Information Technology Services

Request for Data Use Beyond System-of-Record Process

Purpose

The purpose of the Administrative Information Security Committee (hereafter referred to as "Security Committee") as described in its charter is to "Promote good security practices related to and provide appropriate access to data for which an administrative application is the official systems of record." Banner is the official system of record for the greater part of UNCG's administrative data but the Security Committee's purview extends to data residing in other administrative systems as well. The review process defined in this document only covers data security concerns. This review process is not intended to cover product suitability, capacity, performance, cost-effectiveness, ADA compliance or any other aspect of the application unrelated to data security.

Many special purpose applications, including those purchased or developed in departmental areas, have been and continue to be implemented across UNCG that require an interface with Banner to feed data to or from Banner. As data becomes replicated across multiple systems, the potential risk of improper use of the data increases. In exercising due diligence in maintaining an appropriately secure environment for UNCG administrative data, the Security Committee must understand these special purpose systems and the data to be used in them. Approval by the Security Committee is required for these types of interfaces.

The Security Committee wishes to engage with any party considering usage of a special purpose application that may require an interface with Banner. The Security Committee definitely wishes to avoid having to disapprove the use of data after an application has been purchased or developed.

Review Process

The review steps below are arranged within recommended timeframes, i.e. "Upon Consideration of a new Application" and "Pre-Acquisition". Even if the timeframe is compressed, the "Proposed Application Data Security Questionnaire" (.docx format) must be completely filled out and reviewed by the Security Committee before approval can be granted.

  1. Upon Consideration of a new Application
    1. Requestor - Any party considering use of a special purpose system requiring an interface to/from Banner should complete at least the General Information section of the "Proposed Application Data Security Questionnaire" (.docx format) and send it to the current chair of the Administrative Information Security Committee. If assistance is needed in completing the questionnaire, first contact the appropriate divisional representative on the Security Committee. Security Committee representatives are listed at http://banner.uncg.edu/projectteam. A request to attend an upcoming Security Committee meeting should be made. It is recommended that individuals who would fill a technical support role accompany a functional support person.
    2. Security Committee Chair - Upon receipt, the chair will forward this information to committee members and make this an agenda item for the next monthly Security Committee meeting.
    3. Security Committee Chair - The Committee chair may ask the requesting party to attend the next monthly Security Committee meeting.
  2. Pre-Acquisition
    1. Requestor - Complete all sections of the "Proposed Application Data Security Questionnaire" (.docx format) and send it to the current chair of the Administrative Information Security Committee.
    2. Security Committee Chair - Upon receipt, the chair will forward this information to committee members and make this an agenda item for the next monthly Security Committee meeting.
    3. Security Committee Chair - The Committee chair may ask the requesting party to attend the next monthly Security Committee meeting.
    4. Security Committee Chair - Depending on the complexity of the system, the Security Committee may request a formal security assessment from the Information Technology Security Officer. This formal assessment may require collecting more detailed information about the system under consideration.
    5. Security Committee Chair - The Security Committee will provide written approval/disapproval for use of a particular product, or of data to be used with the product, based on the information provided in the "Proposed Application Data Security Questionnaire" (.docx format) and learned in discussions during Security Committee meetings. Approvals and disapprovals will be made in writing.
  3. Post-Acquisition/Implementation
    1. Requestor - The "Proposed Application Data Security Questionnaire" (.docx format) must be updated with any new information gained during implementation of a product or actual use of the product. Any cause for a material change to the Specification will require review by the Security Committee.
    2. Security Committee Chair - The Security Committee chair initiates a review of the MOUs per the review frequency documented in the MOU.