 Evolution
of Data Use and Stewardship
 Recent University-wide Data Stewardship Enhancements
 Integrated System Data Stewardship
Shirley C. Payne, CISSP, CRISC
UVa Assistant VP for Information Security, Policy, and Records
payne@virginia.edu
July, 2012
Data Dark Ages
A
D
M
I
S
S
I
O
N
S
Centralized
Stovepipe Data
Stores
A
C
A
D
E
M
I
C
R
E
C
O
R
D
S
F
I
N
A A
N I
C D
I
A
L
H
I
R
I
N
G
P
A
Y
R
O
L
L
A
C
C
O
U
N
T
S
P
A
Y
A
B
L
E
etc.
Data Floodgates Opened In Early 90’s
A
D
M
I
S
S
I
O
N
S
A
C
A
D
E
M
I
C
R
E
C
O
R
D
S
F
I
N
A A
N I
C D
I
A
L
H
I
R
I
N
G
INFORMATION WAREHOUSE
P
A
Y
R
O
L
L
A
C
C
O
U
N
T
S
P
A
Y
A
B
L
E
etc.

Clarified data ownership:
 University is owner of all administrative data
 Organizational units may have stewardship
responsibilities for portions of those data

Set high level conditions of data use:
 Use only for University business
 Comply with confidentiality and privacy policies and laws
 Comply with “reasonable protection and control
procedures”
 Present data accurately

Defined roles and responsibilities for (initially):




Data Stewards – data use planning/policy
Data Custodians – data creators/updaters
Data Users – data viewers
ITC – technical underpinning

New roles and responsibilities added over time and
existing ones renamed and/or updated

Last update was in 2001
Departmental
Systems
ERPs
Cloud
Computing
Escalating
Security Threats
Web
Apps
Increasing
Public
Awareness
& Concern
Mobile
Computing
New Laws &
Regulations
Data Minimization Initiative
Highly sensitive data requested
only when essential
Highly sensitive data access
authorized
to least # of people
University
Processes &
Supporting
Systems
Clear data use policies and standards exist
Responsibilities for data protection well communicated
Compliance verification processes in place
Highly sensitive data
provided only
when essential
Highly sensitive data stored
only in well secured
devices and file cabinets

Redefined Data
Classifications
Highly
Sensitive
Moderately
Sensitive
- Data that enables
identity theft
- Personallyidentifiable medical
data
Not
Sensitive
Public Data such as:
Everything
In between
- University financial
statements
- Summary statistics,
e.g. employees by
gender


Redefined Data
Classifications
Protection and Use of SSNs
Policy



Redefined Data
Classifications
Protection and Use of SSNs
Policy
Electronic Storage of Highly
Sensitive Data Policy




Redefined Data
Classifications
Protection and Use of SSNs
Policy
Electronic Storage of Highly
Sensitive Data Policy
Institutional Data
Protection Standards By
Classification





Redefined Data
Classifications
Protection and Use of SSNs
Policy
Electronic Storage of Highly
Sensitive Data Policy
Institutional Data
Protection Standards By
Classification
Revision of Administrative
Data Access Policy
Current Policy



“Administrative Data Access
Policy
Addresses administrative
electronic data shared across
departments
Roles and responsibilities do
not reflect current practice;
unclear how to fulfill
Planned Revision




“Institutional Data
Stewardship Policy”
Addresses all data owned by
the institution wherever they
are created and used and
whatever the form
Roles and responsibilities are
updated and clearer
Clear linkage made between
data classifications and data
protection standards


Data Domain Roles
System-Specific Roles
Other Data
Domains
Human
Resources
Data
Student
Records Data
Procurement
Data
Development
Data
Payroll Data
Accounts
Receivables
Data
Integrated
System
Benefits
System
Human
Resources
Data
Domain
Other
Systems
Time and
Leave
System
Lead@UVa
System
Procurement
Data Domain
Accounts
Receivables
Data Domain
Budget
Data Domain
Integrated
System
Hunan
Resources
Data Domain
Other Data
Domains
Payroll
Data Domain

Senior university officials having planning and
policy-level responsibilities for a large subset of
the institution’s data resource. They:
 Oversee the implementation of the Institutional Data
Stewardship Policy for their data domains
 Determine the appropriate classification of
institutional data within their domains in consultation
with executive management and appropriate others
 Appoint Data Stewards for their data domains

University officials having responsibility for determining
purposes and functions of data within their assigned
data domains. They:
 Work to ensure accuracy, integrity, and (as appropriate)
confidentiality of data
 Establish criteria for meeting the “need to know” requirement
for data access.
 Have final sign-off authority for users seeking to access data for
their respective data domains. May delegate final sign-off
authority to Deputy Data Stewards they appoint, but retain
accountability for results.
 Work to ensure users understand the data to which they have
access

Authorize or reject access requests based upon
approval criteria established by the Data
Stewards who appoint them

Data Users –
 acknowledge acceptance that they are accountable for protecting and appropriately
using data to which they are given access
 meet all prerequisite requirements, e.g. attend training on system use, before being
granted approved access.

Supervisors –
 confirm that their employees’ job duties require system access privileges
 assure system access privileges are removed when employees no longer need them.

Data Access Approvers –
 develop in-depth understanding of various responsibilities established within a given
system
 confirm that data access requests for a given system are completed correctly, e.g. that
appropriate system responsibilities are selected for the stated purpose(s).

Provisioners – central IT staff who implement the requested access authorizations.

http://its.virginia.edu/security/dataprotection
 Protection & Use of SSNs Policy
 Electronic Storage of Highly Sensitive Data Policy
 Institutional Data Protection Standards

http://its.virginia.edu/policy/admindataaccess.html
 Administrative Data Access Policy (under revision)

http://www.its.virginia.edu/policy
 Additional IT Policies