UAH Data Roles and Responsibilities

Objective

The objective of this document is to facilitate and formalize the roles and responsibilities related to the stewardship of UAH data. This standard supports the UAH Protection of Data Policy but exists to support all university policies and federal and state regulations governing the protection of university data.

Data Stewards

The data steward is the individual assigned by management to oversee the proper handling of UAH data. The steward is responsible for ensuring that appropriate steps are taken to protect data and for the implementation of policies, guidelines and memorandums of understanding that define the appropriate use of the data. The steward of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, stewardship may be shared by managers of different departments. 

Data Steward Responsibilities

The Data Steward is responsible for ensuring that appropriate steps are taken to protect data and for implementing policies, guidelines, and memorandums of understanding (MOUs) that define the appropriate use of the data. The Data Steward or their designated representatives are responsible for and authorized to:

  • Approve access and formally assign custody of an information resources asset.

  • Specify appropriate controls, based on data classification, to protect the information resources from unauthorized modification, deletion, or disclosure. The steward will convey those requirements to administrators for implementation and educate users. Controls shall extend to information resources outsourced by the university.

  • Confirm that applicable controls are in place to ensure an appropriate level of confidentiality, integrity, and availability.

  • Confirm compliance with applicable policies and controls, including but not limited to FERPA, PCI, PII, and HIPAA.

  • Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures.

  • Ensure access rights are re-evaluated when a user’s access requirements to the data change (e.g., job assignment change).

  • Understand and report all security risks and potential breaches to the UAH CIO and CISO.

De Facto Data Stewards

Unless otherwise designated in the contents of the data, in the header or metadata of the data, or in writing by the presumed data steward, the de facto steward of the data is determined by the type of data being protected, as listed in the table below.

| Data | Steward |
|---|---|
| Student Education Records | Provost and Vice President of Academic Affairs |
| Administrative Records | Vice President for Finance & Administration |
| Athletics | Director of Athletics |
| Legal | UAH Chief University Counsel |
| University Financial Data | Vice President for Finance & Administration |
| Employee Data | Vice President for Finance & Administration |
| Public Relations Data | Vice President for Strategic Communications |
| Sponsored Research | Vice President for Research and Economic Development |
| Patient Records (Electronic Patient Health Information) | Vice President of Student Affairs |
| Student Personally Identifiable Information (PII) | Provost and Vice President of Academic Affairs |
| Faculty/Staff Personally Identifiable Information (PII) | Vice President for Finance & Administration |
| Departmental Records | Senior-most VP or Provost |
| Financial Aid Records | Vice President for Finance & Administration |
| Facilities Information | Vice President for Finance & Administration |
| Alumni and Development Data | Vice President for University Advancement |
| Payment Card Information | Vice President for Finance & Administration |
| Police Records | Vice President for Finance & Administration |

Any steward may designate a member of their staff to act as the data steward in their stead.

Data Administrators

The data administrator is the University or outsourced service provider charged with implementing the controls specified by the Data Steward. The Data Administrator is responsible for the processing, storage, and recovery of information. The administrator of information resources must:

  • Implement the controls specified by the Data Steward(s)

  • Provide physical and procedural safeguards for the information resources

  • Assist Data Stewards in evaluating the overall effectiveness of controls and monitoring

  • Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents

Data Users

A Data User is any person who has been authorized by the Data Steward to read, enter, or update that information. 

All Data Users have the responsibility to:

  • Use the resource only for the purpose specified by the Data Steward

  • Comply with controls established by the Data Steward

  • Prevent disclosure of private, confidential, or sensitive information

If you have any questions about data responsibilities, please contact the CISO at CISO@uah.edu.