Data Steward
A data steward is an individual within the University who is the primary institutional authority for a particular date set and who is principally responsible for the management and security of that data set across the institution.
The success of the University's information security and risk management efforts depends upon the support and action of the University's data trustees and data stewards. Data trustees direct institutional data use to support the University's missions and strategy. Data stewards establish the requirements for appropriate management of University information.
Guidance for data stewards
As a data steward, you have an operational perspective of data management and governance at the University. You are the institution's primary authority for one or more data sets and are actively involved in the management—including the acquisition, utilization, maintenance, access, and protection—of that data. Your responsibilities include establishing policies, procedures, and guidelines for those data sets.
Characterizing data sets
A data set, generally speaking, is a collection of related data used for a University purpose. As a data steward, you are the institution's authority for one or more data sets, which you may make available for access and use across the University.
In order to ensure the consistent and appropriate management of these data sets, you are responsible for characterizing and classifying these data sets according to the University Information Classification Policy.
Where responsibility for a data set overlaps the functional areas of multiple data trustees or data stewards, the Council for Data Governance will resolve disputes.
When characterizing the data sets within your stewardship, consider the following:
- The elements (types of data) contained in the data set.
- The University purposes for which the data sets are used.
- The ways in which different processes may use the same data set.
The following are examples of data sets, including their characterizations and the elements they may contain:
- FAFSA data
- Social Security number
- Federal tax returns
- Bank statements
- Proof of address
- PHI/ePHI
- Personally identifiable medical history
- Diagnosis and treatment records, including dispensary records
- Test and laboratory results
- Insurance information
Classifying data sets
Once you have characterized the data sets within your stewardship, you must classify them according to the University information classifications established by the University Information Classification Policy. These classifications are based on the confidentiality risks related to that data. A data set's collective classification must be at least equal to the highest classification of any individual element. For example, a data set containing some Level II elements and some Level III elements would be a Level III data set.
The following are examples of data sets:
- FAFSA data (Level III)
This data set contains information with high confidentiality concerns and therefore a high potential impact on the University and other stakeholders if it is disclosed in an unintentional, unlawful, or unauthorized manner. Examples of Level III elements include Social Security numbers and financial account information. - PHI/ePHI (Level III)
Protected Health Information (PHI) is classified by the University Information Classification Policy as Level III information due to its legal and regulatory requirements and its high potential impact on the University and other stakeholders if it is disclosed in an unintentional, unlawful, or unauthorized manner. - Facilities maintenance data (Level II)
This data set contains information with moderate confidentiality concerns and therefore a moderate potential impact on the University and other stakeholders if it is disclosed in an unintentional, unlawful, or unauthorized manner. It contains official business information that does not need to be disclosed to the public but that does not necessarily warrant strict protection. - Event schedules (Level I)
Event schedules are public by default and have limited or no potential impact on the University or its stakeholders if they is disclosed in an unintentional, unlawful, or unauthorized manner. There is very little risk involved in making this data available to the public, and most such data is intended to be public.
Statement of Data Requirements (SDR)
Each data steward issues a Statement of Data Requirements to formally characterize, classify, and define the protection requirements for the data sets within their stewardship. IT will develop and maintain a University data dictionary based on the SDRs submitted by all data stewards.
Tools
Secure UD Data Steward Guide
Assists data stewards in characterizing, classifying, and setting protection requirements for the data sets within their stewardship.
Defining protection requirements for data sets
The policies and security controls defined by Secure UD serve as a baseline for the University as a whole. They are based on the best practices and requirements that affect all of the University's IT resources.
You may endorse the security standards and controls established in the Secure UD Data Governance & Security Program (Secure UD DGSP) as the official set of requirements for the data sets within your stewardship. To do so, include in your Statement of Data Requirements (SDR) a statement of endorsement of the Secure UD DGSP. Guidance, an SDR template, and sample wording are provided in the Secure UD Data Steward Guide.
If the data sets within your stewardship have particular concerns not addressed by the Secure UD DGSP or by existing policies, you may choose to develop additional standards and guidelines specific to that information.
Tools
Secure UD Data Steward Guide
Assists data stewards in characterizing, classifying, and setting protection requirements for the data sets within their stewardship.
Responsibilities according to policy
Data stewards' primary data governance and information security responsibilities include:
University Data Management and Governance Policy
- Overseeing the informational quality, effectiveness, usability, strategy, and security of the University information within their stewardship.
- Establishing definitions of the data sets within their stewardship.
- Developing and promulgating data management standards and guidelines to ensure the confidentiality, integrity, availability, and usefulness of University information within their stewardship.
- Ensuring that University information within their stewardship is managed according to legitimate interests and operational requirements and in a manner that ensures the privacy and security of that University information.
- Developing and publishing standards and guidelines for access to University information within their stewardship.
- Reviewing and approving uses or proposed uses of University information within their stewardship.
- Authorizing the creation of shared data repositories containing University information within their stewardship and assigning custodianship responsibilities for those shared data repositories.
- Authorizing the access of individual end users to University information within their stewardship.
- Auditing at least annually the authorized access to University information within their stewardship.
University Information Security Policy
- Requiring the implementation of reasonable and appropriate security controls to protect the confidentiality, integrity, and availability of IT resources within their stewardship.
University Information Classification Policy
- Classifying University information within their stewardship according to the three University information classifications:
- Level III—High Risk Information
- Level II—Moderate Risk Information
- Level I—Low Risk Information
- Periodically reviewing and updating the classifications assigned to University information within their stewardship.
- Reporting to IT the classifications of University information within their stewardship.
