Data Governance

All Towson University (“the university”) employees, students, affiliates, and others granted access to university data or university information systems are responsible for understanding the terms and conditions under which they may access and use university data. These guidelines define the roles and their required responsibilities.

For data classification and definitions, please see the University’s Data Classification Standards

Everyone at TU should follow the Cybersecurity Incident response process to report any possible data breach. If you have questions or comments about these Roles and Responsibilities guidelines, please contact us.

Email us Report a Cybersecurity Incident

Roles and Responsibilities

University President

The President of the University has ultimate responsibility for the University’s Information Security Program and, specifically, the protection of confidential and protected data as part of the University’s Data Governance Program. The President has delegated responsibility for the Information Security Program and the Data Governance Program to the Chief Information Officer and Data Trustees.

Chief Information Officer

The Chief Information Officer (CIO) is the individual designated to have executive oversight of the University’s Information Security Program and Data Governance Program, and for the evaluation and classification of data. The CIO is also responsible for leading the Data Governance Committee (DGC).

Data Trustee

This senior-level employee (e.g. Provost, Vice Presidents, etc.) reports to the President and has authority over policies, standards and guidelines, and overall university strategy regarding the confidentiality, integrity, availability and quality of data within their delegations of authority. Responsibilities of a Data Trustee include:

  • Establish policies and direction for the overall security and privacy of all university data, particularly highly sensitive data, within their respective areas of responsibility.
  • Appoint and oversee a Data Steward(s) for data within their delegation of authority.
  • Appoint appropriate representative individuals to the Data Governance Committee.
  • Review appeals to decisions that denied access to university data within their area of responsibility.

Data Steward

A Data Steward oversees the lifecycle of one or more subsets of university data and is responsible for data access and policy implementation issues. The Data Steward works closely with their Data Trustee to ensure proper classification and management of the data they oversee. Responsibilities of a Data Steward should not be delegated, should be performed by the appointed individual, and they include:

  • Oversee access and protection requirements to ensure they are consistent with University policies and that data classifications are in place.
  • Monitor the integrity and quality of all data within their area of responsibility.
  • Establish definitions of the data assigned to them.
  • Establish the appropriate classification of data assigned to them and manages updates to the classification based on changes in university policies and standards, as well as USM, state, and federal regulations.
  • Provide guidance to departments and individuals within the area of responsibility on data access and policy implementation.
  • Review and approve requests for data, as appropriate.
  • Determine the appropriate criteria for obtaining access to university data.
  • Identify and coordinate on an ongoing basis with Data Custodians utilizing data in their delegation of authority.

Data Governance Committee (DGC)

The DGC is the managing authority for the University’s Data Governance Program. The DGC strategically and proactively addresses issues related to data and information management across the university. Specific oversight responsibilities include:

  • Develop and implement a university-wide data governance program and documents and disseminates data governance policies and procedures.
  • Establish policies and direction related to the confidentiality, integrity, availability, and quality of University data.
  • Coordinate compliance requirements related to laws and regulations that have information management implications.
  • Recommend and approve controls or plans for assessing data management value and risk.
  • Advise on university-wide data management practices for decision-making, including master data management and business intelligence.
  • Review and approve requests for data that would transition applications to a higher risk level.

Chief Information Security Officer (CISO)

The CISO is the individual designated by the CIO as responsible for the development, implementation, oversight, and maintenance of the University’s Information Security Program. The CISO distributes Information Security Data Protection standards by data classification level that assists Data Stewards in establishing the controls necessary for the data in their delegation of authority.

Director of Enterprise Applications & Analytics

The Director of Enterprise Applications & Analytics is the individual designated by the CIO as responsible for the IT processes and controls to ensure that information at the data level is true and accurate, and unique (not redundant) and aligns with the business objectives of the University by providing leadership, guidance, awareness, and operational support for the data governance program.

Data Governance Lead

The Data Governance Lead is responsible for coordinating the formation and execution of data governance framework, policy, standards, and communication. This role assists in the implementation and maintenance of an enterprise data governance program and will participate with projects that involve any of the data flows and processes.

University Data Custodian

University Data Custodians are responsible for protecting all University data from unauthorized access, alteration, destruction, or usage and for providing Application Data Custodians and Data Managers with requirements to protect the confidentiality, quality, and availability of data within their application. Responsibilities include:

  • Develop policies, procedures, and guidelines for management, security and access to data according to University policies and standards as well as state and federal regulations.
  • Provide guidance to the Data Manager on technical safeguards and requirements as required by the Data Classification.
  • Assist in establishing necessary security and access requirements for data in electronic form.
  • Coordinate activities of the Application Data Custodian and Data Manager when changes made by the Data Trustee, Data Steward, or Data Governance Committee require alterations to administrative, operational, and/or technical controls within the application.
  • Audit all applications on a continuous basis to ensure compliance with requirements.
  • Understand and report on security risks and their impacts.
  • Provide guidance on awareness or training needs required by users for access to University applications.

Application Manager

The Application Manager is responsible for operation and maintenance of a University application or set of applications. With respect to Data Governance, the Application Manager establishes security awareness and maintains compliance with federal and state regulations, University policies, and data classification standards for the application(s) in their delegation of authority. The Application Manager may also be an Application Data Custodian. Responsibilities include:

  • Oversee the confidentiality, integrity, and availability of the application(s) for which they are responsible.
  • Promote security awareness and training for users of the application(s).
  • Maintain compliance with federal and state regulations, University policies, standards and guidelines in all application activities.
  • Designate and delegate responsibility to an Application Data Custodian and Data Manager for the application.

Application Data Custodian

An Application Data Custodian implements, manages, and operates an application or set of applications. The Application Data Custodian has responsibility for application-specific technical considerations regarding the confidentiality, integrity, availability and quality of data within a specific application. Depending on the size or complexity, an application may have more than one Application Data Custodian. An application should have both an Application Data Custodian and a Data Manager. To ensure proper separation of duties, an Application Data Custodian should not be the same individual as the Data Manager. Based on the risk profile the Director of Information Security may allow both roles be managed by one individual. The Application Data Custodian may also be the Application Manager. Responsibilities include:

  • Provide a secure and stable infrastructure in support of the data, including usability, reliability, integrity, physical security, and backup and recovery processes.  
  • Implement appropriate physical and technical safeguards to protect the confidentiality, integrity, and availability of University data and identifies possible security risks/gaps.
  • Implement technical controls at the direction of the University Data Custodian.
  • Ensure appropriate handling of data given the data classification assigned by the Data Steward.
  • Understand how application data are stored, processed, and transmitted given the data.
  • Provide user access to data as defined by the Data Steward and approved by Data Manager.
  • Review user access and works with Data Manager to have role changes (e.g., new roles, role changes, etc.) approved as appropriate and removes user access as necessary.
  • Understand and report on security risks and their impacts.
  • Ensure that responsibilities within their office and delegated to third party vendors or other custodians are met.

Data Manager

A Data Manager has direct, day-to-day operational responsibility for university data within an application or multiple applications. There may be multiple Data Managers for a given application. To ensure proper separation of duties, a Data Manager and Application Data Custodian should not be the same individual designated as the Data Manager or the Application Manager. Special circumstances may be reviewed and approved by the Data Governance Committee that allows that both roles be managed by one individual. Responsibilities include:

  • Implement appropriate procedural and operational safeguards to protect the confidentiality, integrity, availability, and quality of University data working in conjunction with the application data custodian.
  • Perform analysis and provides recommendations in coordination with other Data Custodians when requests for data are being considered.
  • Ensure appropriate handling of data given the data classification assigned by the Data Steward.
  • Understand how application data are stored, processed, and transmitted.
  • Ensure compliance with requirements as specified by the Data Stewards for the handling of data processed by the application.
  • Ensure users of the application are aware of and compliant with the data classification standards and data governance policy.
  • Ensure that responsibilities within their office and delegated to technical administrators, third-party vendors, or other parties are met.

Data User

For the purpose of data governance, a Data User is any employee, contractor, or duly authorized member of the community who is authorized to access university systems or data. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for protecting the security and integrity of that data. Any university employee with access to university data can be considered a Data User. Responsibilities include:

  • Protect all data and access to data in their care. Recipients of Confidential Data are responsible for maintaining the restricted nature of the data.
  • Use data and access to data only as required in the performance of legitimate University functions and their job.
  • Adhere to applicable Federal and State laws, requirements of any applicable contracts, and University policies, standards and procedures as part of the University’s Data Governance Program.

Responsible Executive and Office

Responsible Executive: Vice President for Administration & Finance and Chief Financial Officer Responsible Office: Office of Technology Services (OTS)

Related Policies & Guidelines

Information Technology Security PolicyData Governance Policy, Standards for Data Classification