Data Warehouse Leadership Team
Data Warehouse Access Principles
- We *do* have an obligation, due to federal and state laws as well as CSU and HSU policies, to appropriately manage and protect data the university collects about individuals.
- That said, the laws and policies *do* allow for access to this data by people who need it to perform their job for the university.
- Appropriately protecting data AND providing needed access requires that we deploy several integrated strategies, not just technological controls:
  - policy - the CSU Information Security Policy obligates us to protect personal information - we need to make sure people who have access to data understand these obligations (e.g., FERPA, HIPAA, Level One and Level Two data)
  - training - we need to provide training to people who have access to data that helps them understand how to apply these obligations to their practical, daily work as they access data
  - peripheral tools - we need to make sure that people who have access to data also have appropriate (secure) methods of transporting and storing data
  - defining what data is needed - we need to build a simple model for defining which job functions have a need to access what data
  - levels of access - since not all jobs require access to all the data elements we store, we need to create practical levels of access that correspond to practical levels of need
  - labeling - a caution and reminder, in text, on all reports that contain confidential information
  - good technology controls - we need to ensure a "wrapper" of good technology controls around the data warehouse, e.g., access request and approval procedures, limited remote access, password aging
  - exception process - we need an exception process for considering and handling those few circumstances that do not fit within the simple, practical models we build