A data trustee is an executive officer of the University with the highest level of strategic and policy-setting authority and responsibility for his or her functional area.
The success of the University's information security and risk management efforts depends upon the support and action of the University's data trustees and data stewards. Data trustees direct institutional data use to support the University's missions and strategy. Data stewards establish the requirements for appropriate management of University information.
Guidance for data trustees
As a data trustee, you have a strategic perspective of data management and governance at the University. You are primarily accountable for the governance of one or more data sets and are actively involved in discovering and pursuing strategic opportunities for the institution's data. Your responsibilities include identifying appropriate data stewards for the data sets within your purview; ensuring that those data sets support the University's missions; and ensuring that your functional area complies with applicable laws, regulations, and policies.
Certain tasks may be delegated to individuals who are knowledgeable about your functional area's missions, strategy, administration, operations, and data management practices.
As a data trustee, you are ultimately accountable for data at a strategic level and for your functional area's compliance with relevant laws, regulations, and policies regarding data management and security.
Data stewards are individuals within the University who are the primary institutional authorities for particular data sets and who are principally responsible for the management and security of those data sets across the institution. These individuals are operational experts in the University's data; they know the details of how it is acquired, utilized, maintained, accessed, and protected and are in the best position to establish policies and procedures for its management and security.
It is your responsibility as a data trustee to identify any data stewards within your functional area. These individuals will assist you in governing the data for which your functional area is accountable. Once you've identified your data stewards, you will oversee their data governance activities to ensure that the standards and guidelines they establish, as well as the data itself, are appropriate for the institution and its missions.
The Data Management Advisory Committee (DMAC) is the University council responsible for coordinating data quality, effectiveness, usability, and strategy efforts and monitoring and recommending necessary data management actions to the University.
The Data Security Advisory Committee (DSAC) is the University council responsible for coordinating information security and risk management efforts and monitoring and recommending necessary security actions to the University.
Each of these committees plays a vital role in facilitating the appropriate governance of University information. They are invaluable forums for discussing and improving the University's data governance practices.
You may be invited by the chairs of the DMAC or DSAC to appoint a delegate to participate in the respective committee on your functional area's behalf. Any delegate you appoint must be knowledgeable about your functional area's missions, strategy, administration, operations, and data management practices. Your delegate will be relied upon to provide insight into data management and security needs and assist in improving the University's data governance practices.
You are accountable for your functional area's compliance with the laws, regulations, and policies relevant to your operations and data. Your units must implement appropriate security controls to protect the IT resources they use or manage.
This requirement applies to all IT resources within your units. Your units are responsible for implementing security controls to protect not only those IT resources within their direct control but also the data they receive from other units.
Make clear to your units their responsibility to implement security controls and protect IT resources, and ensure that those security controls are routinely assessed and verified to be appropriate.
Responsibilities according to policy
Data trustees' primary data governance and information security responsibilities include:
- Appointing a data steward for each data set entrusted to their care.
- Overseeing data stewardship efforts for University information entrusted to their care.
- Being ultimately accountable for their functional area's compliance with policies, laws, regulations, standards, and guidelines for the appropriate management of University information.
- Coordinating the use of University information entrusted to their care in a manner commensurate with the University's strategic goals.
- Launching and supporting initiatives to improve the confidentiality, integrity, availability, and effectiveness of University information across the University.
- Appointing delegates to participate in the DMAC and DSAC.
- Defining risk tolerance related to security threats to University information entrusted to their care.
- Being ultimately accountable for the implementation of reasonable and appropriate security controls to protect the confidentiality, integrity, and availability of IT resources within their functional areas.
- Requiring annual assessments of security controls within their functional areas and reporting the results to IT.
- Requiring the appropriate classification of University information entrusted to their care.