DATA AND APPLICATION CONTROL POLICY
The purpose of the Data and
Application Controls Policy is to make sure
that data which are removed from the ASU Data
Warehouse and stored locally in campus units
are appropriately protected to ensure security,
integrity and availability. This policy applies
to all ASU Data Warehouse users and application
developers as well as to managers of units that
store Warehouse data locally.
It is a common and necessary
practice to query the ASU Data Warehouse and
save data locally on departmental computers,
disks and networks. Often the data are saved
in application software such as BrioQuery, or
Microsoft products such as Word, Excel and Access.
In some cases, Warehouse data may be imported
into a college or department database such as
SQL Server, Sybase or Oracle.
This policy is intended to inform
Data Warehouse users and their managers about
computer-related controls that they should use
when maintaining Warehouse data locally. Access
Controls are necessary to limit and/or detect
access to data or applications, thereby protecting
these resources against unauthorized modification,
loss, and disclosure. Service continuity controls
are designed to prevent and minimize potential
damage and interruption which may make data
or applications containing Warehouse data unavailable.
Failure to appropriately consider these controls
may result in a Data Warehouse user's access
being removed.
ACCESS CONTROLS
Access Controls should provide reasonable assurance
that data and applications are protected against
unauthorized modifications, disclosure, loss
or impairment. Such controls include physical
controls, such as keeping a computer in a locked
room to limit physical access, and logical controls
such as security software programs designed
to prevent or detect unauthorized access to
sensitive files.
Security software provides a
means of specifying who has access to a system,
who has access to specific resources, and what
capabilities authorized users are granted. An
operating system such as Microsoft NT can fulfill
this function by assigning user IDs with properly
maintained passwords and by assigning user ID-based
file permissions. Data users must take note
of where files are maintained and archived,
and understand when and how to delete them.
Users should use caution when storing data and applications
on network drives, as they must be accessible
to authorized Warehouse users only. Care must
be taken to permanently erase all data files
on a computer or disk before transfer to another
unit, and upon termination, an employee's access
must be removed.
SERVICE CONTINUITY CONTROLS
Service continuity controls are designed to
prevent and minimize potential damage and interruption
which may make data or applications containing
Warehouse data unavailable. Locally developed
applications may become critical to the mission
of campus units. Controls developed to provide
service continuity are best planned by management
level staff based on the criticality of the
data or application to the mission of the unit.
These might include:
Appropriately Trained Staff
Data or an application may become unavailable
in the event that the only staff member who
understands the data resigns. Management must
take appropriate steps to ensure adequate
staffing for data and applications that are
considered necessary to the functioning of
the unit.
Back Up of Data and Applications
Backing up a data file on a hard drive can
be as simple as copying it to a floppy disk,
a network drive, or a zip disk. In situations
where large volumes of data are stored and
applications that manipulate the data are
in use, more traditional backup schemes may
be used, e.g., nightly or weekly dual tape
backups with one copy being stored remotely.
For applications with many transactions, transaction
logging may be considered in addition to tape
or disk dumps. An effective backup plan will
allow recovery of all data and applications
with minimal time and effort.
Protection from Viruses
To protect valued data and applications from
viruses, virus identification and removal
software is critical. Information on virus
software for use at ASU is available at http://www.asu.edu/antivirus/
Documentation and Training
Developing appropriate documentation regarding
stored data and applications is critical so
that they are not lost if the staff member who developed
them leaves the unit or is absent. Documentation
should show managers, users, and others what
the system is supposed to do and how it should
perform. Documentation should include program
flowcharts defining inputs and outputs, data
diagrams, commented source programs, report
printouts, operating instructions, testing
procedures and modification history when applicable.
Both application and data policy training
must be provided for other staff members who
will use the data or application.
Environmental Controls
It may be important to provide appropriate
temperature conditions for servers and workstations,
protection in case of fire, temporary power
supplies for equipment to operate in case
of a power failure, and surge protectors to
prevent equipment from being damaged by electrical
spikes.
Not all of the controls listed
above may be necessary for all Warehouse data
that are stored locally. Service continuity controls
should be appropriate to ensure that critical
operations continue without interruption or
are promptly resumed in the event of interruption,
and that critical and sensitive data are protected.
At a minimum, Access Controls must be used to
prevent unauthorized access to Warehouse data.