Data Stewardship
A New Model for Managing Data Security and Privacy
About us
Judith House, Associate University Information Security Officer, Office of Information Services, Georgetown University
Heidi Wachs, Director of IT Policy/Privacy Officer, Office of Information Services, Georgetown University
About Georgetown University
- Private, mid-size, ~16,000 students.
- Oldest Catholic and Jesuit university in the U.S.
- Includes undergraduate, graduate and professional (Medical and Law) schools.
- Hybrid of centralized and distributed IT models.
“The Event”
- GU suffered a loss of ~38,000 unique SSNs in January 2008.
- Creation of a Data Security Task Force to centralize and coordinate the response.
- Decision to use the breach as impetus to focus on information security, including an enhanced data stewardship model.
The Aftermath
- Identification of repositories of PII.
- Appropriate measures for protection of PII (short and long term).
- Development of immediately required policies.
- Revision of the Data Stewardship model at GU.
- Creation of a University Reporting Center strategy.
- Review of all technology policies.
What do we have and where is it?
- Preliminary effort:
  - Subcommittees and working groups identified ‘all’ systems and data repositories.
  - All members of the university with data repositories were asked to complete a survey describing the data, its handling, protection and distribution.
  - Over 700 separate repositories, 400 of them containing SSNs, were identified and described.
Data Stewardship
- Data stewardship is the architecture by which the University defines responsibility for the management and protection of its data in a manner consistent with the University’s need for access and security.
Why Do We Need a Data Stewardship Architecture?
- The Data Stewardship Architecture provides a framework within which the University can manage and protect data.
- There is a steadily increasing need to manage and control PII and other sensitive data, based on changes to law, policy, and regulations that affect the University.
- In view of the enhanced focus on appropriate management of security and access with regard to University data, it is critical that a published and consistent structure exist to support these efforts.
Principles of Stewardship
- Data Stewardship is the responsibility of University and Campus Executive Officers.
- Stewardship is based on the functional area which is primarily responsible for the data, rather than on the systems where it is stored.
- Each item of data must have one and only one steward. Stewardship of an item of data cannot be shared.
Principles of Stewardship Cont.
- Specific responsibility for all data shall be defined and formally documented.
- Where there is crossover, the core/descriptive data is owned by the primary functional area. The transactional data itself is, or may be, owned by the “receiving” steward.
- Where data resides in non-enterprise systems, it falls under the stewardship of the Steward(s) whose data was used to provision the system.
Principles of Stewardship Cont.
- Non-enterprise data stores compiled independently fall under the stewardship of the Data Steward for the relevant functional area.
- Data Stewards retain responsibility for distributed data.
- Faculty are considered the Stewards of their research and course materials.
- Students are considered the Stewards of their own academic work.
- The term Steward as used here does not imply ownership in any legal sense, for example, as holder of a copyright or patent.
Who Stewards the Data?
Data Steward
- University or Campus Executive Officer or the senior direct report of such an Officer, with planning and policy-level responsibilities for data in one or more functional areas, whose responsibilities include classification of data, as well as secure management of and authorization for access to data in the functional area.
Stewardship Administrator
- Direct report of the Data Steward, who on behalf of the Data Steward assumes specific administrative duties in support of the work of data stewardship.
Data User
- Every individual who possesses or has access to University data, either electronically or otherwise. Every individual in a stewardship role is also a data user.
What do the Data Stewards Do?
- Classify data under their stewardship as Confidential, Internal Use Only, or Public.
- Authorize and de-authorize access to data under their stewardship:
  - Based on the principle of least privilege.
  - In a manner that supports individual accountability for user activity.
  - Ensuring that each authorized user has read and signed the Confidentiality Agreement.
What do the Data Stewards Do? Cont.
- Authorize the relevant Reporting Centers to create, distribute and dispose of data in extract form.
- Promote data resource management for the good of the university.
- Educate the user community in appropriate management of University data.
- Maintain a thorough understanding of the data in their functional area.
Stewardship Administrator Responsibilities
- Perform specific administrative functions related to data stewardship.
- Maintain a thorough understanding of the data in their functional area, including its appropriate classification under the University’s Information Classification Policy.
- Understand and ensure compliance with procedures for the protection, creation, retention, distribution and disposal of information under their stewardship, as established by the OISPO and UISO.
Data Classification
- The initial challenge is to identify the data to be classified by area.
- Begin with the major enterprise system data dictionaries for the target functional area.
- Identify and classify the core systems data.
- Once the core data is defined and classified, review your inventory to identify relevant data in other repositories.
Standards for Confidential Information
- Information must be classified as Confidential if:
  - Its use, storage, or distribution is governed by law, policy, or regulation.
  - Unauthorized disclosure could result in significant legal, financial, reputational, or other adverse impact upon the University.
  - Unauthorized release represents risk to the University.
Regulated Data
- Its use, storage, or distribution is governed by law or regulation:
  - Protected by laws such as FERPA, GLBA, HIPAA/HITECH, and state and local information breach laws.
  - Classified as Secret, Top Secret, or otherwise restricted by a government agency.
  - Legally protected human resource and financial information.
  - Legal documents.
Adverse Impact
- Unauthorized disclosure could result in significant legal, financial, reputational, or other adverse impact upon the University:
  - Information for which the University is contractually obligated to maintain confidentiality.
  - Intellectual property owned or managed by the University.
  - Research information which may have financial or reputational impact.
  - Donor information.
Risk to the University
- Unauthorized release represents risk to the University:
  - Information which, if released, has the potential to compromise the physical security of the University.
  - Building, computing, and infrastructure design information.
  - DPS case information.
  - System passwords, documentation, and other information which might lead to unauthorized exposure of University information.
Internal Use Only
- Information must be classified as Internal Use Only if:
  - It is in the University’s best interest to ensure that the information is not disclosed outside the University.
  - Contract information.
  - Internal memos, documents, and notes.
  - Work products not classified as Confidential.
Public Information
- Information must be classified as Public if:
  - It can be freely disseminated to anyone without risk to the University.
  - It may be published on generally available public web sites.
- Examples:
  - Press releases
  - Course schedules
  - Event calendars
  - Information regarding admissions requirements
  - Information regarding academic programs
Access Authorization
- Access to University data is a privilege authorized by the Data Stewards.
- Data Steward authorization formally defines, for each individual and class of individuals, what University data may be accessed, viewed, modified, deleted, or reported, based on the individual’s legitimate business requirements.
Basis for Authorization
- The “principle of least privilege”:
  - Each individual’s privileges shall be limited to only that which is necessary for performance of the individual’s duties.
- “Need to know”:
  - Each individual’s access to data shall be limited to only that which is necessary for performance of the individual’s duties.
- The individual’s role within the organization is the key determinant for defining access.
Basis for Authorization Cont.
- Supportive of individual accountability for access and transactions.
- Contingent on the existence of a signed University Confidentiality Agreement.
University and Campus Reporting Centers
- PROBLEM:
  - How can Data Stewards realistically remain accountable for distributed data?
- SOLUTION: University and Campus Reporting Centers
  - A limited number of ‘data spigots’ distributing data.
  - A formal structure provides clear accountability for uses of PII and other Confidential University Information.
  - Tracking and auditing mechanisms in place for distributed PII.
What’s a Reporting Center?
- A formal organization structured for the purpose of managing the use and distribution of PII and other confidential information.
- Solely empowered to create data extracts and reports containing PII.
- Authorized by Data Stewards for extensive access to data across systems.
Purpose of University and Campus Reporting Centers
- Chartered to:
  - Create and execute reports across systems and areas of stewardship.
  - Create and execute reports requiring access to Personally Identifiable Information (PII).
  - Create and manage data extracts.
  - Support complex reporting requirements through in-depth knowledge of multiple domains.
Purpose of University and Campus Reporting Centers Cont.
- Support the work of the Data Stewards in managing the use and distribution of University data.
- Ensure that appropriate authorizations and controls are in place for the distribution of PII and confidential information, both within the University and externally.
- Improve the quality of reporting throughout the University.
- Aggregate scarce technical resources in support of reporting.
Reporting Center Roles
- University or Campus Reporting Center Executive Sponsor
  - A University or Campus Executive with functional responsibility in the areas relevant to the Reporting Center.
- University or Campus Reporting Center Manager
  - Individual responsible to the Executive Sponsor for the work of a University Reporting Center, formally tasked with ensuring that the Center meets the institution’s needs for reporting on an ongoing basis.
- University or Campus Reporting Center Analyst
  - Individual formally assigned to a Reporting Center and tasked with meeting the institution’s needs for reporting on an ongoing basis.
Reporting Centers and Data Stewards
- Significantly limits the number of sources able to extract, report, and distribute PII.
- Trained staff, with formal responsibility (as described in Position Descriptions) for the secure handling of PII and Confidential Information.
- Audit capability for distributed PII.
- Consolidates scarce resources.
- Training and Certification requirements help ensure quality control.
University and Campus Reporting Center Scope
- Solely authorized to produce and distribute data extracts.
- Data users other than Reporting Center staff are explicitly not permitted to create extracts for distribution or repurposing, or to create or maintain data stores containing Confidential information.
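The classification standards, the basis for authorization and the Reporting Center scope described above can be checked mechanically against a data inventory. The audit below is an added example written for this page, not part of the presentation or any Georgetown tooling; the flag names, the sample inventory and the access grants are constructed for illustration.

```python
from dataclasses import dataclass, field
# Attributes that trigger the deck's three "must be Confidential" standards (assumed names)
CONFIDENTIAL_FLAGS = {"regulated", "contractual", "intellectual_property", "security_sensitive"}
@dataclass
class DataItem:
    name: str
    stewards: set                   # functional-area stewards claiming the item
    classification: str             # Confidential, Internal Use Only, or Public
    flags: set = field(default_factory=set)
@dataclass
class AccessGrant:
    user: str
    item: str
    authorized_by: str              # steward who approved the access
    signed_agreement: bool          # signed University Confidentiality Agreement
    creates_extract: bool = False   # grant allows producing extracts or reports

def audit(items, grants, reporting_center_staff):
    """Return findings that violate the stewardship model; an empty list means compliant."""
    findings, by_name = [], {i.name: i for i in items}
    for it in items:
        if len(it.stewards) != 1:   # one and only one steward per item of data
            findings.append(f"{it.name}: {len(it.stewards)} stewards, exactly one required")
        hits = it.flags & CONFIDENTIAL_FLAGS
        if hits and it.classification != "Confidential":
            findings.append(f"{it.name}: {sorted(hits)} data classified {it.classification}")
    for g in grants:
        it = by_name[g.item]
        if g.authorized_by not in it.stewards:   # only the item's steward may authorize access
            findings.append(f"{g.user}: access to {g.item} authorized by non-steward {g.authorized_by}")
        if not g.signed_agreement:               # access is contingent on the signed agreement
            findings.append(f"{g.user}: access to {g.item} without signed Confidentiality Agreement")
        if g.creates_extract and g.user not in reporting_center_staff:
            findings.append(f"{g.user}: may extract {g.item} but is not Reporting Center staff")
    return findings
def run_sample():
    # Constructed sample inventory and grants, not Georgetown's actual data
    items = [
        DataItem("student_ssn", {"Registrar"}, "Confidential", {"regulated"}),
        DataItem("donor_list", {"Advancement", "Alumni Relations"}, "Confidential", {"contractual"}),
        DataItem("building_plans", {"Facilities"}, "Internal Use Only", {"security_sensitive"}),
    ]
    grants = [
        AccessGrant("alice", "student_ssn", "Registrar", True),
        AccessGrant("bob", "student_ssn", "IT Operations", True),
        AccessGrant("carol", "student_ssn", "Registrar", False, creates_extract=True),
        AccessGrant("dana", "donor_list", "Advancement", True, creates_extract=True),
    ]
    return audit(items, grants, reporting_center_staff={"dana"})
```

On the sample data the audit reports five findings: the shared stewardship of the donor list, the under-classified building plans, an access grant approved by a non-steward, a grant without a signed agreement, and extract rights held outside a Reporting Center.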
University and Campus Reporting Center Scope Cont.
- Create reports across systems and provide reporting services to multiple offices.
- Specifically dedicated to enterprise reporting in support of:
  - Compliance reporting
  - Critical processes
  - Cross-functional processes
Implementing the Data Steward Model
- Gather University stakeholders (as many as you can).
- Find out what you have and where it is stored.
- Identify the categories of data for which stewards must be identified.
- Plan and create the necessary support for their work:
  - Data dictionaries, classification standards, authorization procedures.
- Engage the senior executives in each functional area to appoint appropriate stewards.
- Create a working group for the Data Stewards.
- Begin the Classification process.
Contacts
Heidi Wachs, [email protected]
Director of IT Policy/Privacy Officer
Judy House, [email protected]
Associate University Information Security Officer