Title: UC Berkeley
1 UC Berkeley Business Officer Institute
Data Integration
Helen Kelly, COIS DSC
Jill Martin, COIS/OPA - DSC
July, 2003
2 Business Officer Institute Taking Control and Loving IT Data Integration
Presentation Objectives
What we will be covering
- Campus data integration commitment and efforts
- Information as an asset
- Roles and responsibilities
- Data Classifications and Risk Assessment
- Best Practices
3 Data Integration Overview
Chancellor's Initiative 2001
Data Stewardship Council (DSC)
DSC Projects
4 Chancellor's Initiative
Chancellor's Initiative recognizing the need for data integration in order to further:
- Improve central campus response to departments' data needs
- Address inconsistent rules regarding data
- Address problem of poorly defined data
- Address issues of missing data
- Reduce data duplication across systems
- Assess campus risk associated with data
- Develop an integrated and collaborative data environment
A Data Integration Working Group was formed in 2001 to develop a plan for moving forward.
5 DSC Current Activities
Data Stewardship Council Activities
- Current
  - Data Integration Projects
    - Student Data Warehouse Prototype (currently under development)
    - Sponsored Projects Office and Extramural Funds Accounting
    - Facilities and Spatial Data Integration (FASDI) http://fasdi.vcbf.berkeley.edu/
  - Campus Data Management, Use, and Protection Policy
  - Inventory of Locally Administered Data Systems (LADS)
- Upcoming
  - Enterprise Data Dictionary
  - Policy Implementation and Education
- http://dataintegration.vcbf.berkeley.edu/
6 IA Management and Use
Information Asset
Information (Data) is a valuable campus asset that must be managed and protected as such.
Information Asset Management and Use
Data integrity and integration throughout the University are requisites for organizational effectiveness and efficiently managed resources.
7 Financial Management/Information Management
Asset Management
Financial Assets
- Ensure appropriate staff training
- Developing and adhering to procedures to ensure compliance with applicable laws, regulations, and policies
- Providing adequate explanations and documentation
- Establish monitoring controls
- Identifying unauthorized transactions
- Providing adequate safeguards to protect against loss or unauthorized use (e.g. Separation of Duties)
Information Assets
- Ensure appropriate staff training
- Developing and adhering to procedures to ensure compliance with applicable laws, regulations, and policies
- Develop and maintain data dictionaries
- Inventory data systems and establish access and security procedures
- Monitor data system activities
- Providing adequate safeguards to protect against loss or unauthorized use (e.g. Separation of Duties)
8 Relevant Laws, Regulations, and Policies
Users of campus data resources are responsible for familiarizing themselves with and complying with all UC Berkeley policies, guidelines, standards and procedures relating to information privacy and security.
Relevant Policies
- Controls Initiative Guide to Administrative Responsibilities
- UC BF Bulletin Records Management Program (RMP) Series
- UC BF Bulletin Information Systems, IS-3
- UC Berkeley Data Management, Use, and Protection Policy (Draft)
- Berkeley Campus IT Security Policy
- Interim E-Berkeley Policy
- Berkeley Campus Departmental Security Contact Policy
- Guidelines and Procedures for Blocking Network Access
- SB 1386
9 UCB Data Management, Use, and Protection Policy (Currently being developed by the Data Stewardship Council)
- Complies with federal and state law, University of California and Berkeley campus policies. Interprets and further implements aspects of UCOP RMPs and IS-3
- Applies to all campus data, in any form of communication or presentation (e.g. data file, document, email, website)
- Defines campus data management roles and responsibilities
10 UC Berkeley Data Access and Security Policy cont. (Currently being developed by the Data Stewardship Council)
- Establishes principles, guidelines, standards, and campuswide procedures for data management and use
- Promotes the use of best practices across the campus
- Contributes to the further development of an integrated and collaborative data environment for the Berkeley campus
11 Roles and Major Responsibilities
- Administrative Official
- Data Proprietor
- Data Custodian
- Data Integrator
- User
- Office of Record
- System of Record
12 Roles and Major Responsibilities
- Administrative Official
  - Is ultimately responsible for implementing campus requirements and guidelines, establishing local procedures, and promoting best practices for the management and use of data
- Data Proprietor
  - Has primary responsibility for determining the purpose and function of an essential data resource
- Data Custodian
  - Is the technical partner of the data proprietor and is responsible for the implementation of data systems and the technical management of data resources
(See Handout)
13 IA Management Practices
Information Asset Management: Classification of Data (From UC BF Bulletin IS-3)
- Sensitivity
  - Restricted
  - Unrestricted
- Criticality
  - Essential
  - Required
  - Deferrable
14 Classification of Data
Sensitivity of Data
- Restricted
  - Data that is considered sensitive to some degree
  - Personal
    - refers to any information that identifies or describes an individual, including but not limited to, name, social security number, medical history, and financial matters
  - Limited
    - refers to data whose unauthorized access, modification or loss could seriously or adversely affect the University or adversely affect the public. Or data that the Proprietor chooses to protect from general access or modification
15 Classification of Data
Sensitivity of Data
- Unrestricted
  - Access or modification is not restricted by law or University policy and is permitted by the Proprietor
  - Pertains to individuals and equates to non-personal information as defined in BFB RMP-8. Equivalent to public information in Federal Privacy Act and FERPA
16 Criticality of Data
- Essential
  - Failure to function correctly and on schedule could result in a major failure to perform mission-critical business functions, a significant loss of funds, or a significant liability or legal exposure
- Required
  - Performs an important function, but the operation of the campus could continue for some designated period of time without the function
- Deferrable
  - Campus could continue operation for an extended period of time without the information resource performing correctly or on schedule
17 Classification of Data
Summary Chart
18 Reduction of Risks through Preventative Measures and Controls
Risk Assessment
- Absolute security against all threats is unrealistic. A risk assessment should include:
  - The criticality of the information asset to business operations
  - The sensitivity of the data residing within or accessible through information systems
  - The cost of preventative measures and controls designed to detect errors or irregularities
  - The amount of risk that management is willing to absorb
19 IA Management Practices
Information Asset Management: Know What, Where, Who, and When
- What data do you have?
- Where is it?
- Who has access to it and do they know their responsibilities?
- When something goes wrong, what to do?
Have an Inventory
http://dataintegration.vcbf.berkeley.edu/
Email to jmartin1_at_uclink.berkeley.edu
20 Information Asset Management Practices
Information Asset Management Best Practices: Top Ten List
- Restrict use of restricted data
- Systems with restricted data should be managed by a System Administrator
- Choose key fields carefully
- Do not maintain actual data in a test environment when using restricted data
- Use caution when downloading restricted data
- Do not email restricted data
- Remember common-sense rules
- Consider data integration issues when designing new systems
- Maintain up-to-date data dictionaries
- Maintain appropriate physical security