Utah Valley University
Policies and Procedures
|Title||Processing and Control of Distributed Administrative Data||Number||450|
|Section||Facilities, Operations, and Information Technology||Approval Date||Oct 09,2008|
|Subsection||Information Technology||Effective Date||Oct 09,2008|
- While most administrative data reside on hardware maintained by the Office of Information Technology (OIT) and are managed by the Data Management Group, some data reside in and are managed by other university departments. Given the critical nature of administrative data, it must be managed in a consistent, secure manner across the entire institution. The purpose of this document is, therefore, to define requirements that must be met by any and all departments that have or will have management responsibility for administrative data.
of Regents Policy R345 Information Technology Resource
Policy 135 Use of Copyright Materials
- UVU Policy 445 Institutional Data Management and Access
Data meeting any of the following criteria if:
- at least two administrative operations of the institution use the data and consider the data essential;
- integration of related information requires the data;
- the institution must ensure the integrity of the data to comply with legal and administrative requirements for supporting statistical and historical information externally;
- a broad cross section of users refers to or maintains the data; or
- the institution needs the data for strategic planning
- Data Custodian: An individual directly responsible for creating, maintaining, and using
data to support the university's operation and its information needs.
- Data Steward: A
senior university official who has planning and policy-level responsibility for
data within their functional areas.
Application Committee (EAC): The
management group for enterprise data and data systems which includes all of the
data stewards or their designee.
Application Management Team (EAMT): A team made up of data custodians.
- Malware (also known as Malicious Software): Software designed to infiltrate or damage a computer system without the owner's informed consent.
- Open Access to
- Information maintained by the institution is a critical asset that should be available to all who have a legitimate need for it.
- Any department that is responsible for managing
administrative data in a distributed computing environment must do so
consistent with EAC approved processes for accessing data. Departments must
follow all relevant stipulations in UVU Policy #445 Institutional Data Management and Access. Departments must provide
unimpeded access to the administrative data it manages, to facilitate appropriate
levels of access, while properly securing the information.
- Compliance with the Institutional Data
Management and Access Policy
- Department heads assuming technical responsibility for
administrative data serve on the Enterprise Application Committee (EAC) and
must ensure their department fully complies with all data policies and
procedures developed and/or endorsed by the EAC.
- To enhance the ease with which administrative data can be understood and used across the institution, the EAMT will develop and maintain a standard method for naming and defining data (see the OIT Data Naming Standards document for details, available from the Office of Information Technology). While purchased application databases already have data names and definitions established, department managers shall ensure all custom-developed databases follow the EAMT standards.
- Physical Security of Hardware
department, which assumes responsibility for administrative data, must ensure
that the computing systems housing the data are physically secure. Areas to
- Environmental factors - the equipment should be protected from excessive heat, cold, humidity and dryness. Alarms should exist to warn of thresholds being exceeded.
- Power surges - the equipment should be protected against electrical interruptions or voltage spikes and surges.
- Protection against smoke, fire and water damage should be accomplished with smoke detectors and/or fire extinguishers, air-tight computer rooms for containment of fire suppression gas, air filters, and water sensors. Alarms tied to the institution and city police departments should be installed.
- Access controls - the equipment should be properly locked up, with no vulnerabilities from drop ceilings, raised floors or ventilation ducts. In addition, glass windows should not exist, or should be opaque. A log of accesses by personnel should be kept.
- Backups should be moved offsite. A fireproof vault should exist if backups remain onsite. The offsite storage location should be maintained and managed in a secure way appropriate for the storage of institutional data.
- The history of theft and vandalism in the buildings of the immediate vicinity should be considered, and appropriate measures should be taken to counteract the risks.
disaster recovery plan should exist and drills should be conducted on a regular
basis. Offsite documentation should exist, and key personnel should be
cross-trained to handle an emergency.
- System Controls and Ability to Audit
of the factors that need to be considered before a department assumes
responsibility for administrative databases are:
- back-up and contingency functions should comply with established standards;
- physical and data security specifications need to be met;
- controls over the development and maintenance of applications should comply to established standards;
- adequate change controls over movement of new or modified software and hardware need to be defined and implemented;
- documentation standards should be uniform and enforced;
- the vulnerability of the applications environment to malware should be determined;
- compliance with institutional policy on copyright violations should be enforced;
- the data stewards and data custodians must have a strong commitment to maintain and improve the systems under their control; and
- the responsible department must have a strong
commitment to maintain and improve the systems under its control.
- Segregation of Duties
- Segregation of duties is an important disciplinary control. An analysis of the potential risk of mistakes, and even possible fraud, can justify the segregation of duties, even when it is inefficient. Segregation of duties can serve to deter fraud or to reveal gross incompetence, since it is necessary to get another individual's cooperation. Collusion may be less likely than the possibility of fraud where one person is acting alone.
of the factors involved in segregation of duties are:
- independent authorization for changes made to the data;
- persons responsible for system changes or operation of the system should not have responsibility for entering transactions;
- reconciliation of the data should be performed by a person other than the person entering the data; and
- the data steward of the system, or his/her designee, should authorize all changes to the programs or execution of the programs.