Data Governance and Management Policy

Data Governance and Management Policy
Type of Policy
Administrative
kcross8 Thu, 08/19/2021 - 10:34
Effective Date:
Review Date:
Policy Owner
Office of Information Technology
Contact Name
Zachary Hayes
Contact Title
Data Governance
Contact Email
zachary@gatech.edu
Reason for Policy

Information is critical to administration, planning, and decision-making and is a strategic asset of the Georgia Institute of Technology (“Georgia Tech” or “GT”) and the University System of Georgia (“USG”). To effectively and responsibly use information, data must be necessary and relevant, secure, well documented, and accessible for use by authorized, trained personnel as outlined in this policy and the corresponding guidelines, procedures, and resources referenced herein.

This policy outlines data governance and management requirements in compliance with the USG’s Business Procedures Manual (“BPM”) Sections 12.1 through 12.5 for Data Governance and Management.

Refer to the Georgia Tech Data Governance website for corresponding guidelines, procedures, and resources.

Policy Statement

2.1 Data Governance
The Georgia Tech data governance structure must include roles and committees to direct the proper use and handling of Organizational Data and Information Systems. The roles and committees as noted below in “Section 5 Responsibilities” must oversee the Data Governance, Data Management, Security, and Compliance of Georgia Tech Organizational Data and Information Systems as outlined in this policy and the corresponding guidelines, procedures, and resources. The GT technology governance structure must provide technical guidance to and support the work of the committees in the data governance structure. Learn more about the Data Governance structure.

2.2 Data Management
All Georgia Tech Organizational Data and Information Systems must be associated with appropriate Data Domains and Data Sub-Domains along with additional applicable categorizations to further assist with proper data management. Learn more about Data Domains. Learn more about Data Management Categorizations.

All Information Systems must be inventoried and have the ability to access and report documentation of the respective system’s Supporting Database schema and Data Elements. Learn more about Information Systems Inventory.

Additionally, all Mission-Critical Systems must have Data Element definitions for key elements, data quality controls and supporting documentation, and a method for communicating details about system and data availability and methods for individuals to report lack of availability. Learn more about Data Element Dictionary.

All Organizational Data must comply with USG and Georgia Tech retention and disposition requirements. Learn more about Records Management.

2.3 Data Security
Georgia Tech cybersecurity representatives, as appointed by the Chief Information Security Officer (“CISO”), must create policies, guidelines, procedures, and resources that facilitate a secure environment for the storage, use, and dissemination of Organizational Data to protect the confidentiality, integrity, and availability of information.

All Organizational Data must have a data protection categorization and a designated regulatory categorization (see “Section 2.4 Compliance”). All Protected Data must be protected in accordance with the appropriate Cyber Security Data Protection Safeguards and Protected Data Practices. These protections are recommended for all Public Data. Regulated Data is also subject to the controls specified in the applicable federal, state, local, and international laws and regulations as well as specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech. Such Regulated Data controls are required in addition to the controls specified in the Cyber Security Data Protection Safeguards and Protected Data Practices. When multiple controls exist, the strictest control will take precedent. Learn more about Data Protection Categorizations. Learn more about Cyber Security’s Data Protection Safeguards. Learn more about Cyber Security’s Protected Data Practices.

Access to an Information System via any interface (except user self-service) must be coordinated and reviewed through the Data User, associated Data Stewards for each applicable Data Domain, and the Data Administrator. Access to an Information System may require additional approvals (e.g., a Data User's supervisor) or may grant access through pre-approved role-based permissions. Access must be granted based on the Principle of Least Privilege, used only for the purpose for which it was originally intended, and used only by the individual Data Users who received approval. Additional training may be required by a Data Steward and/or a System Owner before access is granted. Human Resources must notify Data Stewards and Data Administrators when an employee is terminated or when an employee’s status has changed which requires a change to such employee’s access to Organizational Data and Information Systems. Access must be reviewed and verified on a regular basis to occur at a frequency determined by the Data Governance Committee. Learn more about Access Procedures.

All Georgia Tech units must ensure organizational structure, job duties, and business processes include an adequate system of separation of duties to reduce the risk of loss of confidentiality, integrity, and availability of Organizational Data. Learn more about Separation of Duties.

2.4 Compliance
Organizational Data must be closely managed to verify compliance with applicable federal, state, local, and international laws and regulations as well as specifications contained in Georgia Tech grants, contracts, and other agreements entered into by, or for the benefit of, Georgia Tech. All Organizational Data and Information Systems must have a designated regulatory categorization in order to identify applicable external regulatory requirements. Learn more about Data Regulation Categorizations. Learn more about Regulatory Compliance.

Training is required when a Data User enters any data governance and management role set forth in “Section 5.1 Roles.” Documentation of training participation and successful completion is required. Training must be completed on a regular basis, so employees are made aware of any updates to Policy, guidelines, procedures, or responsibilities of their role. Training frequency shall be determined by the Data Governance Committee. Learn more about Training.

The Data Governance Committee will appoint a Data Governance Officer to actively monitor compliance with this policy, guidelines, procedures, and resources. The roles and committees outlined in “Section 5 Responsibilities” must maintain appropriate documentation and general evidence that Georgia Tech is in compliance. Learn more about Monitoring. Learn more about Auditing.

Scope

This policy applies to all Georgia Tech units. Additionally, this policy applies to all Georgia Tech Information Systems and Organizational Data, including all data to which Georgia Tech has been granted stewardship by third parties. This policy does not address public access to Organizational Data as specified in the Georgia Open Records Act. Furthermore, this policy does not apply to documents and records that are the personal property of individuals in the Georgia Tech community including documents owned by students or personal intellectual property of professors or researchers. Learn more about this policy. Learn more about your role in data governance.

Policy Terms
  • Data Domain / Data Sub-Domain
    A logical representation of a category or grouping of Organizational Data that has been designated, named, and assigned accountability. Reference to a Data Domain includes the Data Sub-Domains within it. Learn more about Data Domains.
  • Data Element
    The smallest named item of Organizational Data that conveys meaningful information.
  • Individual Account
    Logical access to an Information System or Organization Data assigned to an individual Data User.
  • Information System
    The technology, software, and services administered for the purpose of creating, storing, managing, using, and gathering data and communication at Georgia Tech.
  • Mission-Critical System
    A data management categorization (see “Section 2.2 Data Management”) assigned by the Data Governance Committee to Information Systems that are key primary sources for Organizational Data. Unexpected downtime of Mission-Critical Systems could have a severe or catastrophic impact on Georgia Tech, presenting a high risk to Georgia Tech.
  • Organizational Data
    Data generated, owned, or managed, by or on behalf of, Georgia Tech including all data to which Georgia Tech has been granted stewardship by third parties. Organizational Data record facts, statistics, or information, which is read, created, collected, used, updated, reported, shared, stored, transferred, or deleted by Georgia Tech units. Data may be in any form, including electronic or physical. Organizational Data may reside in an Information System hosted by Georgia Tech or a third party.
  • Principle of Least Privilege
    Privileges of information resources permitting access to only what is necessary and relevant for the Data Users to successfully perform their job tasks and requirements.
  • Protected Data
    A data protection categorization (see “Section 2.3 Data Security”) where information is not generally available to parties outside of the Georgia Tech community. This is the default data protection categorization for Organizational Data. A Protected Data categorization does not always mean that the data contained therein is confidential or non-disclosable and such data may be subject to disclosure under the Georgia Open Records Act or other applicable laws and regulations.
  • Public Data
    A data protection categorization (see “Section 2.3 Data Security”) where information is targeted for public use. Examples include website content for general viewing and published press releases.
  • Regulated Data
    A data regulation categorization (see “Section 2.4 Compliance”) where information is bound by requirements of applicable federal, state, local, or international laws and regulations, and/or contractual obligations. This data must be guarded from disclosure; disclosure of this information may contribute to financial fraud and/or violate applicable federal, state, local, or international laws and regulations, and/or contractual obligations.
  • Service Account
    Logical access to an Information System or Organizational Data assigned to one or more Data Users through an established shared account.
  • Supporting Database
    The location where Organizational Data exists within an Information System.
Responsibilities

5.1 Roles
Data Owner

The President of Georgia Tech is the Data Owner and has ultimate responsibility for all Organizational Data.

Data Trustee
Data Trustees are Georgia Tech Executive Vice Presidents (or other direct reports to the President) who have overall responsibility for Organizational Data within their Data Domain(s). Data Trustees are appointed by the Data Owner.

Associate Data Trustee
Associate Data Trustees are executives (at the level of Vice President/Vice Provost or higher) who have responsibility for implementing and managing Data Trustee efforts. Associate Data Trustees are appointed by a Data Trustee.

Data Steward
Data Stewards are Georgia Tech leaders (at the director level of a division/unit) who have day to day responsibility for Organizational Data within their Data Sub-Domain(s). Depending on the size and complexity of a functional division/unit, it may be necessary, and beneficial, for the Data Steward to appoint an Associate Data Steward(s). Data Stewards are appointed by a Data Trustee or an Associate Data Trustee.

Associate Data Steward
Associate Data Stewards are division/unit subject matter experts who have responsibility for implementing and managing Data Steward efforts. Associate Data Stewards are appointed by a Data Steward.

System Owner
A System Owner is a technical expert who has overall responsibility for the data management, security, and compliance efforts of an Information System. Each Information System must be assigned a System Owner.

Technical Manager
A Technical Manager is a technical expert who has day to day responsibility for the data management, security, and compliance efforts of an Information System, including the safe transport and storage of data, establishing and maintaining the underlying infrastructure, and performing activities required to keep the data intact, maintained with data quality controls, and available to Data Users.  Each Information System must be assigned a Technical Manager, appointed by the System Owner.

Data Administrator
A Data Administrator is a technical expert who has responsibility for the provisioning of access to the Information System. Each Information System must be assigned one or more Data Administrators, appointed by the Technical Manager.

Data User
Data Users are Georgia Tech employees, affiliates, contractors, consultants, and vendors who access Organizational Data to perform their assigned duties. Data Users are responsible for safeguarding their access privileges, for the use of Organizational Data in conformity with all applicable Georgia Tech Policies and procedures, and for securing such data in accordance with cybersecurity policies and procedures. Data Users are responsible for the ethical use of Organizational Data.

Human Resources
The central office for Human Resources that maintains the official record of employee new hire, status change (either in job function, job status, or transfer to another unit), or termination. Human Resources must notify appropriate roles (as noted in “Section 2.3 Data Security”) when an employee is terminated or when an employee’s status has changed which requires a change to such employee’s access to Organizational Data and Information Systems.

Chief Information Officer / Chief Information Security Officer
The Chief Information Officer (“CIO”) and the Chief Information Security Officer (“CISO”) are each responsible for the technical infrastructure of Georgia Tech to support the Organizational Data needs and assets, including availability, delivery, access, and security across their operational scope. The CIO and the CISO will work closely with other Georgia Tech entities that contribute to the governance, privacy, compliance, strategy, and risk management of Georgia Tech Organizational Data and Information Systems.

Data Governance Officer
A Data Governance Officer is an individual assigned the responsibility of providing guidance, committee support, monitoring, and general oversight to data governance and management efforts. The Data Governance Officer will work closely with other Georgia Tech entities that contribute to the privacy, security, compliance, strategy, and risk management of Georgia Tech Organizational Data and Information Systems. A Data Governance Officer will be appointed by the Data Governance Committee.

5.2 Committees
Data Governance Committee

The Data Governance Committee is comprised of a selection of Associate Data Trustees and other Georgia Tech leaders (including faculty, staff, and student representatives) as appointed by the Data Owner. The Data Governance Committee is responsible for recommending policy, approving procedures, and providing guidance, direction, and support for data governance, management, security, and compliance efforts.

Data Management Committee
The Data Management Committee is comprised of a selection of Data Stewards and other Georgia Tech leaders (including faculty, staff, and student representatives) as appointed by the Data Governance Committee who are representative of Georgia Tech’s Data Domains. The Data Management Committee is responsible for collective decision making regarding substantive changes to Organizational Data that apply across Georgia Tech’s Data Domains.

Data Domain & Technology Sub-Committees
A Data Domain & Technology Sub-Committee is comprised of Associate Data Trustees, a selection of Data Stewards, and technology experts who are representative of the Organizational Data, business processes, service delivery, and Information System use within the Data Domain. Each Data Domain and Technology Sub-Committee is responsible for collective decision-making concerning substantive changes to Organizational Data and Information Systems within the specific Data Domain.

Frequently Asked Questions:

  • Does the Georgia Tech Data Governance and Management Policy replace the existing Georgia Tech Data Access Policy?
    Yes. Updates to the Georgia Tech Cyber Security Data Categorization resource and Data Protection Safeguards resource have been updated to align with this policy.
  • Where can I find details on the procedural requirements of this policy?
    For more guidelines, procedures, and resources related to the Data Governance and Management Policy, please visit the Georgia Tech Data Governance website. Learn more about this policy and resources.
  • What is the difference between Public, Protected, and Regulated Organizational Data?
    All Organizational Data will be assigned a data protection categorization of “Public” or “Protected,” which determines the minimum Georgia Tech data protection practices that must be followed. Organizational Data will also be categorized with a data regulation categorization of “Not Regulated” or “Regulated,” which may increase the minimum data protection practices that must be followed depending on the requirements of the regulation(s) that apply to the Organizational Data.
  • Are Service Accounts treated the same as Individual Accounts for the purpose of this Policy and the corresponding guidelines, procedures, and resources referenced herein?
    Yes. Service Accounts and Individual Accounts are treated the same.
  • What are some examples of Information Systems?
    Some common examples of Information Systems are Banner, OneUSG Connect, and Workday.  Some less recognized systems that are categorized as Information Systems are GitHub, DocuSign, and Microsoft 365.
  • Can someone serve more than one role as defined in “Section 5.1 Roles”?
    Yes. Examples may include:
    - An Associate Data Trustee of financial Organizational Data who also is a Data User of human resources Organizational Data
    - A System Owner for a small-scale Information System may also be the Technical Manager and Data Administrator for that Information System
Enforcement

Georgia Tech, the University System of Georgia, and/or the state of Georgia may periodically audit compliance with this policy.

To report suspected instances of noncompliance with this policy, please contact the Data Governance team at: datagovernance@gatech.edu

Additionally, to report suspected instances of ethical violations please visit Georgia Tech’s Ethics Hotline, a secure and confidential reporting system, at: https://secure.ethicspoint.com/domain/en/report_custom.asp?clientid=7508

Policy History
Revision Date Author Description
09/20/2021 Data Governance New Policy