Data Management Standard

Similar documents
Rowan University Data Governance Policy

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Institutional Data Governance Policy

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

How To Manage Information Security At A University

PROCEDURE. The permission rights assigned to allow data custodians to view, copy, enter, download, update or query data.

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

October 8, User Conference. Ronald Layne Manager, Data Quality and Data Governance

University of Hawai i Executive Policy on Data Governance (Draft 2/1/12)

RUTGERS POLICY. Policy Name: Standards for Privacy of Individually Identifiable Health Information

Cal Poly Information Security Program

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

Information Security Policy

Information Security Program

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS

University of Tennessee's Identity Theft Prevention Program

Vulnerability Management Policy

Data Management & Protection: Common Definitions

Legislative Language

Health Sciences Compliance Plan

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Information Resources Security Guidelines

Marist College. Information Security Policy

OPERATIONAL DIRECTIVE. Data Stewardship and Custodianship Policy. Superseded By:

Privacy Policy Last Modified: April 3,

Security Awareness Training Policy

SOUTHERN UNIVERSITY SYSTEM POLICIES AND PROCEDURES. I. Policy Statement

HIPAA Employee Training Guide. Revision Date: April 11, 2015

R345, Information Technology Resource Security 1

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

Governance Processes and Organizational Structures for Information Management

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

POLICY 5.9 CORNELL UNIVERSITY POLICY LIBRARY. Information technology data will be disclosed only according to the procedures outlined in this policy.

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Information Security: Roles, Responsibilities, and Data Classification. Technology Services 1/4/2013

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General

Utica College. Information Security Plan

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

INFORMATION SECURITY STRATEGIC PLAN

Data Governance Policy. Version October 2015

Information Security Program CHARTER

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

Institutional Data Governance Policy

Oklahoma State University Policy and Procedures. Red Flags Rules and Identity Theft Prevention

J.H. ELLWOOD & ASSOCIATES, INC. 33 West Monroe, Suite 1850 Chicago, IL (312)

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

David Coble Internal Control Officer

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

Virginia Commonwealth University School of Medicine Information Security Standard

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY

Information Security Policy

College of DuPage Information Technology. Information Security Plan

Information Security Plan May 24, 2011

Data Security Incident Response Plan. [Insert Organization Name]

Health Care Provider Guide

Wright State University Information Security

Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services

BERKELEY COLLEGE DATA SECURITY POLICY

Contact: Henry Torres, (870)

PROTECTION OF PERSONAL INFORMATION

University Information Technology Security Program Standard

Computer Security Incident Response Team

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Release: 1. FNSILF302A Process a life insurance application

MATTEL, INC. AMENDED AND RESTATED AUDIT COMMITTEE CHARTER

HIPAA BUSINESS ASSOCIATE AGREEMENT

Health Plan Select, Inc. Business Associate Privacy Addendum To The Service Agreement

Transcription:

Data Management Standard Revision: Version 1.0 Date: 11/2015 Status: Approved by ISAC, Reviewed by Chancellor s Cabinet 1. Objectives Page 1 2. Scope Statement. Page 1 3. Requirements..Page 1 4. Definitions Page 5 5. References.Page 5 Table of Contents 1. Objective: The objective of this standard is to clearly define the roles, responsibilities, and specific requirements needed to provide secure and optimal management of data to support the University mission. This standard addresses the objectives outlined in sections 4.4.3.1 and 4.4.3.2 of the University Security Policy. 2. Scope: The standard applies to all Appalachian State University employees, students, and affiliates and all institutional data (see section 4.4), whether verbal, printed, or electronic, and whether individually controlled, shared, stand alone, or networked. 3. Requirements 3.1 Data Governance Groups 3.1.1 Council The Council is comprised of all University (see 3.2.2). The Council is responsible for overseeing the development and maintenance of standards needed to ensure consistent treatment of institutional data (see 4.4) as well as periodically reviewing and reporting on the effectiveness of University data management practices. 3.1.2 Data Management Group The data management group is responsible for establishing operational practices and initiatives related to data quality, data security, privacy, and compliance. Standing membership of this committee will include but is not limited to the University Data Custodians, Director of Analytics, Director of Enterprise Applications, Chief Security Officer, University Archivist, and General Counsel. 1

3.2 Data Management Structure Roles and responsibilities related to management of institutional data are defined at all levels of the University. The following data management roles are recognized and approved: 3.2.1 Data Trustees - The data trustees are senior institutional officers (e.g., Vice Chancellors, Vice Provosts, Deans, etc.) who have both oversight and policy-level responsibility for defined institutional data sets. Data Trustees work with the Chief Officer (CIO) to ensure that the appropriate resources (staff, technical infrastructure, etc.) are available to support the data needs of the entire university. Establishment of university-wide data management policies and standards Oversight of data management related to university functions for their units Promoting appropriate data use, data quality and management procedures Assigning for specific institutional data sets 3.2.2 - Data stewards are University employees with planning and management responsibility for defined institutional data sets (e.g. student data, finance data, personnel data, research data, and alumni data). Data stewards are responsible for ensuring that the management of individual data sets conforms with relevant University policies and standards. Establishing procedures to ensure that data elements within institutional data sets are defined, described, and assigned an appropriate Data Classification level (see 3.3) Ensuring that data quality and data definition standards are developed and implemented Coordinating and resolving stewardship issues and data definitions of data elements that cross multiple functional units Regularly coordinating with Chief Security Officer, Data Management Group, and General Counsel on management and security of data Assigning Data Custodians for their respective areas 3.2.3 Data Custodians / Security Officers A data custodian is a University employee who has been assigned operational responsibilities for maintaining technical solutions and/or enforcing access procedures related to Institutional Data (including data maintenance roles). Data custodians often work in teams to document, implement, and monitor operational standards and procedures. Maintaining technical solutions and executing procedures in compliance with relevant University policies, standards, and data steward requirements Managing Data User access and modification requests as authorized by appropriate Data Stewards Providing and updating procedures in conjunction with and Data Management Group 3.2.4 Data Users - Data Users are University units or individual University members who have been granted access to institutional data in order to perform assigned duties or in fulfillment of assigned roles or functions within the University. This access is granted solely for the conduct of university business. 2

Using institutional data only as required for the conduct of university business within the scope of employment, affiliation with the University, or enrollment as a student Following the policies and procedures established to store data under secure conditions Complying with federal and state laws and regulations as well as university policies, procedures, and standards associated with data privacy Implementing safeguards prescribed for Confidential, Sensitive, and Internal Data Ensuring the appropriateness, accuracy, and timeliness of institutional data used for the conduct of university business Reporting any unauthorized access, data misuse, or data quality issues to the appropriate data steward for remediation Accepting and completing the University Confidentiality Statement if work duties require access to Confidential Data Completing any training required for access to a specific data set, such as FERPA or HIPAA training 3.3 Data Classifications All data elements shall be classified in one of four data classification levels. All institutional records will be classified based on the data element(s) that have the most restrictive classification. The following data classifications have been defined: Data Classification Level Description Defined By Confidential Data Social Security Numbers Credit Card Numbers Bank Routing Numbers Protected Health Info. Example Compliance Areas: NC Identity Theft Protection Act (GS 75-65) GLBA (CFI) HIPAA (PHI) PCI-DSS (CHD) Data whose unauthorized disclosure and/or loss of control would reasonably result in significant financial losses, unacceptable risks, or impairment to the efficient conduct of the University mission. Confidential Data often have these attributes: Protection of this data is prescribed within legal and/or contractual requirements. Not considered a public record subject to disclosure (G.S. 132). Handling of this data addressed by detailed data security requirements. Office of General Counsel ITS Office of Security Sensitive Data Employee Performance Student Socioeconomic Indicators Data that is considered private and must be protected, but has lesser degree of impact associated with unauthorized disclosure and/or loss of control versus Confidential Data. Sensitive Data often have these attributes: in consultation with Office of General Counsel and ITS Office of 3

Protection measures not prescribed by legal or contractual requirements. Access rights established around identified processes and needs. Handling of this data requires elevated data security requirements. Security Internal Data FERPA Academic Records Non-Confidential Personnel Records Budget and Salary Data that is proprietary or produced only for use by members of the University community who have a legitimate purpose to access such data. Internal Data often have these attributes: Access established for fulfillment of daily business requirements Handling of this data requires general security requirements. Public Data Public Web Pages Press Releases Institutional information that has few restrictions or is intended for public use. 3.5 Data Access Controls Access to institutional data shall be driven by the application of a role based access control model. The two following role types will be applied when evaluating and implementing access requirements. 4. Definitions 3.5.1 Data Maintenance Roles: The access for data maintenance in administrative systems will be determined based on the employee position and location, and will be governed by the business requirements as determined by the Data Custodians. 3.5.2 Data Inquiry Roles: The access for data inquiry will be determined by the required data set and associated data classification level, and will be governed by the Data Steward assigned the requested data set. 4.1 Data - Data refers to information created, gathered and consumed for reference or analysis. 4.2 Data Element - A data element is an atomic unit of data that has precise meaning or precise semantics. 4.3 Administrative System - A system at the University that contains institutional data, and is 4

used for operation of business. 4.4 Institutional Data - Institutional data refers to one or more data elements that meets one or more of the following criteria: Any Data that originates in an academic or administrative system. Any Data contained within the University data warehouse. 4.5 Data Classification - A data classification is a common category of data elements that specifies their availability, access requirements, and requisite protection levels. 4.6 Data Quality is a perception or an assessment of data's fitness to serve its purpose in a given context. 4.7 Data Set - A data set is a discrete collection of data that is managed by an authorized University unit or individual. 4.8 Data Maintenance - The action of managing or editing the data inside an administrative system for the purpose of doing business at the University. 4.9 Data Inquiry - The action of querying data from an environment designed for that purpose with the intent of informing and influencing decision making. 5. REFERENCES 5.1 University Security Policy (Key Control Requirements 4.4.3.1, 4.4.3.2) 5.2 University Statement of Confidentiality 5.3 University Identity Theft Prevention Plan 5.4 University Payment Card Services Policy 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information