|Policy Title:||Data Governance|
|Effective:||January 17, 20131|
|Approved by:||President Bruce D. Benson|
|Responsible University Officer:||Vice President of Employee and Information Services|
|Responsible Office:||Office of the Vice President of Employee and Information Services|
|Policy Contact:||Chief Information Security Officer|
|Last Reviewed/Updated:||January 17, 2013|
|Applies to:||University wide|
Brief Description: To ensure that data is managed as a material asset the University has established a data governance program with the goals of ensuring that data provides value, meets compliance requirements, and risks are managed appropriately. Given that poor handing of data poses a risk to the University it is necessary to define roles and responsibilities for certain types of data.
Reason for Policy: Define roles and responsibilities to enable the University to exercise positive control over the processes and methods used to handle data and assure that university employees and administrative processes have appropriate access to reliable, authentic, accurate, and timely data. Data governance authority rests ultimately with the President and Chancellors; this policy defines roles and responsibilities to assist the President and Chancellors.
The policy covers university records, data where federal or state regulations exists, and data where external contract requirements exists regardless if the data is stored on a University owned or managed system or on a third party hosted service. Excluded from the scope of this policy is intellectual property that is educational materials.
II. Policy Statement
The program shall be managed and monitored collaboratively by University Counsel, Chief Information Security Officer, and the Council of Data Owners. Roles and responsibilities for data governance are as follows:
- Data owners are accountable for managing, protecting, and ensuring the integrity and usefulness of university data. Data owners have the primary responsibility to ensure the university is following its policies and is in compliance with federal and state laws and regulations. Data owners, in consultation with the Council of Data Owners, shall identify the criticality and sensitivity of data. Data owners typically are associated with the business functions of an organization rather than technology functions. Data owners are appointed by the President, Chancellors or their delegates and are typically an administrative officer of the University or departmental director. The President, Chancellor may choose to not identify a Data owner for certain data types given risk decisions or administrative, research, or academic needs.
- Data custodians typically have control over a data asset's disposition, whether stored (at rest), in transit, or during creation. Custodians will often have modification or distribution privileges. Data custodians carry a significant responsibility to protect data and prevent unauthorized use. Data custodians are often data providers to data users. Data owners or data stewards may also exercise custodial roles and responsibilities. Data custodians typically are associated with IT units within the university, either central IT organizations or IT offices within academic and administrative units.
- Data Stewards will often have data custodial responsibilities, but are distinguished from custodians by delegated decision-making authority regarding the data. Data stewards may represent data owners in policy discussions, architectural discussions, or in decision-making forums. Data stewards actively participate in processes that establish business-context and quality definition for data elements. Data stewards are more likely to be associated with business functions than IT functions.
- To the degree that a data user creates university data and/or controls the disposition of university data, he or she has responsibility for the custodial care of that data. Data users share responsibility in helping data stewards and custodians manage and protect data by understanding and following the IT and information security policies of the university related to data use.
- Council of Data Owners: The Council of Data Owners advise the President and Chancellors that the University is taking appropriate measures to ensure data quality and ensure compliance with relevant regulations and policies. The Council will work to consensus to resolve conflicts where data overlaps between multiple data owners. Council members consist of data owners appointed by the President and Chancellors. Where data owners are distributed to the campuses a single representative shall be appointed and may rotate bi-annually. Legal Counsel and the Chief Information Security Officer shall be ex officio members of the Council.
When University units create shared data repositories they take on responsibilities as data custodians. As such units must work with data stewards to ensure that they understand external regulatory and University policy compliance requirements. Data custodians may not extend the use of University data beyond the initial scope without additional review by the appropriate data steward. When shared data repositories are created on third party services special care must be made to ensure that contracts or service agreements include appropriate security and privacy.
It is the responsibility of the data steward to understand business needs of the University unit and facilitate appropriate access to the required data. The data steward will also coordinate with the campus Information Security Officer to ensure that adequate security controls are identified and implemented. Should the data steward have questions regarding the legitimacy of the University Unit’s business need the data steward shall validate the need with the data owner.
Data stewards, in consultation with the appropriate Campus Information Security Officer or the Office of Information Security shall publish processes for requesting and monitoring access to data and periodically audit access to data. Data stewards shall, at least annually, provide the data owner with information regarding the management, protection, and effectiveness of efforts to ensure the integrity and usefulness of university data. For example, how data is being used, identify data quality issues, and report on compliance issues.
The Chief Information Security Officer shall maintain and publish a list of identified data owners and data stewards for specific data types. The list will also identify the classification of specific data types. Where a single individual maintains multiple roles (e.g., data steward and data custodian) the CISO will provide notice to the Counsel of Data Owners to ensure the roles do not pose a risk to the University.
- Data Owner is a party or entity identified with and widely recognized to have primary authority and decision responsibility over a particular collection of university data. Click here for the list of University data owners.
- Data Custodian is any party charged with managing a data collection for a data owner.
- Data Steward is a party or entity possessing delegated authority to act on a data owner's behalf.
- Data User is any person or party that utilizes university data to perform his or her job responsibilities.
- Originally approved 1/1/13
- The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.
V. Key Words
Data, governance, information technology, compliance, risk, records, security
- 1. The title of “IT Security Principals” was replaced with the title of “Information Security Officers” effective May 1, 2014.