Description

Texas A&M University data is not owned by a single individual, but is a university asset that is owned by the institution and entrusted to appropriate individuals for their care. Understanding these roles and their relationship to the data they oversee is critical for ensuring good governance of university data. This is true of all types of university data, including research data, unless there is a legally binding agreement in place with different terms (ref. SAP 15.99.03.M1.03).

Draft Guidance

The current data classification standard for Texas A&M University is available online. These controls are changes to the classification standard and are still in draft status.

Applicability

  • The roles and responsibilities described in this control apply to all individuals who handle university data, regardless of their relationship to the university. This includes, but is not limited to: students, employees, affiliates of the university, and third parties (e.g., business associates, cloud service providers, vendors, or contractors).

Implementation

  1. Individuals interact with university data through four roles: steward, manager, custodian, or user. Each of these roles has a unique set of responsibilities with regard to the data under their care. Individuals may simultaneously hold more than one role, even for the same dataset.

  2. Data Steward describes an individual whose role involves representing information—usually for a specific information type, business sector, or business function—for university-wide information governance purposes. Data Stewards are institutional officers and have management and policy-making authority over their specific data subject areas, including the business definitions of data and the access to and use of that data across the university. An example of a Data Steward in the student data domain is the University Registrar; an example in the financial/budget data domain is the Chief Financial Officer.

     Data Stewards are responsible to:

     2.1 Ensure that information systems that store or process university data remain compliant with university security controls and all applicable federal and state regulations.

     2.2 Periodically review the data under their care to ensure the classification remains accurate.

     • Provide a complete and accurate inventory of the data under their care, including any information resources storing that data, to the Division of IT.

     2.3 Remediate or mitigate risks related to data under their care identified through the annual information security risk assessment process.

     2.4 Report any known or suspected instances of inappropriate access or unauthorized disclosure to the Chief Information Security Officer in accordance with the requirements described in Incident Response.

     2.5 Appoint Data Managers for their data subject areas.

  3. Data Managers are responsible for the quality and integrity of a defined dataset on a day-to-day basis. Data Managers evaluate and authorize requests for access to the data, and are responsible to protect the data from misuse or mismanagement. Data Managers are assigned these responsibilities by a Data Steward over a particular data domain, and may act as a delegate of the Data Steward for routine purposes. An example of a Data Manager in the student data domain is the manager of a college advising office; an example of a Data Manager in the research data domain is the Principal Investigator of a sponsored research grant.

     Data Managers are responsible to:

     3.1 Ensure that information systems that store or process university data remain compliant with university security controls and all applicable federal and state regulations.

     3.2 Maintain a complete and accurate inventory of the data under their care, including any information resources storing that data, to ensure the classification remains accurate.

     3.3 Establish procedures to protect the quality and integrity of assigned datasets.

     3.4 Evaluate and authorize (or deny) requests for access to assigned datasets.

     3.5 Advise the Data Steward regarding appropriate procedures for data management.

     3.6 Ensure that known or suspected instances of inappropriate access or unauthorized disclosure are reported to the Data Steward and the CISO in accordance with the requirements described in Incident Response.

     3.7 Identify data recovery objectives (RTO and RPO) for assigned datasets in accordance with risk management decisions.

     3.8 Coordinate with Data Custodians to implement the security controls required by the Texas A&M Controls Catalog.

     3.9 Delegate authority to Data Custodians as appropriate for data administration.

  4. Data Custodians are typically information technology professionals who manage the information systems that store and process university data. Data Custodians develop and implement technology infrastructure to support the functional needs of a data domain, and implement technical security controls to ensure the confidentiality, integrity, and availability of the data under their care.

     Data Custodians are responsible to:

     4.1 Assist Data Stewards and Data Managers in classifying university data and information resources according to the university data classification standards (see DC-1).

     4.2 Identify, or assist Data Managers in identifying, information resources containing university data.

     4.3 Implement the security controls required by the Texas A&M Controls Catalog.

     4.4 Follow the system monitoring procedures described in Audit and Accountability.

     4.5 Follow the incident reporting guidelines described in Incident Response.

     4.6 Ensure university data is recoverable in accordance with risk management decisions.

  5. Data User refers to any individual (student, employee, or affiliate of the university) who interacts with university data. Data Users are responsible to:

     5.1 Access university data only in the course of official university business, and in ways consistent with the university’s mission (see SAP 29.01.03.M0.02 and University Rule 29.01.03.M3).

     5.2 Only disclose or release university data to others as required by their job responsibilities, under the direction of a Data Manager.

     5.3 Respect the confidentiality and privacy of individuals whose records they may access.

     5.4 Promptly report any known or suspected instances of inappropriate access or unauthorized disclosure of university data to a Data Custodian, Data Manager, or Data Steward, or directly to the Division of IT at helpdesk@tamu.edu.