A Data Owner has administrative control and has been officially designated as accountable for a specific information asset dataset. This is usually the most senior officer in a division. Examples of Data Owners include the Registrar for student data, the Treasurer for financial data, and the VP of Human Resources for employee data. In most cases, the Data Custodian is not the Data Owner.
A system administrator or Data Custodian is a person who has technical control over an information asset dataset. Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access. This is a critical role and it must be executed in accordance with the access guidelines developed by the Data Owner.
Data Users also have a critical role to protect and maintain TCNJ information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access information assets.
General Responsibilities of the Data Owner
1. Ensure compliance with TCNJ policies and all regulatory requirements as they relate to the information asset.
2. Assign an appropriate classification to information assets.
TCNJ recognizes three classifications of information assets:
Category I: College data protected specifically by federal or state law such as FERPA, HIPAA, PCI, Sarbanes-Oxley, Gramm-Leach-Bliley, contractual agreements requiring confidentiality, integrity, or availability considerations, or specific student or employee data.
Category II: College data that is not otherwise classified as Category I but is available for Open Public Records Act (OPRA) requests.
Category III: College data not otherwise classified as Category I or Category II. This information is considered publicly available and has no requirement for confidentiality, integrity, or availability.
3. Determine appropriate criteria for obtaining access to information assets.
A Data Owner is accountable for who has access to information assets within their functional areas. A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. Access must be granted based on the principles of least privilege as well as separation of duties. For example, a simple rule may be that all students are permitted access to their own transcripts or all staff members are permitted access to their own health benefits information. These rules must be documented in a concise manner.
The Data Owner is also responsible for reviewing, twice per year, who has been given access, to ensure accuracy.
General Responsibilities of the Data Custodian
1. Assign and remove access to others based upon the direction of the Data Owner.
Assigning access to the information asset dataset so others can perform their respective job functions is an important and necessary part of the Data Custodian’s job.
2. Produce reports or derivative information for others.
In many cases the Data Custodian is also responsible for producing, interpreting, and distributing information based on the datasets to which he or she has access.
3. Log all information provided and access granted to others.
A log of all information that is disseminated must be kept including the dataset used, the receiving party, and the date. Likewise, access granted to others must be logged including the access level granted and the dataset in question.
4. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity, and availability of the information asset dataset.
Data Custodians are expected to work with Data Owners to gain a better understanding of these requirements. Security controls must be documented and shared with the Data Owner.
General Responsibilities of the Data User
1. Adhere to policies, guidelines and procedures pertaining to the protection of information assets.
Users are required to follow all specific policies, guidelines, and procedures established by departments, schools, or business units with which they are associated and that have provided them with access privileges. This includes information confidentiality: reports from the dataset should not be shared or made accessible to others without the express permission of the Data Owner. The Data User is also charged with ensuring the security of any sensitive organizational data and should not leave copies of this data in unencrypted form on laptops or removable media.
2. Report actual or suspected security and/or policy violations/breaches to an appropriate authority.
During the course of day-to-day operations, Data Users may come across a situation where they feel the security of information assets might be at risk. For example, a Data User comes across sensitive information on a website that he or she feels shouldn’t be accessible. If this happens, it is the Data User’s responsibility to report the situation.
Requirements of the Data Custodian and Data User
In all cases, second-hand data access requires the written administrative permission of the respective Data Owner before the Data Custodian may assign access to, re-distribute, or use the data. Access requests must be specific and include justification.
In no event shall any type of access be granted without permission of the Data Owner.