Carnegie Mellon University Website Home Page
 

Information Security Roles and Responsibilities (cont.)

View/Download PDF
lvl_2colHorizontalRule

Data Custodian

A Data Custodian is an employee of the University who has administrative and/or operational responsibility over Institutional Data.  In many cases, there will be multiple Data Custodians.  An enterprise application may have teams of Data Custodians, each responsible for varying functions.  A Data Custodian is responsible for the following:
a. Understanding and reporting on how Institutional Data is stored, processed and transmitted by the University and by third-party Agents of the University.
  Understanding and documenting how Institutional Data is being stored, processed and transmitted is the first step toward safeguarding that data.  Without this knowledge, it is difficult to implement or validate safeguards in an effective manner.  One method of performing this assessment is to create a data flow diagram for a subset of data that illustrates the system(s) storing the data, how the data is being processed and how the data traverses the network.  Data flow diagrams can also illustrate security controls as they are implemented.  Regardless of approach, documentation should exist and be made available to the appropriate Data Steward.
b. Implementing appropriate physical and technical safeguards to protect the confidentiality, integrity and availability of Institutional Data.
  The Information Security Office has published guidance on implementing reasonable and appropriate security controls for three classifications of data: public, private and restricted.  See the Guidelines for Data Classification and the Guidelines for Data Protection for more information.  Contractual obligations, regulatory requirements and industry standards also play in important role in implementing appropriate safeguards.  Data Custodians should work with Data Stewards to gain a better understanding of these requirements.  Data Custodians should also document what security controls have been implemented and where gaps exist in current controls.  This documentation should be made available to the appropriate Data Steward.
c. Documenting and disseminating administrative and operational procedures to ensure consistent storage, processing and transmission of Institutional Data.
  Documenting administrative and operational procedures goes hand in hand with understanding how data is stored, processed and transmitted.  Data Custodians should document as many repeatable processes as possible.  This will help ensure that Institutional Data is handled in a consistent manner.  This will also help ensure that safeguards are being effectively leveraged.
d. Provisioning and deprovisioning access to Institutional Data as authorized by the Data Steward.
  Data Custodians are responsible for provisioning and deprovisioning access based on criteria established by the appropriate Data Steward.  As specified above, standard procedures for provisioning and deprovisioning access should be documented and made available to the appropriate Data Steward.
e. Understanding and reporting on security risks and how they impact the confidentiality, integrity and availability of Institutional Data.
  Data Custodians should have a thorough understanding of security risks impacting their Institutional Data.  For example, storing or transmitting sensitive data in an unencrypted form is a security risk.  Protecting access to data using a weak password and/or not patching a vulnerability in a system or application are both examples of security risks.  Security risks should be documented and reviewed with the appropriate Data Steward so that he or she can determine whether greater resources need to be devoted to mitigating these risks.  This Information Security Office can assist Data Custodians with gaining a better understanding of their security risks.

Back to the Top