Appendix B of the University of Virginia Administrative Data Access Policy

[Nov 23, 2009 14:09] Web access to Microsoft Live@edu accounts now works.

Table of Contents

Roles and Responsibilities Related to University Administrative Data

Roles at a Glance
Role Highlight of Responsibilities
Data stewards Senior University officials, or their department head level designate(s), with planning and policy-level responsibility and accountability for data, including creation and maintenance, within their appropriate data domains. They determine who may create, maintain, and use data in the domain area(s) for which they are responsible, and they are responsible for ensuring the quality of data entered.
Data security contacts Carry out the data domain policies set by the data stewards, as well as the University's overall administrative data security policies; play major approval role in data access authorization processes.
Data users View, copy or download data, but do not enter, modify or delete it.
Data processors Enter, modify, or delete data.
System sponsors Negotiate priorities and enhancements to the systems and lead change management processes in accord with the documented strategic goals for particular systems; responsible for ensuring that the system for which they serve as sponsor is operable and available to all authorized users on an established schedule.
Information Technology & Communications and Health System Computing Services

These central offices set strategic direction, develop overall policies, coordinate, and provide services supporting University-wide data administration activities. Roles include:

  • Chief information officers - Set policies, procedures, and guidelines for University-wide data administrative activities; establish security standards for administrative data, in order to promote and protect the University's interests in it.
  • Agency information security officers - Coordinate agencies overall IT security programs and ensure compliance with relevant Commonwealth security policies, standards and guidelines.
  • Data administrators - Develop and apply standards for the management of institutional data and for ensuring that data are accessible to those who need it. They work closely with the data stewards on formulation of domain data policies, standards, and procedures.
  • Data security administrators - Administer the data authorization process for enterprise-wide administrative data
DETAILED DESCRIPTIONS
Data stewards are senior University officials, or their department head level designate(s), who have planning and policy-level responsibility and accountability for data, including creation and maintenance, within their appropriate data domains (a list of data stewards and their data domains is under development and will be linked here when available). Specific responsibilities include:
  1. Assigning each item of administrative data to one of three categories: general administrative, legally restricted, or limited-access (see Appendix A).
  2. Defining the criteria for archiving the data to satisfy mandated and business-driven retention requirements, with advice from system sponsors on the balance of cost effectiveness and reasonableness.
  3. Determining the business needs for security for their data and monitoring and reviewing security implementation and authorized access, in consultation with the appropriate (Agency 207 or 209) information security officer and system sponsor.
  4. Establishing procedures for initial definition and change of data elements within their data domains.
  5. Providing data descriptions for directories that will let data users know what shareable data are available, what the data mean, and how to access the data stored within the repositories for which they are responsible. Data definitions will be: based on actual usage, made according to University standards, modified only through approved procedures, and reviewed on a timely basis and kept current.
  6. Developing policy to promote the accurate interpretation, responsible use and protection of administrative data in their domains.
  7. Specifying data viewing, copying or downloading procedures that are unique to a specific data repository or set of data elements. These procedures will ease "read-only" access, will preserve data quality and will minimize security risk.
  8. Ensuring the rules and conditions that could affect the accurate presentation of data are well known by data users and processors and supporting users/processors in the use and interpretation of administrative data, primarily through documentation, training, and problem resolution.
  9. Ensuring data quality by:
    1. Determining the most reliable sources of data and regularly evaluating the quality of the data.
    2. Assigning and overseeing data entry, data capture and maintenance to ensure data quality.
    3. Identifying gaps and redundancies in the data and, to the extent possible, ensuring that only needed versions of each data element exist.
    4. Specifying data control and protection requirements to be observed by data processors and users.
    5. Informing the system sponsor of any new data needs, gaps in quality, and/or removal of data redundancies or obsolete data.
    6. Generally monitoring the data for accuracy, integrity, and dependability, and where appropriate, initiating action concerning these issues.
Data security contacts carry out the data domain policies set by the data stewards, as well as the University's overall administrative data security policies. (a list of data security contacts is under development and will be linked here when available) Data security contacts are responsible for making known the rules and procedures to safeguard the data from unauthorized access and abuse. They also play an active and critical role in data access authorization processes. Access in this context means either (a) the capacity for data processors to enter, modify or delete data or (b) the capacity for data users to view, copy or download data. The access-authorization responsibilities of data security contacts include:
  1. Approving access requests for sponsored employees and non-UVa individuals within their departments and forwarding these to the next stop in the approval chain (varies with the application for which access is being requested).
  2. Requesting adjustments to these authorizations when access needs of employees and non-UVa individuals within their departments change.
  3. Regularly verifying the accuracy of existing authorizations for individuals in their departments and monitoring for inappropriate access activity.
Data security contacts who report to a data steward are typically also assigned responsibility for approving all or selected requests (varies with the system) from other departments to access data in that data steward's data domain. In some cases, such as the University's Oracle applications, data stewards have granted blanket access for selected data on condition that the requestor satisfies certain prerequisites (e.g., signing a confidentiality agreement).
Data users are, in this context, any University employees who use University administrative data -- persons who view, copy or download data, but who do not enter, modify or delete it. Persons who view data and who copy or download it are responsible for the accurate presentation of that data. They also are responsible for helping to protect the data to minimize security risks and for helping to monitor data quality. For more details on data user responsibilities, see Section 5.0 of the Administrative Data Usage Policy.
Data processors are persons specifically authorized by data stewards to enter, modify, or delete data. They are responsible for and accountable for completeness, accuracy, and timeliness of the data, and they are cognizant that other persons rely on their products for those qualities.
System sponsors ensure the usability, reliability, availability and integrity of information systems and their data by serving as liaisons between each system's stakeholders -- all parties with interests in such systems. (a list of system sponsors is under development and will be linked here when available) The system sponsors negotiate priorities and enhancements to the systems and lead change management processes in accord with the documented strategic goals for particular systems. They are responsible for ensuring that the system for which they serve as sponsor is operable and available to all authorized users on an established schedule. They also serve as liaisons between the stakeholders and the technical staff responsible for such systems and the infrastructure in which they operate. They notify technical staff and stakeholders of required changes. They provide resources and training to those with other data-related roles to assure that quality standards are met.
Central Information Technology and Communication (ITC) and Health Systems Computing Services (HS/CS) set strategic direction, develop overall policies, coordinate, and provide services in support of University-wide data administration activities. These responsibilities are encompassed in the following roles:
  • Chief information officer(s) of the University and the Health System, depending on the nature of the data involved, are individually responsible for setting overall policies, procedures, and guidelines for the University-wide data environment and infrastructure (current CIOs are identified in Appendix C). They establish quality and security standards for administrative data, in order to promote and protect the University's interests in it. They also are ultimately responsible for defining and implementing policies to assure that University administrative data are recoverable from unforeseen loss or damage to the degree that can be accomplished at reasonable cost. The data stewards and system sponsors play active roles in assisting their relevant CIO in this responsibility. Also with the data stewards' and system sponsors' advice, the CIOs will develop workable plans for resuming operations in the event of a disaster, including recovery of data and restoration of needed computing infrastructure services.
  • Agency information security officers are persons designated by the relevant CIOs (responsibility delegated from the President) to serve as the Commonwealth of Virginia-recognized information security officers for Agency 207 and Agency 209, respectively (current agency information security officers are identified in Appendix C). The two individuals in these roles are responsible for coordinating the agencies' compliance with relevant Commonwealth security policies, standards and guidelines, notably SEC2000-01.1, Information Technology Security. In this role, each agency information security officer works in partnership with units and individuals across the University to establish strategic direction, review and recommend policy, provide security education and training, establish security safeguards, monitor for and address security incidents, assess risk, develop business continuation plans, and related activities.
  • Data administrators of ITC and Health System Computing Services develop, communicate and monitor compliance with standards for the management of institutional data and for ensuring that data are accessible to those who need it (current ITC and HSCS data administrators are identified in Appendix C). They work closely with the data stewards on formulation of data policies, standards, and procedures. The data administrators work with the system sponsors and data stewards to establish long-term direction for effectively using information resources to support University goals and objectives. The data administrators develop the overall data architecture and create logical data models for data repositories. These models are ultimately used to create an institution-wide data model that cross-references data across applications and encourages data sharing. The data administrators develop standard methods for naming and defining data. They also facilitate conflict resolution in data definitions. They provide means that enable institutional data to be available to authorized users in a manner consistent with established data access rules and decisions. The data administrators develop, communicate and promote standards for data quality, as well as model-processes for assuring it. In conjunction with the agency information security officers, they develop and promote processes to minimize security risks.
  • Data security administrators of ITC and Health System Computing Services work closely with data security contacts, and where appropriate Human Resources, to administer data authorization processes for enterprise-wide administrative data . They establish/delete user IDs and grant/remove access to users with proper authorization and manage password expiration and reset processes. They also distribute and monitor data security contact usage of administrative data security reports and investigate unauthorized access in collaboration with the UVa Audit Department, the Auditor of Public Accounts, and the UVa Police Department.

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.