Roles and Responsibilities
The success of the University's information security and risk management efforts depends on a data governance framework that establishes the roles and responsibilities for managing University information. Accountability for IT resources and their security drives ownership of information security and risk management issues and creates an institutional context for management efforts.
The roles and responsibilities for information security at the University are defined by policy, including:
- the University Data Governance Policy
- the University Information Security Policy
- the University Information Classification Policy
- the Secure UD Data Governance & Security Program.
Information security is a shared responsibility, and everyone has a part to play in protecting IT resources.
Because the University encompasses many units with diverse administrative, operational, and technical needs, the allocation of security roles may vary across units and functional areas. The data governance framework has the flexibility to accommodate this diversity. Roles and responsibilities established by the framework should be fulfilled by appropriate individuals based on their unit's or functional area's specific needs.
You may fulfill more than one role depending on your other job responsibilities.
All employees are end users in addition to whatever other roles they may fulfill.
Use the information and links below to learn more about the University's data governance and information security framework, including your role(s) and responsibilities for protecting the University and yourself.
University-wide coordination roles
The following roles coordinate and manage data governance and information security efforts across the University.
The University council responsible for overseeing the appointment and action of data stewards for each of the University's functional areas.
An executive officer of the University with the highest level of strategic planning and policy-setting authority and responsibility for a functional area.
An individual within the University who is the primary institutional authority for a particular data set and who is principally responsible for the management and security of that data set across the institution.
Data Management Advisory Committee (DMAC)
The University council responsible for coordinating data quality, effectiveness, usability, and strategy efforts and monitoring and recommending necessary data management actions to the University. It is chaired by the Associate Provost for Institutional Research and Effectiveness and includes delegates as may be appointed from time to time by data trustees and/or the chair.
The University council responsible for coordinating information security and risk management efforts and monitoring and recommending necessary security actions to the University. It is chaired by the director of IT Security and includes delegates as may be appointed from time to time by data trustees and/or the chair.
A University entity or employee with operational responsibility to manage a shared data repository on behalf of a data steward.
IT has specific responsibilities pertaining to data governance and information security at the University.
Institutional Research and Effectiveness (IRE)
IRE assists data trustees and data stewards with data management and helps coordinate institutional data use and strategy.
Unit implementation roles
The following roles implement data governance and information security at the unit level.
A University official with the highest level of authority over the day-to-day management or oversight of a unit's operation.
An individual or unit with primary responsibility for the installation, configuration, security, and ongoing maintenance of an IT device.
Any individual who accesses and/or uses IT resources.
Data governance overview
The above diagram illustrates how data governance roles interact at the institutional level.
University policy grants the President of the University, and his or her delegates, the highest degree of authority over the University's data governance framework.
The University's data governance and information security roles are arranged by functional area and unit to facilitate the coordination of data governance and information security efforts.
- Each functional area has a data trustee who holds ultimate strategic and policy-setting authority for that functional area.
- Each data set has a data steward who establishes the policies and procedures for managing and securing the data sets within his or her stewardship.
- Each unit has a unit head who is responsible for managing the unit's use of University information.
- The individuals who use data are end users.
The University, as an organization, owns all University information.
Organizing and leading the University's data governance efforts are the University's executive officers. As the University's data trustees, these individuals are ultimately accountable for the strategic use of University information and for overseeing its stewardship. Each data trustee is accountable for the data for which his or her functional area is principally responsible.
Each data trustee appoints a data steward for each data set within his or her jurisdiction. Data stewards are operational experts on those data sets and understand the value of the data and how it is used across the institution. They are actively engaged in the acquisition, utilization, maintenance, access, and protection of University information to ensure that it is suitable to support institutional missions and strategies.
Each data steward establishes standards and guidelines for the data sets within his or her stewardship. These standards apply to that University information wherever it exists, even across functional areas.
Data stewards set management requirements for data.
In the course of fulfilling University missions, each functional area uses many kinds of University information, including some University information from that functional area and some from other functional areas.
Data trustees are ultimately accountable for ensuring that their functional areas adhere to appropriate data management practices for all University information and other IT resources in use by their units.
Every unit head is primarily responsible for ensuring his or her unit's compliance with University policies, including data management policies.
Every end user of IT resources, including University information, has a responsibility to appropriately manage and protect those IT resources.
All University information must be managed according to the requirements set for it by the respective data steward.
Data governance committees
To coordinate University-wide data governance and security efforts, University policy establishes two data governance committees:
- The Council for Data Governance (CDG)
- The Data Security Advisory Committee (DSAC)
The CDG is an executive-level committee formed by the President to identify and organize the University's functional areas and data trustees. Initially, the CDG defines the University's functional areas and appoints a data trustee for each one. From that point forward, it ensures institutional accountability for data management by assisting data trustees in coordinating and executing their governance responsibilities.
The DSAC is an operational committee chaired by the director of IT Security. It is composed of delegates as appointed at the discretion of data trustees and/or the chair. The DSAC is tasked with coordinating the University's information security and risk management efforts across functional areas. It facilitates collaboration between data stewards to establish and enforce consistent and effective requirements for University information.
The CDG and DSAC collaborate to promote and improve the confidentiality, integrity, and availability of University information. The DSAC monitors legal, regulatory, and technological developments for relevance to the University. Based on relevant developments and the initiatives of the data stewards, it then provides recommendations to the CDG for follow-up as necessary.
University policy also establishes a third data governance committee, the Data Management Advisory Committee (DMAC), which is concerned with data management in the context of the quality, informational effectiveness, strategic value, and usability of data.