Data Stewards - Computing Services ISO - Carnegie Mellon University

Information Security Roles and Responsibilities (cont.)


Data Steward

A Data Steward is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data.  Responsibilities of a Data Steward include the following:
a. Assigning an appropriate classification to Institutional Data.

All Institutional Data should be classified based on its sensitivity, value and criticality to the University.  The University has adopted three primary classifications:  public, private and restricted.  See the Guidelines for Data Classification for more information.
b. Assigning day-to-day administrative and operational responsibilities for Institutional Data to one or more Data Custodians.

Data Stewards may assign administrative and operational responsibility to specific employees or groups of employees.  A Data Steward could also serve as a Data Custodian.  In some situations, multiple groups will share Data Custodian responsibilities.  If multiple groups share responsibilities, the Data Steward should understand which functions are performed by which group.
c. Approving standards and procedures related to day-to-day administrative and operational management of Institutional Data.

While it is the responsibility of the Data Custodian to develop and implement operational procedures, it is the Data Steward’s responsibility to review and approve these standards and procedures.  A Data Steward should consider the classification of the data and associated risk tolerance when reviewing and approving these standards and procedures.  For example, high risk and/or highly sensitive data may warrant more comprehensive documentation and, similarly, a more formal review and approval process.  A Data Steward should also consider his or her relationship with the Data Custodian(s).  For example, different review and approval processes may be appropriate based on the reporting relationship of the Data Custodian(s).
d. Determining the appropriate criteria for obtaining access to Institutional Data.

A Data Steward is accountable for who has access to Institutional Data.  This does not imply that a Data Steward is responsible for day-to-day provisioning of access.  Provisioning access is the responsibility of a Data Custodian.  A Data Steward may decide to review and authorize each access request individually, or a Data Steward may define a set of rules that determine who is eligible for access based on business function, support role, etc.  For example, a simple rule may be that all students are permitted access to their own transcripts or all staff members are permitted access to their own health benefits information.  These rules should be documented in a manner that allows little or no room for interpretation by a Data Custodian.
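One way to leave a Data Custodian "little or no room for interpretation" is to write the Steward's eligibility rules as explicit, testable policy rather than prose.  The following is an added illustration, not code from the University or the Information Security Office: the rule set, the attribute names (roles, dataset, classification, subject_id) and the sample people and records are all constructed assumptions.  It encodes the two example rules from the text plus a deliberately default-deny fallback, so a request that no approved rule covers (a student reading another student's transcript, or anyone writing rather than reading) is refused without anyone having to decide what the Steward "probably meant".

```python
"""Added example (not part of the CMU ISO page): a Data Steward's access
eligibility rules expressed as explicit, testable policy so that a Data
Custodian provisions access by evaluating the rules, not interpreting them.
Rule set, attribute names and sample principals are constructed assumptions."""

from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    """Who is asking.  Roles should come from an authoritative source
    (HR or registrar feed), not from self-asserted claims."""
    id: str
    roles: FrozenSet[str]          # e.g. {"student"}, {"staff", "registrar_staff"}


@dataclass(frozen=True)
class Resource:
    """What is being accessed: the data set, its classification under the
    Guidelines for Data Classification, and whose record it is."""
    dataset: str                   # e.g. "transcript", "health_benefits"
    classification: str            # "public" | "private" | "restricted"
    subject_id: str                # the person the record is about ("" if none)


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Principal, Resource, str], bool]


# Rules approved by the Data Steward.  Every rule is a grant; anything not
# matched by some rule is denied, so the custodian never has to fill a gap.
RULES: List[Rule] = [
    Rule("students may read their own transcript",
         lambda p, r, action: action == "read" and r.dataset == "transcript"
         and "student" in p.roles and r.subject_id == p.id),
    Rule("staff may read their own health benefits information",
         lambda p, r, action: action == "read" and r.dataset == "health_benefits"
         and "staff" in p.roles and r.subject_id == p.id),
    Rule("registrar staff may read any transcript",
         lambda p, r, action: action == "read" and r.dataset == "transcript"
         and "registrar_staff" in p.roles),
    Rule("anyone may read public data",
         lambda p, r, action: action == "read" and r.classification == "public"),
]


def decide(principal: Principal, resource: Resource, action: str) -> Tuple[bool, List[str]]:
    """Evaluate every approved rule; return (allowed, names of rules that matched).
    Default deny: an empty match list means the request is refused."""
    matched = [rule.name for rule in RULES if rule.applies(principal, resource, action)]
    return (bool(matched), matched)


# Constructed sample principals and records (illustrative, not real data).
ALICE = Principal("a123", frozenset({"student"}))
BOB = Principal("b456", frozenset({"staff"}))
CAROL = Principal("c789", frozenset({"staff", "registrar_staff"}))

ALICE_TRANSCRIPT = Resource("transcript", "private", "a123")
BOB_BENEFITS = Resource("health_benefits", "restricted", "b456")
COURSE_CATALOG = Resource("course_catalog", "public", "")

if __name__ == "__main__":
    requests = [
        (ALICE, ALICE_TRANSCRIPT, "read"),   # own transcript: allowed
        (BOB, ALICE_TRANSCRIPT, "read"),     # someone else's transcript: denied
        (CAROL, ALICE_TRANSCRIPT, "read"),   # registrar staff: allowed
        (BOB, BOB_BENEFITS, "read"),         # own benefits: allowed
        (BOB, BOB_BENEFITS, "write"),        # no rule grants write: denied
        (ALICE, COURSE_CATALOG, "read"),     # public data: allowed
    ]
    for who, what, action in requests:
        allowed, why = decide(who, what, action)
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {who.id} {action} {what.dataset} ({what.subject_id or 'n/a'}): {why}")
```

Because each decision carries the names of the rules that granted it, the Custodian's provisioning log doubles as evidence for the Steward's periodic review of who has access and on what authority.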
e. Ensuring that Data Custodians implement reasonable and appropriate security controls to protect the confidentiality, integrity and availability of Institutional Data.

The Information Security Office has published guidance on implementing reasonable and appropriate security controls based on the three classifications of data:  public, private and restricted.  See the Guidelines for Data Classification and the Guidelines for Data Protection for more information.  Data Stewards will often have their own security requirements specified in contractual language and/or based on various industry standards.  Data Stewards should be familiar with their own unique requirements and ensure Data Custodians are also aware of, and can demonstrate compliance with, these requirements.  The Information Security Office can assist with mapping controls identified in the Guidelines for Data Protection to controls mandated by contract(s) or industry standards.
f. Understanding and approving how Institutional Data is stored, processed and transmitted by the University and by third-party Agents of the University.

In order to ensure reasonable and appropriate security controls are implemented, a Data Steward must understand how data is stored, processed and transmitted.  This can be accomplished through review of data flow documentation maintained by a Data Custodian.  In situations where Institutional Data is being managed by a third party, the contract or service level agreement should require documentation of how data is or will be stored, processed and transmitted.
g. Defining risk tolerance and accepting or rejecting risk related to security threats that impact the confidentiality, integrity and availability of Institutional Data.

Information security requires a balance between security, usability and available resources.  Risk management plays an important role in establishing this balance.  Understanding what classifications of data are being stored, processed and transmitted will allow Data Stewards to better assess risks.  Understanding legal obligations and the cost of non-compliance will also play a role in this decision making.  Both the Information Security Office and the Office of General Counsel can assist Data Stewards in understanding risks and weighing options related to data protection.
h. Understanding how Institutional Data is governed by University policies, state and federal regulations, contracts and other legally binding agreements.

Data Stewards should understand whether or not any University policies govern their Institutional Data.  For example, the Information Security Policy governs the protection of all Institutional Data.  The Policy on Student Privacy Rights specifically addresses the privacy of student information.  Other policies exist to help govern financial information, health information, etc.  Visit the University's policy website for a comprehensive list of University policies.  Similarly, Data Stewards are responsible for having a general understanding of legal and contractual obligations surrounding Institutional Data.  For example, the Family Educational Rights and Privacy Act ("FERPA") dictates requirements related to the handling of student information.  The Office of General Counsel can assist Data Stewards in gaining a better understanding of legal obligations.
