50 likes | 180 Views
Berkeley Data Authorization Process. MATCHING DATA with IT SERVICES. CISPC, April 19, 2012 Lisa Ho, IT Policy Manager, Berkeley Privacy & Policy Office. Berkeley Data Authorization Process. The Questions. What is restricted and notice - triggering data?
E N D
Berkeley Data Authorization Process MATCHING DATA with IT SERVICES CISPC, April 19, 2012 Lisa Ho, IT Policy Manager, Berkeley Privacy & Policy Office
Berkeley Data Authorization Process The Questions What is restricted and notice-triggering data? From Resource Proprietors (functional owners): What service providers (on or off-campus) are appropriate for my data/system? From Resource Custodians who provide/manage IT services: What kind of data is under my custodianship What security controls are required? Can I host restricted/notice-triggering data? From End Users: Where can I store my restricted data?
Berkeley Data Authorization Process The Answers • Classify campus data • Definitions and process • Secure campus data • Authorize data use • Approve services (on and off campus) for a data class • Develop an information bank • Publish approved services • Reduce duplication of work • Respond to the Business Finance Bulletin IS-2 • Classify, inventory, and define appropriate security controls for institutional data
Berkeley Data Authorization Process What is the process? A: General System Inventory B: Protected Data Screen C: Data Privacy Questionnaire D: Privacy Impact Assessment E: Data Classification F: Baseline Risk Questionnaire G: Information Risk Assessment H: Resource Proprietor Approval A: General System Inventory B: Protected Data? Yes More Review No H: Resource Proprietor Approval Data Authorization Issued https://security.berkeley.edu/content/data-authorization-process-draft
High-level Rollout Plan • Pilot • Off-site hosting • Systems in the spotlight • Expand to other systems • Eventually align with campus OE initiatives Berkeley Data Authorization Process