Data Governance Policy

Philosophy

The value of data as a resource is increased through its widespread and appropriate use; its value is diminished through misuse, misinterpretation, unnecessary restrictions to its access, or failure to maintain quality. Most importantly, wide access to data will enable consumers to identify new relationships in data and new information previously unknown or unavailable. This is the domain of data mining and to some degree what-if analysis. Oxcyon endorses and supports this within the appropriate security and privacy constraints.

Information maintained by Oxcyon is a vital asset that is available to all employees or users of each of Oxcyon’s clients who have a legitimate need for it, consistent with the client's responsibility to preserve and protect such information by all appropriate means. The client is the owner of all data, and their departments, units or departments may have stewardship responsibilities for portions of that data.

The Client determines levels of access to their data according to principles drawn from various sources. State and federal law provides a clear description of some types of information to which access must be restricted. Depending upon the industry of each client, ethical, security, and privacy considerations are other important factors in determining access to data being managed in behalf of the client.

Oxcyon is committed to establishing and maintaining data standards and quality, while adhering to all privacy and compliance requirements, including relevant information security concepts and constructs.

Purpose

Data Governance is the overall management of the availability, integrity, and security of data used in the enterprise, including a defined set of procedures and a plan to execute those procedures.

The primary purposes of this policy are:

To establish and define the Data
To establish the governance structure, including the responsibility and authority
To define and communicate the Client’s data architecture, framework, and standards, including:
- Data Standards
- Data Classifications
- Data Quality
- Data Access
- Data Compliance and Privacy
- Data Retention and Archiving
- Information Security
To monitor and enforce compliance with the framework and standards
To define the primary operational roles for execution of data governance, including identification of responsible parties

Definitions

Data Access

The right to read, enter, copy, query, download, or update data, which is potentially different for different sets of data for each person, role, etc.

Role-Based Access Control

Role-based access control (RBAC) is a method of restricting access to data based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.

Data

Facts, ideas, or discrete pieces of information, especially when in the form originally collected and unanalyzed.

Private or Secure Data

Private or Secure is a large subset of the totality of the clients’ records and could include any information in print, electronic, or audio-visual format that meets the following criteria:

Acquired and/or maintained by Client’s employees in the performance of official administrative job duties;
Created or updated via the use of a Client’s enterprise system or used to update data in an enterprise system;
Relevant to planning, managing, operating, or auditing a major function at the Client;
Referenced or required for use by more than one organizational unit; and
Included in reports or official Client records.

Data Governance Council, Data Trustees

Oxcyon prepares, compiles, creates, and recommends policies and procedures based upon the data governance policies and guidelines of it’s clients to be implemented within the hosting environment of each client. This Council is ultimately between Oxcyon and it’s clients, but led by the client with respect to each installed project.

Data Stewards

Oxcyon, via the managed services it provides, acts as the stewards of these client mandated data governance policies and guidelines in behalf of the client, and inherit the responsibility for managing and implementing these policies within the installed hosted environment.

Data Guardians

Oxcyon and/or Hosting Provider (AWS/Azure/Rackspace) Information Technology staff are responsible for configuring and maintaining the infrastructure for each client around the Data Governance policies and guidelines of the project being managed. They are also responsible for implementing the security and access framework.

Data Consumers

These are the users of the Client who authenticate to gain access to the Client’s data. These can be but are not limited to: employees, agents, partners, or other properly authorized individuals who access the Data in performance of their assigned duties on behalf of the client.

Framework

Ease of access to data by properly authorized individuals securely in performing their job responsibilities is the desired outcome of the policy and the framework. It is supported by the across-the-board baseline technology and the five pillars.

The five pillars of this framework are:

Quality and consistency
Policies and standards
Security and privacy
Compliance
Retention and archiving

Scope

This policy establishes the framework for technical and behavioral standards and guidelines in creation and management of data, especially as related to data quality and consistency, security and privacy, compliance, retention and archiving, and access by individuals. It assigns responsibilities to offices and individuals regarding management of data.

This policy covers all Client data, including but not limited to machine-readable data and printed data on all media, principal copies, backup copies, and archival copies.

The policies and procedures of this document are applicable to and binding for all Oxcyon constituents, including but not limited to all users, staff, affiliates, guests, contractors, vendors, and others who are on-site or off-site. Specifically, the policies and procedures of this document are applicable and binding for all providers who host data in their off-site systems, unless specifically excluded or subjected to revised policy and contract provisions after due consideration by Information Security staff and Oxcyon Attorney. To the maximum degree possible provisions of this policy and procedures must be made part of the contract with outside providers who host Oxcyon data in their off-site systems.

Policy Statement

Data Governance Council will prepare and recommend relevant data governance policies. The President will review and approve those policies as appropriate. Additionally, Data Governance Council will establish the necessary control and enforcement mechanisms.

Client Data is owned by the Client. The access to data, reports, and other related output is governed according to the Client’s data governance policies and guidelines. Individuals and/or departments function as the stewards of the data and are responsible for proper application of the Client’s policies and guidelines.

As of the current revision of this policy Data includes:

User Data: All information in the User system and its related auxiliary systems: AD, SAML, and others
Research Data
Financial Data
Human Resources Data
Library Data
Information Technology Data: Identity and Access Management Data, E-mail, Shared Documents
Physical Facilities Data

Data Administration Roles

Data Trustees

The Data Trustees will establish and enforce the Client’s Data Governance framework and policies regarding data classification, data standards, data quality, data access, data compliance and privacy, data retention and archiving, and information security. In doing so the Data Trustees may establish sub-committees or working groups with external membership. Additionally, Data Trustees will address any procedural issues and address appeals. Finally, Data Trustees will appoint Data Stewards.

Data Stewards

The Data Stewards are responsible for implementation and enforcement of the Data Governance Policies and Procedures for each Client including their units, departments and/or subsidiaries.

Specific responsibilities:

Compliance: Responsible for compliance with all Client policies and external relevant laws and regulations related to the portion of Data within their purview.
Access: Review and approve or deny access requests for the portion of Data within their purview subject to Client policies and guidelines.
Data Definition and Classification: Approve Data Definition and Classification recommendations from Data Custodians.
Data Quality and Integrity: Responsible for developing procedures and protocols to make sure that Client’s Data within their purview meets the quality and integrity expectations for the Client.
Data Retention and Archiving: Responsible to assure that Client’s Data within their purview is properly retained and archived according to Data Governance and other Client retention policies.
Information Security: Responsible for implementing and disseminating the Information Security protocols, processes, and safeguards for Data within their purview.
Business Intelligence: Responsible for approving/developing standard, parametric, and ad hoc Client’s reports for Client’s Data within their purview working in collaboration with Data Custodians.
Appoint Data Custodians.

Data Custodians

Data Custodians assist Data Stewards with all the necessary tasks for the successful implementation and enforcement of the Data Governance policies and procedures within their domain. Generally, Data Custodians have responsibility for the day-to-day maintenance and security of the Data.

Specific responsibilities:

Compliance: Implement day-to-day aspects of the compliance requirements established by Data Stewards.
Data Collection and Maintenance: Make sure that data collected and entered is complete, accurate, valid, and timely.
Data Definition and Classification: Develop and recommend Data Definition and Classification to the Data Stewards.
Data Quality and Integrity: Implement quality and integrity procedures and protocols developed by Data Stewards.
Information Security: Monitor access to data and address inappropriate access timely.
Business Intelligence: Assist Data Stewards with developing standard, parametric, and ad hoc Client’s reports for Client’s.

Data Guardians

Data Guardians are Information Technology staff who has responsibility for configuring and maintaining the infrastructure for the Client’s Data as well as implementing the security and access framework.

Specific responsibilities:

Assist in development of Data Standards, Data Dictionary, Roles, Taxonomy, Data Cleaning Rules and Data Quality.
Assist in development of Information Security standards to provide safeguards for the data.
Develop and implement data access and security controls, and audit tools.
Design, implement, and maintain the infrastructure for the systems in which the data is housed.

Data Consumers

Data Consumers are Clients’ users to include but not be limited to their: employees, agents, or other properly authorized individuals who access the Data remotely via secure authentication in performance of their assigned duties on behalf of the Client. There are three basic types of access:

View/Read access to select or all standard and parametric reports
Full View/Read access to the data or parts of data
Transaction/Write access to the data or parts of data

Specific responsibilities:

Respecting the confidentiality and privacy of the data as defined by Client’s policies, State and Federal laws and regulations.
Adhering all policies and regulations in use, disseminations, disclosure, and disposal of data.
Accessing and using Data only in the performance of their duties and for no other purpose.

Data Standards & Data Dictionary

The Data Standards & Data Dictionary policy is established in a separate document as a subordinate policy, which is incorporated into this policy by reference.