Utah Valley University
Policies and Procedures
| Title | Processing and Control of Distributed Administrative Data | Number | 450 |
| Section | Facilities, Operations, and Information Technology | Approval Date | Oct 09, 2008 |
| Subsection | Information Technology | Effective Date | Oct 09, 2008 |
I. Purpose
- While most administrative data reside on hardware maintained by the Office of Information Technology (OIT) and are managed by the Data Management Group, some data reside in and are managed by other university departments. Given the critical nature of administrative data, it must be managed in a consistent, secure manner across the entire institution. The purpose of this document is, therefore, to define requirements that must be met by any and all departments that have or will have management responsibility for administrative data.
II. References
- Board of Regents Policy R345 Information Technology Resource Security
- UVU Policy 135 Use of Copyright Materials
- UVU Policy 445 Institutional Data Management and Access
III. Terms
- Administrative Data: Data meeting any of the following criteria:
- at least two administrative operations of the institution use the data and consider the data essential;
- integration of related information requires the data;
- the institution must ensure the integrity of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
- a broad cross section of users refers to or maintains the data; or
- the institution needs the data for strategic planning and operation.
- Data Custodian: An individual directly responsible for creating, maintaining, and using data to support the university's operation and its information needs.
- Data Steward: A senior university official who has planning and policy-level responsibility for data within their functional areas.
- Enterprise Application Committee (EAC): The management group for enterprise data and data systems which includes all of the data stewards or their designee.
- Enterprise Application Management Team (EAMT): A team made up of data custodians.
- Malware (also known as Malicious Software): Software designed to infiltrate or damage a computer system without the owner's informed consent.
IV. Policy
- Open Access to Data
- Information maintained by the institution is a critical asset that should be available to all who have a legitimate need for it.
- Any department that is responsible for managing administrative data in a distributed computing environment must do so consistent with EAC-approved processes for accessing data. Departments must follow all relevant stipulations in UVU Policy #445 Institutional Data Management and Access. Departments must provide unimpeded access to the administrative data they manage, to facilitate appropriate levels of access, while properly securing the information.
- Compliance with the Institutional Data Management and Access Policy
- Department heads assuming technical responsibility for administrative data serve on the Enterprise Application Committee (EAC) and must ensure their department fully complies with all data policies and procedures developed and/or endorsed by the EAC.
- To enhance the ease with which administrative data can be understood and used across the institution, the EAMT will develop and maintain a standard method for naming and defining data (see the OIT Data Naming Standards document for details, available from the Office of Information Technology). While purchased application databases already have data names and definitions established, department managers shall ensure all custom-developed databases follow the EAMT standards.
V. Procedures
- Physical Security of Hardware
- Any department that assumes responsibility for administrative data must ensure that the computing systems housing the data are physically secure. Areas to address include:
- Environmental factors - the equipment should be protected from excessive heat, cold, humidity and dryness. Alarms should exist to warn of thresholds being exceeded.
- Power surges - the equipment should be protected against electrical interruptions or voltage spikes and surges.
- Protection against smoke, fire and water damage should be accomplished with smoke detectors and/or fire extinguishers, air-tight computer rooms for containment of fire suppression gas, air filters, and water sensors. Alarms tied to the institution and city police departments should be installed.
- Access controls - the equipment should be properly locked up, with no vulnerabilities from drop ceilings, raised floors or ventilation ducts. In addition, glass windows should not exist, or should be opaque. A log of accesses by personnel should be kept.
- Backups should be moved offsite. A fireproof vault should exist if backups remain onsite. The offsite storage location should be maintained and managed in a secure way appropriate for the storage of institutional data.
- The history of theft and vandalism in the buildings of the immediate vicinity should be considered, and appropriate measures should be taken to counteract the risks.
- A disaster recovery plan should exist and drills should be conducted on a regular basis. Offsite documentation should exist, and key personnel should be cross-trained to handle an emergency.
- System Controls and Ability to Audit
- Some of the factors that need to be considered before a department assumes responsibility for administrative databases are:
- back-up and contingency functions should comply with established standards;
- physical and data security specifications need to be met;
- controls over the development and maintenance of applications should comply with established standards;
- adequate change controls over movement of new or modified software and hardware need to be defined and implemented;
- documentation standards should be uniform and enforced;
- the vulnerability of the applications environment to malware should be determined;
- compliance with institutional policy on copyright violations should be enforced;
- the data stewards and data custodians must have a strong commitment to maintain and improve the systems under their control; and
- the responsible department must have a strong commitment to maintain and improve the systems under its control.
- Segregation of Duties
- Segregation of duties is an important disciplinary control. An analysis of the potential risk of mistakes, and even possible fraud, can justify the segregation of duties, even when it is inefficient. Segregation of duties can serve to deter fraud or to reveal gross incompetence, since it is necessary to get another individual's cooperation. Collusion may be less likely than the possibility of fraud where one person is acting alone.
- Some of the factors involved in segregation of duties are:
- independent authorization for changes made to the data;
- persons responsible for system changes or operation of the system should not have responsibility for entering transactions;
- reconciliation of the data should be performed by a person other than the person entering the data; and
- the data steward of the system, or his/her designee, should authorize all changes to the programs or execution of the programs.

