This document is currently in Recommended status.  It has been approved by the Information Security Governance committee and is currently under review by the other governance committees for final approval.
Policy Number: 1.2.B Policy Owner:
Effective Date: 1/1/2011 Information Security & Business Continuity Governance
Policy applicable for: Faculty/Staff Associated Standards/Regulations:
Responsible Office(s): BU Information Security HIPAA, FERPA, GLB, PCI, Mass General Law
Capitalized terms and other key terms are defined at the end of this document or in the Data Classification Guide.

Purpose & Overview

Information maintained by the University is a vital asset that must be available to all employees who have a legitimate business need for it.  However, the use of University data for anything other than approved University business is prohibited by University policy and, in many instances, by state and federal law.

This document is a companion to the Data Classification Guide and defines the roles and responsibilities associated with the distribution and security of University data.  As described below, individuals may not access, use or store some kinds of sensitive data without authorization from the appropriate Data Trustee.  Individuals who are authorized by a Data Trustee to access, use or store sensitive information must follow any restrictions imposed by the Data Trustee.

Roles & Responsibilities

Data Trustee

The executive or head of each department included in the list of Data and Data Trustees below will designate at least two, but not more than four, Data Trustees.  Data Trustees are those persons at the University with responsibility for the accuracy, integrity, and privacy of University data.  They grant or deny access to University data, monitor the integrity of the data repositories, and perform regular audits to ensure all approved accesses still valid and appropriate.

Data Trustees must make decisions regarding the handling of data in accordance with the University’s Information Security Policy and the Data Protection Standards, and in compliance with all federal, state, and local laws and regulations.  Data Trustees are responsible for reviewing requests for access to sensitive data under their care regardless of whether the data is stored in the original data source, the authoritative repository or with any downstream users of the data.

Data Trustee responsibilities include:

  1. Responding to requests for access to University data within three business days with one of the following decisions:  “Accepted”, “On Hold” (requesting more information), or “Denied”.   Before permitting access, the Data Trustee must confirm that the requestor has a legitimate business reason for access to the data.
  2. Approving the minimum access or authorization necessary for the requestor’s needs.
  3. Support and enable the implementation of required security measures as outlined in the University Data Protection Requirements.  Trustee may consult with IS&T and BU Information Security to determine appropriate controls.
  4. Ensuring that reviews are conducted regularly (not less than one time per year) to ensure all approved access is still valid and appropriate.

When an individual becomes a Data Trustee, the executive or department head should ensure that he or she receives a written description of his or her duties as Trustee and receives the appropriate training.  (The Trustee duties list, manual and training are maintained and provided by BU Information Security.)  The Data Trustee must acknowledge the responsibilities by signing and returning a copy to the executive or department head and to BU Information Security.

In the event a Data Trustee is unavailable to fulfill the responsibilities above, the executive or department head must designate an alternate until the Data Trustee is again available.

Departmental Security Administrators

Each unit or department’s executive or department head will designate at least two, but not more than four, Departmental Security Administrators (DSAs). DSAs will act as liaisons to the BU Information Security Team.  DSAs oversee data security responsibilities at the department level.

Departmental Security Administrator responsibilities include:

  • Identifying the department’s need to store or access Confidential and Restricted Use data
  • Assisting with the data classification process and coordinate with the BU Information Security Team
  • Before submitting a request for access, confirming with the requestor’s manager that the requestor has a legitimate business reason for access to the data.
  • Communicating authorization requests for access to enterprise information system data, facilities, functions, roles and/or tasks to the appropriate data custodian.
  • Requesting that access be removed when no longer required.
  • Conducting regular reviews (not less than one time per year) of access lists and requesting removal of access when no longer needed.
  • Assigning and collecting two-factor authentication tokens
  • Communicating with BU Information Security in the event of any unauthorized disclosure, modification, or loss of Confidential or Restricted Use data
  • Assisting with security awareness for the unit or departments

A new DSA’s manager should ensure the new DSA receives a written description of his or her duties as DSA and receives the appropriate training.  (The DSA duties list, manual and training are maintained and provided by BU Information Security.)  The DSA must acknowledge the responsibilities by signing and returning a copy to his or her manager and to BU Information Security.

BU Information Security

Members of the BU Information Security Team support enterprise data management by providing certain functions and processes centrally.

Information Security responsibilities include:

  • Coordinating with Office of General Counsel to communicate changes in applicable law that impact the responsibilities of the Data Trustees, Data Security Administrators and Data Custodians.
  • Maintaining and publishing data management and protection standards, with appropriate input and approval from the Information Security and Business Continuity Governance Committee.
  • Providing training to Data Trustees on tools and processes to conduct reviews of the access to data for which Trustees are responsible.
  • Maintaining the list of DSA responsibilities and processes; maintaining the DSA manual.
  • Providing training for DSAs.  Training should be refreshed on an annual basis.
  • Receiving and processing access requests from DSAs for designated systems.
  • Define and provide secure methods for clients to access Confidential and Restricted Use data.  Where an appropriate method does not exist, provide consulting on the development of new solutions or compensating controls.
  • Administering two-factor token assignments for specific individuals as coordinated with the DSA.

Data Custodian

Data Custodians are those persons primarily responsible for maintaining security and integrity of University systems on which University data resides.   The Data Custodian’s “clients” are people or systems that access or use the data or systems which the Data Custodian maintains.

Data Custodian responsibilities include:

  1. Assisting clients or project teams with the submission of requests for access to University data.
  2. Providing data or access to data only as approved by the Data Trustee.
  • If a Data Trustee has previously approved access to the data using one format or method, the Data Custodian need not get a new approval for a different format or method.  For example, if access via spreadsheet or database is approved and the client would like it in a text file instead, this change does not require re-approval by the Trustee.  Similarly, as long as the data is being transported using a mechanism approved by BU Information Security, changing from one to the other does not require re-approval.  For example, switching from SFTP to FTP-S as the secure transport mechanism.
  1. Removing of access when requested by the DSA.
  2. Conducting regular reviews (not less than one time per year) of access lists and removing access when no longer needed.

A new Data Custodian’s manager should ensure that the new Custodian receives a written description of his or her duties as Custodian and receives the appropriate training.  The Custodian must acknowledge the responsibilities by signing and returning a copy to his or her manager.

Access Request Appeals

If the Data Trustee denies a requests for access to University data, the requestor may appeal the decision to the executive or department head of the unit or department that owns the data (or a designee).

Data and Data Trustees

If you need assistance identifying a specific Prime Domain Owner, please visit the Domain Contact List.

Alternatively, you may contact your DSA or BU Information Security (buinfosec@bu.edu).

Generally, contact these offices with questions about these data types:

Department Data Contact
Administrative Offices Records Retention
Development & Alumni Relations Alumni Gifts & Records, Telefunds, Donor & Recipient Information, Alumni Bio Sachin Agarwal
Accounts Payable Invoices, Vendor Maintenance Matthew Abrams
Budget Budget, Adjustments Meghan Tracey
WBUR Campaign Tracking, Donor Participation, Gifts and Pledges John Hoder
Business Affairs Vending Services Shawn Stone
Cashier Credit Cards Carol Moy
Grants & Contracts Grant Attributes, Principal Investigator maintenance Andy Horner, Gretchen Hartigan
General Accounting General Ledger, Unrestricted & Restricted accounting Gillian Emmons, Donna Lane
Receivables Student Accounts, Settlements, Collections Kathleen Hynes
Disbursements Payroll, Stipends, HR Time Entry Matthew Abrams
VP Finance Financial Account Number Martin Howard
Dean of Students Off Campus Housing, Judicial Affairs, Orientation, Alternative Spring Break Shiney James
Graduate Admissions Graduate Student Applications and Admissions Information Jacalyn Reisz
Int’l Students & Scholars Office International Student Admissions, SEVIS, International Scholars Jeanne Kelley
Medical Campus Med Financial Affairs, Accounting, Business Afairs Michelle Hamm
Medical Parking & Transportation Med Parking Permits, Tpass Louis D’Addario
Office of Housing Room Assignments/Check In/Withdrawal/Selection, Terrier Convenience Plan, Residence Access Control Babak Sadri
Office of Admissions /
Enrollment Services
Student Applications, Admissions Information Roberta Valday
Office of Risk Management Drivers License Numbers Paul Clancy
Office of Financial Assistance /Enrollment Services Financial Aid Funds, Awards, Loans, Promissory Notes Roberta Valday
Space Management Buidling & Space Administration, Room survey, Building occupant and cost  data Gregg Snyder
Registrar/Enrollment Services Student Records: Class Lists, Student Name, UID, SSN, Address, Telephone number, Race* Roberta Valday
Human Resources Employee Records: Employee Name, UID, SSN*, Address, Telephone number, Benefits, Race*, Payroll/Salary* Maria Canellos
Payroll Employee Records: SSN*, Payroll/Salary* Kathleen Sirois
Parking Services Parking Lots, Permits, Tpass William Hajjar
Sourcing & Procurement Requisitions, Purchase Orders, Buyer info Richard Stack
Physical, Recreation & Dance FitRec Memberships and Refunds, Registration, Instructor Class, Event Maintenance Cynthia Loud
Provost Office Faculty Records Alison English
Student Activities Office Student Activity Events and Sales Gina Galland
School of Education Literacy Test Jacqueline Boyle
Student Employment Office Student Employee information, Hire/Rehire, Timesheets, Job Board, Quickie Jobs, Work Study Mary Ann French
Student Health Services Student Health Records Christopher Valadao
Telecommunications Telephone Directory Information Sean Kinneen

* These data fields are jointly owned and approval must be granted by all trustees.

References

The Boston University Data Protection Standards:

References & Related Documents:

For legal references, links to BU references and key contacts, see the References section of 1.2.A -Data Classification Guide

History

Date Action By Supersedes
3/27/2011 Original Draft BU Information Security –Original–
3/31/2011 Approved BU Information Security Governance Committee –Original–