Purpose: The expansion of our ERP system and web applications at Davenport University has created an environment where there is wider access to systems and to sensitive databases and information.
The purpose of this Policy is to provide general guidance on the protection of University data and information being processed by manual as well as automated systems and the protection of the records and reports generated by these information processing systems.
Policy: Information is a vital component of University operations, and it is important to ensure that persons with a need for information have ready access to that information. It is equally important to ensure that measures have been taken to protect sensitive information against accidental or unauthorized access, modifications, disclosures, or destruction, in order to ensure the security, reliability, integrity, and availability of information. In addition, federal and state laws assign legal responsibility for the correct and appropriate use of information in order to protect a person's right to privacy.
This policy sets forth the responsibilities for data and information security for all individuals and departments at Davenport University who access, process, or have custody of university data.
Roles and Responsibility:
Chief Information Officer
- The Chief Information Officer (CIO) is the university official responsible for overseeing the management of the University’s Information Technology Resources. The Chief Information Officer has the signature approval authority for the Administrative Data Management and Access Policy.
Data Trustee
- Data Trustees are the senior university officials (typically the level of Vice President) who have planning and policy-making responsibilities for university data. The Data Trustees, as a group, are responsible for overseeing the establishment of data management policies and procedures and for the assignment of data management accountability.
Data Stewards
- Data Stewards are the University directors (typically at the level of Controller, Registrar, or Director of Admissions) who oversee the capture, maintenance and dissemination of data for a particular operational area. Data Stewards are appointed by the respective Data Trustee. Data Stewards' responsibilities include the data management activities outlined in this policy and other activities that may be assigned by the Data Trustee.
Data Experts
- Data Experts are the operational managers in a functional area with day-to-day responsibilities for managing business processes and establishing the business rules for the production transaction systems. A Data Expert generally reports to a Data Steward.
Data Users
- Data Users are the individuals who access university data in order to perform their assigned duties or to fulfill their role in the university community. Data Users are responsible for protecting their access privileges for the proper use of the university data they access.
Data Management Group
- A university-wide group (typically composed of Data Stewards, Data Experts, and interested Data Users) which reviews data management activities and makes recommendations to Data Trustees. It is the responsibility of Information Technology to see that this group is convened and coordinated.
Information Technology Resource Management
- Information Technology Resource Management is a group within the Information Technology organization consisting of customer support specialists, security officers, database administrators and security specialists. This group works cooperatively with the Data Stewards and Data Experts to specify, implement, and maintain appropriate security controls and authorized access for Data Users.
Information Technology Security Officer
- The university official responsible for maintaining a plan for security policies and practices and for keeping abreast of security-related issues internally within the university community and externally throughout the information technology marketplace.
Access and Security Administration:
Data Access Philosophy - The value of data as a university resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, or unnecessary restrictions to its access.
Implementation of Security Controls - The Information Technology Resource Management group and the Data Stewards share security administration responsibilities by specifying, implementing, and managing system and data access controls. These two groups will work together to manage requests for user access and create user access profiles defined by a user's job description. Job descriptions should spell out each position's data access needs. Annual reviews of these processes and profiles will be done by the Data Stewards. Data Stewards may delegate specific security administration to their Data Experts as needed.
User Accounts
- Account management procedure must be followed
- All DU accounts must be accountable to an individual (no shared or generic accounts)
- Individuals will be held accountable for all actions performed using their account
- To the greatest extent possible, accounts associated with applications should be service accounts (accounts that do not permit individuals to log in)