9.8.3 Procedures Define Enterprise Data Repository Management Roles and Responsibilities

I. Introduction

Data critical to the administration of Illinois State University, whether maintained by administrative or academic units, are strategic assets and contribute to the collective knowledge of the entire University community. While these data are stored in different database management systems that are housed on a number of different platforms and are maintained by several custodians, they collectively form the University's Enterprise Data Repository (EDR). The following Procedures identify the roles and responsibilities of those committed to ensuring the EDR effectively serves the needs of the University.

II. Role and Responsibilities

Data Stewardship and Information Technology Services Council

The Stewardship Council provides oversight for Enterprise Information Technology activities to ensure they are aligned with objectives stated in Educating Illinois, the University's Strategic Plan. It manages and balances the demand for Enterprise Information Technology needs by identifying priorities, overseeing data access, establishing performance metrics, and evaluating and monitoring progress on Information Technology activities.

The Stewardship Council defines the standards for the Master Data Access Plan including:

• defining and adopting levels for data classification
• overseeing the review process for exceptions to the Data Access Plan
• reviewing, revising, and updating policies related to data access
• further defining roles and responsibilities for those responsible for the EDR

Data Stewards

Data Stewards are individuals who have planning and decision-making responsibilities for data, related to their functional area, contained within the EDR. Responsible for:

• overseeing data access, data quality, and data integrity
• defining user security roles
• identifying, assessing and evaluating risks to the EDR
• ensuring that data are maintained and used in compliance with law, rule, and regulation
• promoting data security awareness to the University community
• ensuring metadata is created for data related to their functional area
• authorizing usage of data

Functional Owners

Functional Owners are operational managers in a functional area with day-to-day responsibilities for managing business processes and establishing business rules for production transaction systems A Functional Owner normally reports to a Data Steward. Responsible for:

• providing content expertise for the meaning and usage of data (e.g., defining metadata; implementing data quality)
• educating users on the data
• providing input on the creation of security roles and role-level security
• reviewing and validating user access, at least annually

Data Custodians

Data Custodians are information technology staff with day-to-day responsibilities for the capture, maintenance, and dissemination of data within the EDR. Responsible for:

• ensuring the Master Access Plan (MAP) is implemented and processes are auditable
• providing day-to-day security administration and request fulfillment
• maintaining access and audit records
• communicating appropriate use, and consequences of misuse, to users who access the systems
• creating, distributing, and following-up on security violation reports
• monitoring to ensure the authorized use, security, and transmission of data
• ensuring designs for new technologies are consistent with the MAP
• in coordination with Stewards, implementing and administering controls and procedures to manage application and information security risks
• providing reports on actual accesses to be reviewed and validated by Functional Owners at least annually

Data Users

Data Users are individuals who access university data in order to perform their assigned duties or to fulfill their role in the university community. Responsible for:

• requesting appropriate access to applications and data through the Unit Security Liaison (USL)
• using EDR resources in accordance with University policy
• maintaining adequate operational controls to ensure data protection (e.g., ensuring local copies of data are maintained in accordance with the MAP)
• notifying management when there is a suspicion of data misuse or a violation of University policy
• maintaining data confidentiality (including security controls and passwords)
• if requested by the University, executing a confidentiality or ownership agreement
• accessing and using only the information that is authorized by Data Stewards

Unit Security Liaisons

Unit Security Liaisons (USLs) are the primary point of contact for academic and administrative units for all matters relating to data security. The USL is appointed by the dean, director, or department head. A USL coordinates with the Information Security Officer to implement the University's data security policies and procedures within the unit. Responsible for:

• promoting security awareness and good security practices
• attending data security awareness and training presentations, seminars, workshops and events
• disseminating information within the unit to raise awareness about information security issues
• participating the incident response process
• creating security risk assessments for locally stored data
• coordinating inventories of sensitive or critical information and information systems
• creating and maintaining business continuity plans for local systems
• assisting in the implementation of corrective actions resulting from audits or an incident report
• documenting unit security standards and plans
• participating in audits of user security, at least annually
• notifying the appropriate data steward of changes in personnel or job functions that result in changes to user access

Deans, Directors, Department Heads

Deans, Directors, and Department heads are responsible for appointing Unit Security Liaisons and for validating user security roles within their unit, at least annually.

Information Security Officer

The Information Security Officer (ISO) is the individual, assigned to the Business Intelligence and Technology Solutions (BITS) department, responsible for developing and maintaining procedures for promoting security and uninterrupted service for University Enterprise Data Repository (EDR). The ISO works cooperatively with the Data Stewards, Functional Owners, Data Custodians, and other University security teams to implement and maintain appropriate data security controls over data contained within the EDR. The ISO identifies and addresses exposures to accidental or intentional destruction, disclosure, modification, or interruption of information that may cause serious financial and/or information loss to the University. Responsible for:

• keeping informed of new laws, rules, and regulations affecting data security and applying those concepts to the EDR
• ensuring security requirements defined in service level agreements are met
• creating and maintaining key performance indicators (KPIs) for data security
• developing and implementing security plans to ensure the protection of enterprise data within source systems and any derivative systems
• implementing security policies and good practices within the EDR
• establishing a framework for data security
• ensuring the implementation of the data classification scheme as defined by the Stewardship Council
• coordinating data security orientation and awareness programs
• managing the Unit Security Liaison (USL) program for data security – including the periodic review of access
• implementing tools to ensure data security policy and procedures are being applied and that appropriate audit controls are in place
• auditing security request for fulfillments, performed by BITS, for accuracy and timeliness
• conducting risk assessments of data and systems containing them
• coordinating data security efforts with the University's Internal Auditor
• acting as an internal resource on information security issues

Information Architecture Team

The Information Architecture team, housed within the Business Intelligence and Technology Solutions (BITS) department, cooperatively works with the University community to maintain an Enterprise Data Warehouse environment (EDW) and operational data stores (ODS) that collects, structures, and delivers University data to support timely decision-making.

Knowledge Management Team

The Knowledge Management Team, housed within the Business Intelligence and Technology Solutions (BITS) department, cooperatively works with the University community to map and create solutions to support the University's need for enterprise knowledge.

Information Technology Security Incident Response Team (ITSIRT)

The Information Technology Security Incident REsponse Team (ITSIRT) includes technology and functional specialists from various disciplines who are brought together during an IT security incident to investigate contain, eradicate, recover, and perform follow-up.

III. Definitions

Data Administration -- The function of applying formal guidelines and tools to manage the University's information resources is termed data administration. Responsibility for data administration activities is shared among the Data Stewards, Functional Owners, Data Custodians, and the Information Security Officer. Where data is shared among systems, the Information Security Officer will document the process and identify the responsibilities for data administration.

Data Definition -- Data Stewards and Functional Owners provide data descriptions so that Data Users know what shareable data are available, what the data mean, and how to access and process the data. These descriptions about the data are referred to as data definitions and sometimes called metadata. Data definitions may be stored in an integrated or complementary database known as a Metadata Repository. Data definitions should be based on actual usage, documented and modified only through procedures established by the Data Stewards, and periodically reviewed for currency.

Data Integration Model – Business Intelligence and Technology Solutions collaborates with Data Stewards, Functional Owners, and Data Custodians to establish and maintain a university-wide Data Integration Model that describes all major data entities of the EDR and the relationships among those data entities. Included in the model are the linkages among data collected or maintained by the various organizational units of the university.

Data Security Administration -- The function of specifying, implementing, and maintaining access control to ensure that Data Users have the appropriate authorized access needed to perform assigned duties or to fulfill university roles. Data Stewards, Functional Owners, Data Custodians, Unit Security Liaisons, and the Information Security Officer share responsibility for security administration activities.

Enterprise Data Repository (EDR) – An aggregate collection of data stored in different database management systems forming a single logical University resource. Individual units or departments have stewardship responsibilities for portions of the data contained within the EDR.

Enterprise Data Warehouse (EDW) -- A query-only database containing historical point-in-time data and summary information from University operational systems. The Enterprise Data Warehouse is used to support business analysis and decision-making.

Metadata Repository -- A database system containing descriptive information about the University's enterprise data. The repository provides the definitions for data contained within the Enterprise Data Warehouse.

Last Review: July 2013