  ◦ Department-level analysts authorized to view only their unit’s data
  ◦ Department-level analysts who desire access to ‘protected’ data must be authorized by CBO and then system’s Data Steward

Data Feeds - Examples
[Diagram labels: Financial, HR, Research, Foundation, Purchasing, SIS; Oracle or SQL – Data Mart; eThority or ODS Data; Database & Database Server; eThority or Oracle Discoverer Web Access; Internet; Data Users]
Data can be partitioned at any level of granularity
Authorization can be distributed at any level of granularity

ETHORITY
- FRAMEWORK
- BETA TRIAL
- STEADY-STATE MODEL

Current Data Feeds to the eThority Data Mart
Financial Information
  ◦ Financial Transactions (2003 – Present)
  ◦ Financial Summary by Account (1992 – Present)
  ◦ Foundation Summary by Account
Human Resources
  ◦ Employee Demographics Data
  ◦ Employee Restricted Data (Salary, DOB, Gender, etc)
Research
  ◦ Pre-Proposal Grant Information
  ◦ Proposal Grant Information
  ◦ Funded/Approved Grants
Purchasing
  ◦ Vendor Information
  ◦ SciQuest Invoice Header Information
  ◦ SciQuest Invoice Detail Information
Student/Class
  ◦ Course Catalog
  ◦ Class Demographics (Enrollment, Instructor, etc)
Clinical
  ◦ Procedures (1992 – Present)
  ◦ Invoice Information (Payments, Credits, Transfers, etc)
  ◦ Inventory (Pharmacy and Central Supply)

Proposed Beta Trial for eThority
The College of Veterinary Medicine and Biomedical Sciences will host the system on CVMBS servers (security approved by ACNS)
Access to data will be authorized by the data custodians for each individual participating in the beta test
Training and support will be provided by the College of Veterinary Medicine and Biomedical Sciences
The beta test will be conducted for at least six months

Steady-state Model for eThority
Servers will be in secure, main data facility, behind the administrative systems’ firewall
ACNS/IS will operate and manage
  ◦ The firewall, hardware, OS & DB
  ◦ Data feeds, in cooperation with CVMBS
CVMBS will operate and manage
  ◦ Data feeds, in cooperation with IS
  ◦ The application
  ◦ Training users
  ◦ Supporting users

Current Approach
Parallel projects
  ◦ eThority beta trial
  ◦ Oracle Discoverer access to IS’ central data warehouse
We feel both will be beneficial to the institution, and we need to gain additional experience with both approaches to determine a model for user access to each system

IA Feedback Solicited
We seek IA’s approval for the concept of the new data access model
  ◦ We request IA’s participation as we ‘flesh out’ additional details
    ▪ Policies, procedures and operations
Any concerns with the Current Approach?
  ◦ eThority beta trial
  ◦ Oracle Discoverer access to central data