Data Governance
What is Data Governance?
Data is a valued asset maintained and utilized by the University of Louisville to support our strategic goals. Institutional data, while not owned by units, is effectively and securely managed by units on behalf of the university.
Data governance is an institution-wide framework of principles to define and manage the availability, usability, integrity and security of an institution’s data (information in digital form) based on internal policies, processes and compliance standards.
Data governance, for the University of Louisville, ensures that our data is secure, private, accurate, available and usable. It includes the actions people must take, the processes they must follow, and the technology that supports them throughout the data life cycle.
Data governance looks to achieve a range of goals:
- Definition of data
- Security, compliance and privacy of data
- Stewardship of data
- Availability of data
- Utilization and quality of data for business decisions
- Enforcement of data policies
Classification Levels
The University intentionally provides this information to the public.
L2 Examples:
- Published research
- Course catalogs
- Published faculty and staff information
- Student directory information*
- Basic emergency response plans (life safety)
- University-wide policies
- UofL publications
- Press releases
- Published marketing materials
- Regulatory and legal filings
- Published annual reports
- Code contributed to Open Source
- Released patents
- Plans of public spaces
* Directory information about students who have requested FERPA blocks must be classified and handled as L3, at minimum.
The University chooses to keep this information private, but its disclosure would not cause material harm.
L2 Examples:
- Department policies and procedure
- Employee web/intranet portals
- VofL training materials
- Pre-release articles
- Drafts of research papers
- Work papers
- Patent applications
- Grant applications
- Non-public building plans or layouts (excluding L3 or L4 items)
- Information about physical plant (excluding L3 ana L4 items)
- Non-sensitive administrative survey data
Disclosure of this information beyond intended recipients might cause material harm to individuals or the University.
L3 EXamples
- Non-directory student information
- Non-published faculty and staff information
- Information protected under FERPA, in general
- ULID tied to an individual
- Personnel records**
- Donor information (excluding L4 data points or special handling)
- Non-public legal work and litigation information
- Non-public financial statements
- Information specified as confidential by contracts and NDAs
- Information specified as confidential by Data Use Agreements
- Security Findings or reports (e.g. SSAE16, vulnerability assessment and penetration test results)
- Most UofL source code
- Non-security technical specifications/architecture schema
- Library/museum object valuations
- IRB records
- Sensitive administrative survey data, such as performance reviews or course feedback, especially if free text response is permitted
**Employees have the right to discuss terms and conditions of their own employment, including salary and benefits, with each other or with third parties.
Disclosure of this information beyond specified recipients would likely cause serious harm to individuals or the University.
L4 Examples
- Passwords and PINs
- System credentials
- Private encryption keys
- Government issued identifiers (e.g. Social Security Number, Passport number, driver's license)
- Individually identifiable financial account information (e.g. band account, credit or debit card numbers)
- Individually identifiable health or medical information***
- Security system procedures and architectures
- Trade secrets|
- Systems managing critical Operational Technology
***UofL units or programs that qualify as "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) must comly with HIPAA's data security rules.
Data that could place the subject at severe risk of harm or data with contractual requirements for exceptional security measures.
L5 Examples:
- Research data classified as Level 5 by IRB
- Information or research under a contract stipulating specific security controls beyond L4
Control Requirements
- Proper user authentication and authorization prior to data access
- Users with elevated access must have 2nd factor authentication
- Log in attempts must be controlled
- Where technically feasible, data is encrypted when not accessed. Encryption can occur at the database, application, OS levels, or hardware level. Where not technically feasible, other compensating controls, such as physical security controls, must be implemented to protect the data at rest.
- Transmission of data through its flow must be secure via cryptographic means or other secure means (e.g., locked box during transport, etc.). Network traffic must be encrypted using strong cryptography (e.g., TLS v1.2)
- Data must go through integrity checks during transmission and actions through software and hardware controls. (e.g., ECC RAM, SHA-256, data validation)
- Systems where data is stored must have security and access logs enabled.
- Data must be secure-wiped (e.g., DBAN) from storage media prior to destruction or re-use.
Acronym Key
Health Insurance Portability and Accountability Act
- Federal law that sets a national standard to protect medical records and other personal health information.
Family Educational Rights and Privacy
Social Security Number
Payment Card Industry
Kentucky Revised Statutes
International Traffic in Arms Regulations
Institutional Review Board