Corporate Policies & Procedures
General Administration
Document CPP123
Data Governance Policy

First Produced: 17/07/13
Current Version: 17/07/13
Past Revisions: Nil
Review Cycle: 3 year cycle
Applies From: Immediately
Authorisation: Te Kāhui Manukura
Officer Responsible: Manager, Governance & Strategy

1 Introduction

1.1 Purpose
Data governance needs to ensure that systems and business processes are well managed and maintained both at strategic and operational levels on an ongoing basis to ensure data is accurate and available for business purposes.

1.2 Scope and Application
The policy applies to all staff of CPIT. It also applies to contractors, consultants and visitors engaged to work with, or who have access to CPIT information. Policies also apply to students and any specific exclusions for students are identified within the policy.

1.3 Formal Delegations
Te Kāhui Manukura has ultimate responsibility for the integrity and management of the institute's core data. This is delegated to the Data Governance Group and s (who may delegate further to the s) in their respective areas of expertise. The Data Governance Group (DGG) will undertake those responsibilities defined in its charter; CPIT Governance Group, Data Governance. The DGG will report to Te Kāhui Manukura (TKM). Members of the DGG will be s and/or s representing the Core Data resources of the Institute, and Information representative(s).

1.4 Definitions
a s: Senior staff members with delegated accountability for the collection, dissemination and security of data.
b Core Data: The data that resides in the databases associated with the important and business critical applications for the organisation. Core data includes, but is not limited to - shared data about managed entities, interests, finances, employees, resources, customers, providers, business affiliates, best practices, and operating procedures.
c Data Classifications: The following data classifications have been established to inform the access and utilisation of data within the organisation.
d Public Data: Available to general public with no access control or identification required.
e Student Data: Data available to students as a right of enrolment. This includes general student data and data of relevance to the individual student.
f Institutional Data: Proprietary data, data for general administration. Primarily for internal usage, not for student or external distribution.
g Protected Data: Data to be used only by individuals who require it for their jobs. Data containing sensitive personal or confidential information, commercially sensitive information or other information that would usually be regarded as sensitive information.
h : An individual who is ultimately responsible for the definition, management, control, integrity or maintenance of a Core data resource. This role will normally be assigned to an existing senior user/administrator of the system, which produces the data, who has a good understanding of the data and its application.
i Data Integrity: Data that has a complete or whole structure. All characteristics of the data including business rules, rules for how pieces of data relate, dates, definitions and lineage must be correct for data to be complete.
j Disaster Recovery: the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organisation after a natural or human-induced disaster.
k Information: data that has been processed into a meaningful form.
l Interfaces: a point of interaction between two systems (or applications).
m Meta-data: data that describes data e.g. data format, meaning, source, application etc.
n Referential Integrity: a property of data which, when satisfied, requires every value of one attribute (column) of a relation (table) to exist as a value of another attribute in a different (or the same) relation (table).
o Replication: the use of redundant resources to improve reliability, fault-tolerance, or performance. This can refer to both databases and supporting technology e.g. server hardware.

Related CPIT Procedures (indicate if attached to policy or where they can be found)
CPP105 Code of Conduct for ICT Users

Related Legislation or Other Documentation
Privacy Act 1993
Public Records Act 2005

Related CPIT Policies
CPP105 Acceptable Use and Conduct for ICT Users
CPP109 Disclosing Personal Information about Students and
CPP110 Legislative Compliance
CPP114 Records and Archives
CPP121 ICT Security Policy

Good Practice Guidelines (indicate if attached to policy or where they can be found)

References

Notes

2 Principles

2.1 All Data is the Property of the Institution
Data is not "Owned" by any Individual or Business Unit. Data (both structured and unstructured) and the meta-data about that data are business and technical resources owned by the organisation.

2.2 Core Data Must Be Modeled
All core databases shall be modeled, named, and defined consistently (according to standards) across the business divisions of the organisation. Every effort must be made by management to share data across divisions and to avoid redundancy. s of core databases must recognise the informational needs of downstream processes and business units that may require said data.

2.3 Core Data Must Be Maintained Close to Source
All core data shall be created and maintained as close to the source as feasible aligned to consistent data input standards. Data quality standards shall be managed and applied actively to ensure approved reliability levels of core data as defined by the Data Governance group e.g. compulsory field validation on all core data sets.

2.4 Core Data Must Be Safe and Secured
Core data in all formats shall be safeguarded and secured based on recorded and approved requirements and compliance guidelines as per data classification standards. These requirements are to be determined by the data stewards and validated by the Management Team. Appropriate availability, backups and disaster recovery measures shall be administered and deployed for all core databases.

2.5 Core Data Must Be Accessible
Core data and information about that data (meta-data) shall be readily accessible to all. Core data will be public except where determined to have controlled access as per data classification standards. When restrictions are made, data stewards are accountable for defining specific individuals and levels of access privileges that are to be enabled.

2.6 Meta-Data Will Be Recorded and Utilised
All core information system development and integration projects will utilise a consistent meta-data method for data naming, data modeling, and logical and physical database design purposes.

2.7 s Will Be Accountable for Core Data
s will be senior staff members with delegated accountability for the collection, dissemination and security of data. They will be accountable for:
a Legislative compliance
b Data use
c Data quality
d Data security
e Data Privacy
f Change management

2.8 s Will Be Responsible for Core Data
Individuals recognised as business definers, producers, and users of core data will be designated "s". s are those individuals ultimately responsible for the definition, management, control, integrity or maintenance of a core data resource. Data Stewards are aware of compliance requirements pertaining to the data held (e.g. Privacy Act 1993, Public Records Act 2005, etc) and aware of their regulatory obligations arising from those regulations.

2.9 s will have responsibility through their job description.

3 Associated procedures for CPIT Corporate Policy on: Data Governance

Contents:
3.1 Data Standards And Procedures
3.2 Access to Data
3.3 Authority over Data
3.4 Data Integrity
  a Referential Integrity
  b Integrity of Application Software
  c Integrity of Content
  d Integrity of Process
3.5 Interfaces
3.6 Migration
3.7 Data Management
3.8 Version Control
3.9 Change Control
3.10 Replication
3.11 Backup, Recovery and Restore
3.12 Disaster Recovery
3.13 Retention requirements
3.14 Destruction protocols
3.15 User Responsibilities
3.16 Skills and Training
3.17 Corporate Information Systems

3.1 Data Standards And Procedures
The following data standards have been developed for the CPIT environment. It is expected that these standards will provide a guideline for all staff and vendors when working with CPIT core data.

3.2 Access to Data
Access to data is the ability to view, retrieve, alter, or create data. The Data Governance Group will establish and maintain access rules for data and business documents under their control. Access rules must be based on the principle of public and equitable access to information unless explicit reasons preclude this. Access with the ability to alter or create data is likely to be different, and more restrictive, than that for view/retrieve. Where data is held in multiple physical databases e.g. for analysis purposes or technical performance reasons, the Data Governance Group will designate the master source of the data which will always take precedence should a conflict in data values occur. Data element content and business documents will be retrievable in formats that meet open international standards. Technology will be supported for future retrieval of data. Compliance with CPIT Access to Data standards is required for all users.

3.3 Authority over Data
CPIT has authority over use of the organisation's physical computer assets.
CPIT is the legal custodian of all data that is collected or generated during the execution of the Institute's business processes.
The Chief Executive or delegate is responsible for protecting CPIT data at the level appropriate for its sensitivity, as per the data classification standards. CPIT data will only be shared between internal systems or with other organisations with management approval. Compliance with CPIT Authority over Data standards is required for all users.

3.4 Data Integrity
Data and business documents will be managed to preserve and demonstrate their authenticity, integrity and retrievability to meet business and statutory requirements. These procedures cover both the logical and physical integrity of data and document stores and their contents. In order to present consistent information both internally and externally, document and data stores must be managed as a coherent whole. This means:
- All core data stores are known & documented (as identified by the Data Governance Group)
- Duplication of content between stores is minimised and controlled
- The original content, context, and structure of documents is preserved
- Authorised activities are permitted
- Unauthorised activities are prevented
- Relevant events are logged as determined by business or legislative requirements
- Content is retrievable in a usable format.

a Referential Integrity
s must ensure that systems are put in place to maintain the context of data elements in database structures.

b Integrity of Application Software
The integrity of any application software operating on approved data stores will be monitored at appropriate intervals, and action taken to repair and prevent defects.

c Integrity of Content
Where users enter data into a data store, validation at the time of input is required wherever practical. Processes must be in place to monitor and correct errors in the data and metadata. Any changes to the use of data or metadata fields must be agreed with the relevant and documented and effects on downstream systems taken into account.

d Integrity of Process
CPIT must be able to demonstrate that their processes fully capture required data elements, that business rules and standard operating procedures are in place for their management and that they have been implemented.

3.5 Interfaces
Electronic interfaces between systems must use mechanisms based on open industry standards as specified in the CPIT information technology policies and standards. Redundant or non-standard interfaces will be phased out over time.

3.6 Migration
Data stores will be constituted such that all content, structure and metadata can be migrated to a different environment without loss of integrity. In the event of migration or major upgrade, migration plans will be produced and require appropriate approval. Compliance with CPIT Data Integrity standards is required for all users.

3.7 Data Management
s have responsibility for data management of core data within institutional business systems. Metadata will be collected for all core databases and must be sufficient to describe the document, dataset, or data store, and to establish its validity and relevance for business or evidential purposes. Capture of most metadata for business documents is best undertaken at the time they are created or received, usually by the individual involved. Data and business documents will be managed within a defined retention process, as per the formal retention and disposal schedule for the institute.

3.8 Version Control
CPIT will determine business rules for version control of data elements and data sets. Rules will be built into systems or expressed as guidelines for users.

3.9 Change Control
Change control procedures will be applied to the structure of data stores and the business processes that affect them, to ensure the contextual integrity of current content and that historical material maintains its integrity. This includes being cognisant of Applications that create or maintain data and interfaces to downstream systems.

3.10 Replication
Replication of data will be controlled by the s involved and will only come from prime authoritative data sources. All replication arrangements will be auditable to ensure that a true replica is made.

3.11 Backup, Recovery and Restore
CPIT will have a backup regime for data stores to insure against system failure or human error. Backup operations will be regularly monitored for completeness and tested for retrievability.

3.12 Disaster Recovery
CPIT will have a fully tested disaster recovery plan to reconstitute data stores to ensure timely re-establishment of the business.

3.13 Retention requirements
CPIT must identify, describe and comply with their retention and destruction requirements for data elements as per legislative requirements, including the Public Records Act (2005).

3.14 Destruction protocols
No data will be destroyed while they are needed to fulfil the statutory or business requirements of CPIT. Any deletion or destruction process must be secure, deliberate, authorised and auditable. Compliance with CPIT Data Management standards is required for all users.

3.15 User Responsibilities
Users of Institute data include but are not limited to the following categories:
a Institute employees
b Volunteers
c Contractors
d Vendors
e Partners
f Students

Individual Institute Users play a critical role in ensuring the security of Institute Data. Ultimately, only the User can prevent unauthorized access and ensure responsible use of the data. Proper use of data, including assurance of security and privacy, is a requirement for all Institute employees and should be included in all Institute agreements providing access to Institute Data, and is a condition of enrolment for students.

Users are responsible for the following actions:
i Store data under appropriately secure conditions for the data classification level
ii Make every reasonable effort to ensure the appropriate level of data privacy is maintained
iii Use the data only for the purpose for which access was granted
iv Not to share identities or passwords with other persons
v Securely dispose of sensitive Institute data

In any disposal of media or devices, Users should ensure that techniques are applied so that unauthorized persons cannot later access sensitive data. Such techniques include, but are not limited to: erasing data from flash/pen drives or hard drives with special 'scrubber' programs, and physically destroying old media containing sensitive data. This role may be conducted by the ICT support team on behalf of the user. Compliance with Institute User Responsibilities standards is required for all users.

3.16 Skills and Training
will be trained in their responsibilities when working with CPIT data. These responsibilities will be written or referred to in Job Descriptions and Performance Agreements, for staff at all levels.

3.17 Corporate Information Systems (as defined by the CPIT Data Governance Group)

Student Management System
HR & Payroll Talent2 Alesco
Finance System Kypera
Asset Management BEIMS
Learning Management System Moodle

Director Corporate Services (Darren Mitchell) Manager Registry (Laurie Millar) Marion Pewini Admission/Results Team Leader Karen Coleman International Admissions Gael Barrington Curriculum Loading Katherine Hely Timetabling Officer Authorised staff and students
Director Human Resources (Patsy Gibson) Analyst/Administrator HRIS (Svetlana Sburov) Payroll All staff via HRKiosk
Director Corporate Services (Darren Mitchell) Manager Finance (David Kerby) David Kerby Finance staff
Director Corporate Services (Darren Mitchell) Manager Facilities Management (Grant McPhail) Manager Services (Chris Laws) Facilities
Director Academic (Shirley Wilson) Manager Library & Learning (Fiona Mcdonld) LTU & Students, External collaborators

Learning Object Repository Equella
Director Academic (Shirley Wilson) Manager Library & Learning (Fiona Mcdonld) LTU & Students, External collaborators

Content Management System MySource Matrix
Director Business Development Manager Marketing (Lee McNichol) Marketing (Natasha Cain)

Communications Exchange, Lync, Cisco telephony, Zeacom
Director Corporate Services (Darren Mitchell) Director ICT (Mark Marshall) Infrastructure Manager (Craig Manson) Contact Center specialist users on Zeacom

Library Voyager
Programme Repository
Director Academic (Shirley Wilson) Manager Library & Learning (Fiona Mcdonld) Librarian Digital (Tanja Webster) Library Students
Director Academic (Shirley Wilson) Manager Academic Evaluation (Denise Holling) Academic Evaluation Unit (Nicol Cameron, Lynne Hawke) AEU Marketing