Definitions and FAQ

Each unit or department’s executive or department head will designate at least two, but not more than four, DSAs. DSAs will act as liaisons to the BU Information Security Team. DSAs oversee data security responsibilities at the department level.

DSA responsibilities include:

• Identifying the department’s need to store or access Confidential and Restricted Use data
• Assisting with the data classification process and coordinate with the BU Information Security Team
• Before submitting a request for access, confirming with the requestor’s manager that the requestor has a legitimate business reason for access to the data.
• Communicating authorization requests for access to enterprise information system data, facilities, functions, roles and/or tasks to the appropriate data custodian.
• Requesting that access be removed when no longer required.
• Conducting regular reviews (not less than one time per year) of access lists and requesting removal of access when no longer needed.
• Assigning and collecting two-factor authentication tokens
• Communicating with BU Information Security in the event of any unauthorized disclosure, modification, or loss of Confidential or Restricted Use data
• Assisting with security awareness for the unit or departments

A new DSA’s manager should ensure the new DSA receives a written description of his or her duties as DSA and receives the appropriate training. (The DSA duties list, manual and training are maintained and provided by BU Information Security.) The DSA must acknowledge the responsibilities by signing and returning a copy to his or her manager and to BU Information Security.

The executive or head of each department will designate at least two, but not more than four, Data Trustees. Data Trustees are those persons at the University with responsibility for the accuracy, integrity, and privacy of University data. They grant or deny access to University data, monitor the integrity of the data repositories, and perform regular audits to ensure all approved accesses still valid and appropriate.

Data Trustees must make decisions regarding the handling of data in accordance with the University’s Information Security Policy and the Data Protection Standards, and in compliance with all federal, state, and local laws and regulations. Data Trustees are responsible for reviewing requests for access to sensitive data under their care regardless of whether the data is stored in the original data source, the authoritative repository or with any downstream users of the data.

Data Trustee responsibilities include:

• Responding to requests for access to University data within three business days with one of the following decisions: “Accepted”, “On Hold” (requesting more information), or “Denied”. Before permitting access, the Data Trustee must confirm that the requestor has a legitimate business reason for access to the data.
• Approving the minimum access or authorization necessary for the requestor’s needs.
• Support and enable the implementation of required security measures as outlined in the University Data Protection Requirements. Trustee may consult with IS&T and BU Information Security to determine appropriate controls.
• Ensuring that reviews are conducted regularly (not less than one time per year) to ensure all approved access is still valid and appropriate.
• When an individual becomes a Data Trustee, the executive or department head should ensure that he or she receives a written description of his or her duties as Trustee and receives the appropriate training. (The Trustee duties list, manual and training are maintained and provided by BU Information Security.) The Data Trustee must acknowledge the responsibilities by signing and returning a copy to the executive or department head and to BU Information Security.

In the event a Data Trustee is unavailable to fulfill the responsibilities above, the executive or department head must designate an alternate until the Data Trustee is again available.

In general these authorizations are granted by “Data Custodians”, who are entrusted with the maintenance of the data.  These are typically Systems Administrators, Database Administrators, or Application Administrators.    These individuals are responsible for executing the approved account definition/modification/removal request, after validating that appropriate approvals have been granted.

Data Custodian responsibilities include:

• Providing data or access to data only as approved by the Data Trustee.
• Assisting clients or project teams with the submission of requests for access to University data.

If a Data Trustee has previously approved access to the data using one format or method, the Data Custodian need not get a new approval for a different format or method. For example, if access via spreadsheet or database is approved and the client would like it in a text file instead, this change does not require re-approval by the Trustee. Similarly, as long as the data is being transported using a mechanism approved by BU Information Security, changing from one to the other does not require re-approval. For example, switching from SFTP to FTP-S as the secure transport mechanism.

• Removing of access when requested by the DSA.
• Conducting regular reviews (not less than one time per year) of access lists and removing access when no longer needed.

A new Data Custodian’s manager should ensure that the new Custodian receives a written description of his or her duties as Custodian and receives the appropriate training. The Custodian must acknowledge the responsibilities by signing and returning a copy to his or her manager.

Depending on the system and access being requested, Information Security can perform several roles in the process including, consultant, request reviewer, access auditor, request and implementer.  Information Security can also assist any requestor or approver who need help with the process, or with tracking a request.

In general, requests should be completed within 5 business days of the submitted request.  While requests are typically fulfilled quicker than that, keep in mind there are multiple stages of the request/approval process where a request can reside.

Yes.  We have manuals, guides, and other resources available here.

To become a DSA simply have an existing DSA in your department send us a ServiceNow ticket with the request.  If your department doesn’t currently have a DSA, send us the request yourself.  You will then be required to attend DSA training.

You can find our Training schedule here.

An authorization should only provide the privileges required for the function to be performed and no more.  Following this principle helps ensure proper workflows are followed and access to functions that may expose data is contained as much as possible.

When an authorization is granted to an account it must be approved by multiple individuals.  Multiple approvers ensures that the Principle of Least Privilege is followed from both a technical and process perspective, decreases opportunity for conflict of interest or fraud, and reduces the risk of error.  As applied to authorization, separation of duties requires that the administrative and technical approver are not the same person, or if they must be, then the Data Custodian is not filling either role.

In general access given in Test systems is not as restrictive as Production systems.  Since clients typically do not have access to non-production systems, access requests are typically performed by technical team members.  Requests should still have a business need, and may still need approval from a Manager, Business Owner, Information Security, and potentially a Data Trustee (specifically if Restricted Use data is involved)

Before granting access to a system or application, the following policy must adhered to:

1. Use role-based authorization schemes over individual authorizations whenever practical
2. Be as granular as possible in your authorizations.
3. Ensure that the authorization has the appropriate approvals:
   1. Administrative and Technical Approvals are always required.  These approvers must:
      1. Ensure the principles of Least Privilege and Separation of Duties are applied.
      2. When approving privileges to a shared account consider everyone who has access to that account and whether or not such privilege is appropriate for everyone.
   2. All requests for access to data for which there is a Data Trustee must be approved by the Data Trustee.  See the Data Management Guide for more details.
   3. All requests for access to a system or application containing Restricted Use information have been approved by Information Security.
4. Privileged access may be granted permanently only if that specific person’s job duties routinely require that level of access, otherwise, the access must be temporary.
5. All authorization requests must be documented, including the nature of the request, the time period for which it has been granted, all related approvals that were obtained, and the names of the approvers.