Administrative Data Access Policy

Appendix B of the Administrative Data Access Policy

Roles and Responsibilities Related to Institutional Administrative Data

Roles at a Glance

Role

Highlight of Responsibilities

System sponsors/Data stewards

Senior institutional officials, or their department head level designate(s), with planning and policy-level responsibility and accountability for data, including creation and maintenance, within their appropriate data domains. They determine who may create, maintain, and use data in the domain area(s) for which they are responsible, and they are responsible for ensuring the quality of data entered. They negotiate priorities and enhancements to the systems and lead change management processes in accord with the documented strategic goals for particular systems; responsible for ensuring that the system for which they serve as sponsor is operable and available to all authorized users on an established schedule.

Data security contacts

Carry out the data domain policies set by the data stewards, as well as the institution's overall administrative data security policies; play major approval role in data access authorization processes.

Data users

View, copy or download data, but do not enter, modify or delete it.

Data processors

Enter, modify, or delete data.

University-level information technologies staff

This central organization sets strategic direction, develops overall policies, coordinates, and provides services supporting institution-wide data administration activities.
Roles include:

  • Chief information officer - Sets policies, procedures, and guidelines for institution-wide data administrative activities; establishes security standards for administrative data, in order to promote and protect the institution's interests in it.
  • Agency information security officer - Coordinates the agency's overall IT security programs and ensures compliance with relevant Commonwealth security policies, standards and guidelines.
  • Data administrators - Develop and apply standards for the management of institutional data and for ensuring that data are accessible to those who need it. They work closely with the data stewards on formulation of domain data policies, standards, and procedures.
  • Data security administrators - Administer the data authorization process for enterprise-wide administrative data.

 

DETAILED DESCRIPTIONS

System sponsors/Data stewards are senior institutional officials, or their department head-level designate(s), who have planning and policy-level responsibility and accountability for data, including creation and maintenance, within their appropriate data domains (a list of data stewards and their data domains appears in Appendix C). They ensure the usability, reliability, availability and integrity of information systems and their data by serving as liaisons between each system's stakeholders -- all parties with interests in such systems. They negotiate priorities and enhancements to the systems and lead change management processes in accord with the documented strategic goals for particular systems. They are responsible for ensuring that the system for which they serve as sponsor is operable and available to all authorized users on an established schedule. They also serve as liaisons between the stakeholders and the technical staff responsible for such systems and the infrastructure in which they operate. They notify technical staff and stakeholders of required changes. They provide resources and training to those with other data-related roles to assure that quality standards are met. As data stewards, their specific responsibilities include:

  • Assigning each item of administrative data to a data category (see Appendix A).
  • Defining the criteria for archiving the data to satisfy mandated and business-driven retention requirements, with advice from system sponsors on the balance of cost effectiveness and reasonableness.
  • Determining the business needs for security for their data and monitoring and reviewing security implementation and authorized access, in consultation with the information security officer.
  • Establishing procedures for initial definition and change of data elements within their data domains.
  • Providing data descriptions for directories that will let data users know what shareable data are available, what the data mean, and how to access the data stored within the repositories for which they are responsible. Data definitions will be: based on actual usage, made according to University standards, modified only through approved procedures, and reviewed on a timely basis and kept current.
  • Developing policy to promote the accurate interpretation, responsible use and protection of administrative data in their domains.
  • Specifying data viewing, copying or downloading procedures that are unique to a specific data repository or set of data elements. These procedures will ease "read-only" access, will preserve data quality and will minimize security risk.
  • Ensuring the rules and conditions that could affect the accurate presentation of data are well known by data users and processors and supporting users/processors in the use and interpretation of administrative data, primarily through documentation, training, and problem resolution.
  • Ensuring data quality by:
  • Determining the most reliable sources of data and regularly evaluating the quality of the data.
  • Assigning and overseeing data entry, data capture and maintenance to ensure data quality.
  • Identifying gaps and redundancies in the data and, to the extent possible, ensuring that only needed versions of each data element exist.
  • Specifying data control and protection requirements to be observed by data processors and users.
  • Informing the system sponsor of any new data needs, gaps in quality, and/or removal of data redundancies or obsolete data.
  • Generally monitoring the data for accuracy, integrity, and dependability, and where appropriate, initiating action concerning these issues.


Data security contacts carry out the data domain policies set by the data stewards, as well as the institution's overall administrative data security policies (a list of data security contacts appears in Appendix C). Data security contacts are responsible for making known the rules and procedures to safeguard the data from unauthorized access and abuse. They also play an active and critical role in data access authorization processes. Access in this context means either (a) the capacity for data processors to enter, modify or delete data or (b) the capacity for data users to view, copy or download data. The access-authorization responsibilities of data security contacts include:

  • Approving access requests for sponsored employees and non-institutional individuals within their departments and forwarding these to the next stop in the approval chain (varies with the application for which access is being requested).
  • Requesting adjustments to these authorizations when access needs of employees and non-institutional individuals within their departments change.
  • Regularly verifying the accuracy of existing authorizations for individuals in their departments and monitoring for inappropriate access activity.

Data security contacts who report to a data steward are typically also assigned responsibility for approving all or selected requests (varies with the system) from other departments to access data in that data steward's data domain. In some cases, data stewards have granted blanket access for selected data on condition that the requestor satisfies certain prerequisites (e.g., signing a confidentiality agreement).

Data users are, in this context, any institutional employees who use institutional administrative data -- persons who view, copy or download data, but who do not enter, modify or delete it. Persons who view data and who copy or download it are responsible for the accurate presentation of that data. They also are responsible for helping to protect the data to minimize security risks and for helping to monitor data quality. For more details on data user responsibilities, see Section 5.0 of the Administrative Data Usage Policy.

Data processors are persons specifically authorized by data stewards to enter, modify, or delete data. They are responsible for and accountable for completeness, accuracy, and timeliness of the data, and they are cognizant that other persons rely on their products for those qualities.

University-level information technologies staff set strategic direction, develop overall policies, coordinate, and provide services in support of University-wide data administration activities. These responsibilities are encompassed in the following roles:

  • The chief information officer is responsible for setting overall policies, procedures, and guidelines for the institution-wide data environment and infrastructure (the current CIO is identified in Appendix C). The CIO establishes quality and security standards for administrative data, in order to promote and protect the institution's interests in it. The CIO also is ultimately responsible for defining and implementing policies to assure that institutional administrative data are recoverable from unforeseen loss or damage to the degree that can be accomplished at reasonable cost. The system sponsors/data stewards play active roles in assisting the CIO in this responsibility. Also with the system sponsors'/data stewards' advice, the CIO will develop workable plans for resuming operations in the event of a disaster, including recovery of data and restoration of needed computing infrastructure services.
  • The agency information security officer is the person designated by the CIO (authority delegated from the President) to serve as the Commonwealth of Virginia-recognized information security officer (the current agency information security officer is identified in Appendix C). The individual in this role is responsible for coordinating the agency's compliance with relevant Commonwealth security policies, standards and guidelines, notably SEC2000-01.1, Information Technology Security. The agency information security officer works in partnership with units and individuals across the institution to establish strategic direction, review and recommend policy, provide security education and training, establish security safeguards, monitor for and address security incidents, assess risk, develop business continuation plans, and related activities.
  • Data administrators of the Department of University Data Management develop, communicate and monitor compliance with standards for the management of institutional data and for ensuring that data are accessible to those who need it (current UDM data administrators are identified in Appendix C). They work closely with the system sponsors/data stewards on formulation of data policies, standards, and procedures. They also work with the system sponsors/data stewards to establish long-term direction for effectively using information resources to support institutional goals and objectives. The data administrators develop the overall data architecture and create logical data models for data repositories. These models are ultimately used to create an institution-wide data model that cross-references data across applications and encourages data sharing. The data administrators develop standard methods for naming and defining data. They also facilitate conflict resolution in data definitions. They provide means that enable institutional data to be available to authorized users in a manner consistent with established data access rules and decisions. The data administrators develop, communicate and promote standards for data quality, as well as model-processes for assuring it. In conjunction with the agency information security officer, they develop and promote processes to minimize security risks.
  • Data security administrators of the departments of Information Technologies and of University Data Management work closely with data security contacts, and where appropriate Human Resources, to administer data authorization processes for enterprise-wide administrative data. They establish/delete user IDs and grant/remove access to users with proper authorization and manage password expiration and reset processes. They also distribute and monitor data security contact usage of administrative data security reports and investigate unauthorized access in collaboration with the institution's internal auditor, the Auditor of Public Accounts, and the Police Department.
