Data Warehouse Access Principles
We *do* have an obligation, due to federal and state laws as well as CSU and HSU policies, to appropriately manage and protect data the university collects about individuals.
That said, the laws and policies *do* allow for access to this data by people who need it to perform their job for the university.
Appropriately protecting data AND providing needed access requires that we deploy several integrated strategies, not just technological controls:
policy - the CSU Information Security Policy obligates us to protect personal information - we need to make sure people who have access to data understand these obligations (e.g., FERPA, HIPAA, Level One and Level Two data)
training - we need to provide training to people who have access to data that helps them understand how to apply these obligations to their practical, daily work as they access data
peripheral tools - we need to make sure that people who have access to data also have appropriate (secure) methods of transporting and storing data
defining what data is needed - we need to build a simple model for defining which job functions have a need to access what data
levels of access - since not all jobs require access to all the data elements we store, we need to create practical levels of access that correspond to practical levels of need
labeling - a caution and reminder, in text, on all reports that contain confidential information
good technology controls - we need to ensure a "wrapper" of good technology controls around the data warehouse, e.g., access request and approval procedures, limited remote access, password aging
exception process - we need an exception process for considering and handling those few circumstances that do not fit within the simple, practical models we build
Information Technology Services
Humboldt State University
Arcata, CA 95521