{"id":103630,"date":"2016-12-12T14:57:53","date_gmt":"2016-12-12T19:57:53","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=103630"},"modified":"2017-01-06T16:05:14","modified_gmt":"2017-01-06T21:05:14","slug":"definitions-and-faq","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/support\/information-security\/docs\/access-authorization-requests\/definitions-and-faq\/","title":{"rendered":"Definitions and FAQ"},"content":{"rendered":"<h2><em><strong>Definitions<\/strong><\/em><\/h2>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Departmental Security Administrator (DSA)<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>Each unit or department\u2019s executive or department head will designate at least two, but not more than four, DSAs. DSAs will act as liaisons to the BU Information Security Team. DSAs oversee data security responsibilities at the department level.<\/p>\n<p>DSA responsibilities include:<\/p>\n<ul>\n<li>Identifying the department\u2019s need to store or access Confidential and Restricted Use data<\/li>\n<li>Assisting with the data classification process and coordinate with the BU Information Security Team<\/li>\n<li>Before submitting a request for access, confirming with the requestor\u2019s manager that the requestor has a legitimate business reason for access to the data.<\/li>\n<li>Communicating authorization requests for access to enterprise information system data, facilities, functions, roles and\/or tasks to the appropriate data custodian.<\/li>\n<li>Requesting that access be removed when no longer required.<\/li>\n<li>Conducting regular reviews (not less than one time per year) of access lists and requesting removal of access when no longer needed.<\/li>\n<li>Assigning and collecting two-factor authentication tokens<\/li>\n<li>Communicating with BU Information Security in the event of any unauthorized disclosure, modification, or loss of Confidential or Restricted Use data<\/li>\n<li>Assisting with security awareness for the unit or departments<\/li>\n<\/ul>\n<p>A new DSA\u2019s manager should ensure the new DSA receives a written description of his or her duties as DSA and receives the appropriate training. (The DSA duties list, manual and training are maintained and provided by BU Information Security.) The DSA must acknowledge the responsibilities by signing and returning a copy to his or her manager and to BU Information Security.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Data Trustee<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>The executive or head of each department will designate at least two, but not more than four, Data Trustees. Data Trustees are those persons at the University with responsibility for the accuracy, integrity, and privacy of University data. They grant or deny access to University data, monitor the integrity of the data repositories, and perform regular audits to ensure all approved accesses still valid and appropriate.<\/p>\n<p>Data Trustees must make decisions regarding the handling of data in accordance with the University\u2019s Information Security Policy and the Data Protection Standards, and in compliance with all federal, state, and local laws and regulations. Data Trustees are responsible for reviewing requests for access to sensitive data under their care regardless of whether the data is stored in the original data source, the authoritative repository or with any downstream users of the data.<\/p>\n<p>Data Trustee responsibilities include:<\/p>\n<ul>\n<li>Responding to requests for access to University data within three business days with one of the following decisions: \u201cAccepted\u201d, \u201cOn Hold\u201d (requesting more information), or \u201cDenied\u201d. Before permitting access, the Data Trustee must confirm that the requestor has a legitimate business reason for access to the data.<\/li>\n<li>Approving the minimum access or authorization necessary for the requestor\u2019s needs.<\/li>\n<li>Support and enable the implementation of required security measures as outlined in the University Data Protection Requirements. Trustee may consult with IS&amp;T and BU Information Security to determine appropriate controls.<\/li>\n<li>Ensuring that reviews are conducted regularly (not less than one time per year) to ensure all approved access is still valid and appropriate.<\/li>\n<li>When an individual becomes a Data Trustee, the executive or department head should ensure that he or she receives a written description of his or her duties as Trustee and receives the appropriate training. (The Trustee duties list, manual and training are maintained and provided by BU Information Security.) The Data Trustee must acknowledge the responsibilities by signing and returning a copy to the executive or department head and to BU Information Security.<\/li>\n<\/ul>\n<p>In the event a Data Trustee is unavailable to fulfill the responsibilities above, the executive or department head must designate an alternate until the Data Trustee is again available.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Data Custodian<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>In general these authorizations are granted by \u201cData Custodians\u201d, who are entrusted with the maintenance of the data.\u00a0 These are typically Systems Administrators, Database Administrators, or Application\u00a0Administrators.\u00a0 \u00a0 These individuals are responsible for executing the approved account definition\/modification\/removal request, after validating that\u00a0appropriate approvals have been granted.<\/p>\n<p>Data Custodian responsibilities include:<\/p>\n<ul>\n<li>Providing data or access to data only as approved by the Data Trustee.<\/li>\n<li>Assisting clients or project teams with the submission of requests for access to University data.<\/li>\n<\/ul>\n<p>If a Data Trustee has previously approved access to the data using one format or method, the Data Custodian need not get a new approval for a different format or method. For example, if access via spreadsheet or database is approved and the client would like it in a text file instead, this change does not require re-approval by the Trustee. Similarly, as long as the data is being transported using a mechanism approved by BU Information Security, changing from one to the other does not require re-approval. For example, switching from SFTP to FTP-S as the secure transport mechanism.<\/p>\n<ul>\n<li>Removing of access when requested by the DSA.<\/li>\n<li>Conducting regular reviews (not less than one time per year) of access lists and removing access when no longer needed.<\/li>\n<\/ul>\n<p>A new Data Custodian\u2019s manager should ensure that the new Custodian receives a written description of his or her duties as Custodian and receives the appropriate training. The Custodian must acknowledge the responsibilities by signing and returning a copy to his or her manager.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<h2><strong><em>Frequently Asked Questions<\/em><\/strong><\/h2>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\"><\/strong><strong>What is Information Security\u2019s role in the request process?<\/strong><strong><\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>Depending on the system and access being requested, Information Security can perform several roles in the process including, consultant, request reviewer, access auditor, request and implementer.\u00a0 Information Security can also assist any requestor or approver who need help with the process, or with tracking a request.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\"><\/strong><strong>How long does it typically take for a request to be processed?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>In general, requests should be completed within 5 business days of the submitted request.\u00a0 While requests are typically fulfilled quicker than that, keep in mind there are multiple stages of the request\/approval process where a request can reside.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\"><\/strong><strong>I'm a DSA\/Data Trustee, do you have any documentation online for me to reference?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>Yes.\u00a0 We have manuals, guides, and other resources available <a href=\"https:\/\/www.bu.edu\/tech\/support\/information-security\/docs\/dsaanddatatrustee\/dsa-manuals\/\">here<\/a>.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">How do I become a DSA?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>To become a DSA simply have an existing DSA in your department send us a ServiceNow ticket with the request.\u00a0 If your department doesn&#8217;t currently have a DSA, send us the request yourself.\u00a0 You will then be required to attend DSA training.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">How do I sign up for DSA training?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>You can find our Training schedule <a href=\"http:\/\/www.bu.edu\/phpbin\/training\/register\/index.php?admingroup_id=42#course_id_1660&amp;KeepThis=true\">here<\/a>.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">What is the concept of \u2018Least Privilege\u2019?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>An authorization should only provide the privileges required for the function to be performed and no more.\u00a0 Following this principle helps ensure proper workflows are followed and access to functions that may expose data is contained as much as possible.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">What are Separation of Duties?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>When an authorization is granted to an account it must be approved by multiple individuals.\u00a0 Multiple approvers ensures that the Principle of Least Privilege is followed from both a technical and process perspective, decreases opportunity for conflict of interest or fraud, and reduces the risk of error.\u00a0 As applied to authorization, separation of duties requires that the administrative and technical approver are not the same person, or if they must be, then the Data Custodian is not filling either role.<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">Is there any difference when requesting access in Test or Production?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>In general access given in Test systems is not as restrictive as Production systems.\u00a0 Since clients typically do not have access to non-production systems, access requests are typically performed by technical team members.\u00a0 Requests should still have a business need, and may still need approval from a Manager, Business Owner, Information Security, and potentially a Data Trustee (specifically if Restricted Use data is involved)<\/p>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><strong><div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h3 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">What kind of things should be considered before an access request is approved?<\/h3><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/strong><\/p>\n<p>Before granting access to a system or application, the following policy must adhered to:<\/p>\n<ol>\n<li>Use role-based authorization schemes over individual authorizations whenever practical<\/li>\n<li>Be as granular as possible in your authorizations.<\/li>\n<li>Ensure that the authorization has the appropriate approvals:\n<ol>\n<li>Administrative and Technical Approvals are always required.\u00a0 These approvers must:\n<ol>\n<li>Ensure the principles of Least Privilege and Separation of Duties are applied.<\/li>\n<li>When approving privileges to a shared account consider everyone who has access to that account and whether or not such privilege is appropriate for everyone.<\/li>\n<\/ol>\n<\/li>\n<li>All requests for access to data for which there is a Data Trustee must be approved by the Data Trustee.\u00a0 See the <a href=\"http:\/\/www.bu.edu\/policies\/information-security-home\/data-protection-standards\/data-management-guide\/\">Data Management Guide<\/a> for more details.<\/li>\n<li>All requests for access to a system or application containing <em>Restricted Use<\/em> information have been approved by Information Security.<\/li>\n<\/ol>\n<\/li>\n<li>Privileged access may be\u00a0granted permanently only if that specific person\u2019s job duties routinely require that level of access,\u00a0otherwise, the access must be temporary.<\/li>\n<li>All authorization requests must be documented, including the nature of the request, the time period for which it has been granted, all related approvals that were obtained, and the names of the approvers.<\/li>\n<\/ol>\n<p><strong><\/div>\n<\/div>\n<\/strong><\/p>\n<p><em>*More information can be found in the <\/em><a href=\"http:\/\/www.bu.edu\/policies\/information-security-home\/data-protection-standards\/data-management-guide\/\"><em>Data Management Guide<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Definitions Frequently Asked Questions *More information can be found in the Data Management Guide&#8230;<\/p>\n","protected":false},"author":4697,"featured_media":0,"parent":103627,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/103630"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/4697"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=103630"}],"version-history":[{"count":7,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/103630\/revisions"}],"predecessor-version":[{"id":104085,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/103630\/revisions\/104085"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/103627"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=103630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}