Final Report and Matrix

Project Title: Communication Action Matrix
Introduction
In June 2007, the University discovered a security breach in one of its computer applications that resulted in
exposure of sensitive information belonging to current and former U.Va. faculty members. The response team
had difficulty identifying sources of address information for existing and former University employees, a
necessary component in contacting those affected by the breach. The Director for Security Coordination and
Policy within the Information Technology and Communications department solicited the help of Process
Simplification in creating a report matrix to aid the response team in future occurrences.
Project Team Members
Brian Davis, Team Lead, Information Technology and Communication
Jane C. Fletcher, Development and Public Affairs
George Stovall, Office of Institutional Assessment and Studies
John C. Hill, University Human Resources
Kevin Savoy, Audit Department
John Teahan, Office of the Executive Vice President and Provost
Martha Wall, Integrated System Deployment and Support
Nannette Keenan, Office of Process Simplification
Lea Moore, Office of Process Simplification
Goals and Objectives
Create a Report Matrix which includes a list of:
• University population types;
• Data owners who manage contact information for various populations;
• System/database names which house the information;
• Address types; and
• Any other data identified by the work group.
Approach to Work/Matrix Details
The work group met regularly over a two-month period from August to September 2007, with ongoing research
being conducted through early October 2007. A Collab site was created to aid in managing incoming data, and an MS
Excel spreadsheet was developed for data collection in an effort to ease future dissemination of data. The data
elements for the report, as defined by the team, consist of:
a. Population: including students, faculty, staff, alumni, donors, parents, and vendors. A population type for
“Foundation employees and contractors” was considered; however, information contained within
Foundation systems was not accessible;
b. Campus: listing for University Grounds at Charlottesville, Virginia and College at Wise;
c. Data Owners: listing department name where data is managed and maintained;
d. Contact: including information on data owners such as phone extension and email address;
e. Data Store: listing the name of the system and/or application;
f. Time: including the date range of data contained within the system;
g. Address Data: identifying whether the report contained postal, email and phone number information for the population;
h. Availability of Report: identifying whether the report was accessible as a canned report or ad hoc (improvised or
impromptu reporting);
i. Name and Data Elements: identifying whether the report contained University, employee or student IDs, or
Social Security Number, as the primary identifier for each population type. This reporting element was not
recognized as a needed reporting element until the last team meeting. It was determined that if the system
listed in the report matrix housed the data, it would be extracted ad hoc for the response team;
j. Comments: allowing the work group to include general information about the data identified in the matrix;
and,
Report Cover Sheet V3 Adobe.doc
1 of 2
3/18/2008
k. Entered By: identifying the name of the team or resource that provided the data contained in the report.
Each member of the work group took ownership of various population types. Process Simplification
assisted in compiling the data and distributing it to the work group during regular meetings. Constraints
of the data collected include: a) a lack of consistency among University departments when identifying values
for each data element; and b) a deficiency in verifying the quality of the data received, due to lack of system
accessibility. See the attached Appendix A: Combined Notification Data Matrix for the final version of the
report matrix completed by the team.