Data Custodianship
Approved 1/29/2018
Purpose
The University values openness and promotes access to a wide range of information; accordingly, the campus information systems have been designed to be as open as possible. This policy seeks to strike a balance between access to information, data integrity and appropriate confidentiality for University faculty, staff, and students.
Definitions
Data Steward: Term used by the University of Wisconsin (UW) System Administrative Policy 1031 - Information Security: Data Classification and Protection to include "An individual who has direct responsibility to ensure that a data domain is classified appropriately. The data steward collaborates with institutional Security, Privacy and Data Officers." At UW-Whitewater, this responsibility is performed by the Data Owners.
Statement of Policy
The reliability, availability and accessibility of University data is critical to the day-to-day function of the University. Each member of the University community (students, faculty, staff, and guests) and designated agents are expected to protect the integrity of data and to know and adhere to University rules, regulations and guidelines for its appropriate use. To that end, University information should be protected by acknowledging information custodial roles and responsibilities. Data owners, users and managers should each understand their particular roles in the custodianship of University data. By exercising appropriate custodial roles, appropriate due care of University information can be assured.
Roles and Responsibilities of Data Custodians
The University classifies data owners as those responsible for:
- Knowing and understanding the data for which they are responsible;
- Identifying the major system(s) where the data for which they are responsible resides;
- Evaluating and ensuring the data has been appropriately classified based on state and federal law, University of Wisconsin System policy and procedure, regulatory agency requirements and any contractual obligations, and University regulations;
- Documenting the data classifications;
- Reviewing data classifications at least annually;
- Establishing access and utilization criteria;
- Exercising due care in setting standards for protection of data;
- Monitoring compliance and enforcing policy;
- Implement practices to assure data accuracy.
The University classifies data users as those responsible for:
- Following this policy and information access procedures established by data owners;
- Access only the information for which they are authorized;
- Report suspected or actual violations of policies and standards to management;
- Exercising due care in the use of confidential and restricted data.
The University classifies data managers as those responsible for:
- Executing access authorizations or data transfers authorized by the data owner;
- Using best practices to maintain the confidentiality, integrity, and availability of information;
- Providing a mechanism for monitoring compliance and enforcing policy;
- Exercising due care in the administration of systems hosting the data.
ICIT Responsibilities
ICIT facilitates the development of policies, and develops procedures and guidelines which enable University employees to understand their particular custodial roles and responsibilities with respect to University information. ICIT implements the technical infrastructure that allows University employees to efficiently and effectively exercise these custodial roles. ICIT also serves as the de facto data manager for most University data.
Related Documents
- University of Wisconsin-Whitewater ICIT Information Asset Classification Policy http://www.uww.edu/icit/policies-agreements/asset-classification
- University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/
- University of Wisconsin System Administrative Procedure 1031.A - Information Security: Data Classification https://www.wisconsin.edu/uw-policies/uw-system-administrative-policies/information-security-data-classification/information-security-data-classification/
Scheduled Review
This document will be reviewed on an annual basis, or as deemed necessary.
Revision/Review Log
| Date | Approver | Action | Description |
| 1/29/2018 | Revised to include references to the requirements contained in the July 31, 2017 revisions of the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification and Protection and the UW System Administrative Procedure 1031.A - Information Security: Data Classification documents. |
Operational Procedures
Operational Procedures define ICIT's services, expectations, and role as part of the campus community.
- Asset Classification
- Campus Computer Repurposing & Surplus Process
- Chargeback for Technology Support
- Computing Environment Support Policy
- Desktop Support Service Guidelines
- Desktop Operating Systems Support
- Data Custodianship
- Data Handling After a Campus Official's Departure
- Employee Checkout/Off-Boarding
- Guest Access
- Information Outsourcing
- Ingeniux & Google Analytics
- Listserv Policy
- Securing Office Computer Equipment
- Port Activation
- Surveillance Camera Use
- Technology Purchasing & Acquisition
- Web DNS Policy & Naming Guidelines