Automating Data Governance and Stewardship to Build Data Trust
Evolution of Data Use and Stewardship Recent University-wide Data Stewardship Enhancements...
DATA STEWARDSHIP @ UVA
- Evolution of Data Use and Stewardship
- Recent University-wide Data Stewardship Enhancements
- Integrated System Data Stewardship
Shirley C. Payne, CISSP, CRISC
UVa Assistant VP for Information Security, Policy,
July, 2012

Data Dark Ages
Centralized Stovepipe Data Stores: ADMISSIONS, ACADEMIC RECORDS, FINANCIAL AID, HIRING, PAYROLL, ACCOUNTS PAYABLE, etc.
Limited Data Distributed To Departments Via Hard Copy Reports

Data Floodgates Opened In Early 90’s
ADMISSIONS, ACADEMIC RECORDS, FINANCIAL AID, HIRING, PAYROLL, ACCOUNTS PAYABLE, etc.
INFORMATION WAREHOUSE
Goal: Make Data Available To Widest Audience Possible

Administrative Data Access Policy Issued June 1994
- Clarified data ownership:
  - University is owner of all administrative data
  - Organizational units may have stewardship responsibilities for portions of those data
- Set high level conditions of data use:
  - Use only for University business
  - Comply with confidentiality and privacy policies and laws
  - Comply with “reasonable protection and control procedures”
  - Present data accurately

Administrative Data Access Policy Issued June 1994 - continued
- Defined roles and responsibilities for (initially):
  - Data Stewards – data use planning/policy
  - Data Custodians – data creators/updaters
  - Data Users – data viewers
  - ITC – technical underpinning
- New roles and responsibilities added over time and existing ones renamed and/or updated
- Last update was in 2001

- Departmental Systems
- ERPs
- Web Apps
- Cloud Computing
- Mobile Computing
- Escalating Security Threats
- New Laws & Regulations
- Increasing Public Awareness & Concern

Data Minimization Initiative
University Processes & Supporting Systems
- Highly sensitive data requested only when essential
- Highly sensitive data provided only when essential
- Highly sensitive data access authorized to least # of people
- Highly sensitive data stored only in well secured devices and file cabinets
- Clear data use policies and standards exist
- Responsibilities for data protection well communicated
- Compliance verification processes in place

Key Supporting Policies & Standards
- Redefined Data Classifications

Redefined Data Classifications
- Highly Sensitive:
  - Data that enables identity theft
  - Personally-identifiable medical data
- Moderately Sensitive: Everything in between
- Not Sensitive: Public Data such as:
  - University financial statements
  - Summary statistics, e.g. employees by gender

Key Supporting Policies & Standards
- Redefined Data Classifications
- Protection and Use of SSNs Policy
- Electronic Storage of Highly Sensitive Data Policy
- Institutional Data Protection Standards By Classification
- Revision of Administrative Data Access Policy

Revision of Administrative Data Access Policy
Current Policy: “Administrative Data Access Policy”
- Addresses administrative electronic data shared across departments
- Roles and responsibilities do not reflect current practice; unclear how to fulfill
Planned Revision: “Institutional Data Stewardship Policy”
- Addresses all data owned by the institution wherever they are created and used and whatever the form
- Roles and responsibilities are updated and clearer
- Clear linkage made between data classifications and data protection standards

Data Stewardship
- Data Domain Roles
- System-Specific Roles

Institutional Data Domains
- Human Resources Data
- Procurement Data
- Payroll Data
- Accounts Receivables Data
- Development Data
- Student Records Data
- Other Data Domains

One Data Domain : Multiple Systems
Human Resources Data Domain
- Integrated System
- Time and Leave System
- Lead@UVa System
- Benefits System
- Other Systems

Multiple Domains : One System
Integrated System
- Procurement Data Domain
- Accounts Receivables Data Domain
- Human Resources Data Domain
- Payroll Data Domain
- Budget Data Domain
- Other Data Domains

Data Domain Roles: Executive Data Stewards
Senior university officials having planning and policy-level responsibilities for a large subset of the institution’s data resource. They:
- Oversee the implementation of the Institutional Data Stewardship Policy for their data domains
- Determine the appropriate classification of institutional data within their domains in consultation with executive management and appropriate others
- Appoint Data Stewards for their data domains

Data Domain Roles: Data Stewards
University officials having responsibility for determining purposes and functions of data within their assigned data domains. They:
- Work to ensure accuracy, integrity, and (as appropriate) confidentiality of data
- Establish criteria for meeting the “need to know” requirement for data access.
- Have final sign-off authority for users seeking to access data for their respective data domains. May delegate final sign-off authority to Deputy Data Stewards they appoint, but retain accountability for results.
- Work to ensure users understand the data to which they have access

Data Domain Roles: Deputy Data Stewards
- Authorize or reject access requests based upon approval criteria established by the Data Stewards who appoint them

System-Specific Roles
- Data Users –
  - acknowledge acceptance that they are accountable for protecting and appropriately using data to which they are given access
  - meet all prerequisite requirements, e.g. attend training on system use, before being granted approved access.
- Supervisors –
  - confirm that their employees’ job duties require system access privileges
  - assure system access privileges are removed when employees no longer need them.
- Data Access Approvers –
  - develop in-depth understanding of various responsibilities established within a given system
  - confirm that data access requests for a given system are completed correctly, e.g. that appropriate system responsibilities are selected for the stated purpose(s).
- Provisioners – central IT staff who implement the requested access authorizations.

References
- http://its.virginia.edu/security/dataprotection
  - Protection & Use of SSNs Policy
  - Electronic Storage of Highly Sensitive Data Policy
  - Institutional Data Protection Standards
- http://its.virginia.edu/policy/admindataaccess.html
  - Administrative Data Access Policy (under revision)
- http://www.its.virginia.edu/policy
  - Additional IT Policies