ROWAN UNIVERSITY POLICY

 

Title: Data Governance: EIS Policies & Procedures

Subject: Information Resources and Technology

Policy No: IRT: 2014:XX

Applies: University-wide 

Issuing Authority: Vice President for Information Resources and Technology, Chief Information Officer

Responsible Officer: Vice President for Information Resources and Technology, Chief Information Officer

Adopted: XX/XX/2014

Amended: XX/XX/2014

Last Revision: XX/XX/2014

I. PURPOSE

This policy is intended to cover any Enterprise Information Services (EIS) for which a separate, approved EIS policy does not exist. All EIS-specific use policies must be consistent with this EIS policy. Additional rules and regulations may be adopted by academic and administrative units to meet specific administrative or academic needs. Such additional requirements must be in compliance with applicable federal and state laws, any contractual agreements with the University and its Vendors, and this policy.

II. ACCOUNTABILITY

Under the direction of the Chief Information Officer, Rowan University management shall implement and ensure compliance with this policy.

III. APPLICABILITY

A. This policy applies to all members of the Rowan community who seek to acquire, develop, manage, or use Enterprise Information Services. It also applies to any contractors, vendors, or service providers who may access, host, receive, transmit, or otherwise use Rowan’s EIS data.

B. For the purposes of this policy, EIS is defined as:

Enterprise Information Services is responsible for providing critical enterprise software services, applications and support to enable administrative and academic functions to operate effectively, efficiently and securely.

C. HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) is the federal law passed by Congress in 1996 that requires the protection and confidential handling of protected health information.

IV. DEFINITIONS

A. Information Resources and Technology (IRT) – the Rowan University department responsible for the governance of all information and technology.

B. FERPA – The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects students' privacy by prohibiting disclosure of education records without adult consent.

C. Managing Unit – The Rowan University academic or administrative representative, department or division vested with the day-to-day operations of EIS.

V. POLICY

A. Security of Rowan University’s Banner Systems 

  1. Internal and external auditors routinely examine access to and security of Rowan’s Banner ERP system, based upon industry standards and other appropriate means of evaluation. Issues, if any, are identified, and recommendations for changes/improvements are presented to the Audit Committee of the Rowan University Board of Trustees (BOT). Upon adoption by the BOT, recommendations become mandates for action. Follow-up reviews are made by the auditors to determine if compliance is achieved and maintained.
  2. All mandates issued are complied with, or the auditors inform the Audit Committee of the BOT of any lingering deficiency.
  3. Oracle and Ellucian product security features are built in to protect data integrity.
  4. Audit trails are maintained by Enterprise Information Services staff, and within Banner, for all user accounts created, the privileges granted each account (i.e., what the user can view and/or update), and any changes made to such privileges for an account.
  5. Requests for creation of user accounts are routed to the office/functional area that is the steward for the information (e.g., Registrar for student records information; Human Resources for personnel data; Finance/Controller for financial data).
  6. EIS security staff may create accounts only upon receipt of requests from the approval-awarding office and only for the privileges specified. A security audit log is updated daily with all of the transactions that took place that day.
  7. If questions arise about access to a particular system, or about access by a specific user (account) to a specific system in a given time frame, the Database Administrators can run audits and produce access reports.

  

By Direction of the CIO:

                                                                         

__________________________________

Mira Lalovic-Hand,

VP and Chief Information Officer