resource management, data integrity, and computing environment

Resource Management, Data Integrity, and the Computing Environment. Sandra Featherson, Office of the Controller. Doug Drury, Information Systems & Computing. September 13, 2007

Upload: khanyasmin

Post on 21-May-2015


Page 1: Resource Management, Data Integrity, and Computing Environment

Resource Management, Data Integrity, and the Computing Environment

Sandra Featherson, Office of the Controller
Doug Drury, Information Systems & Computing

September 13, 2007

Page 2: Resource Management, Data Integrity, and Computing Environment

Agenda

● Computing Environment
● Resource Management
● Data Integrity

Page 3: Resource Management, Data Integrity, and Computing Environment

Computing Environment

Maintaining a reliable computing environment: Why is this important?

Page 4: Resource Management, Data Integrity, and Computing Environment

Computing Environment

● Physical Security
– Equipment is properly secured
– Equipment is maintained

Page 5: Resource Management, Data Integrity, and Computing Environment

Computing Environment

● Systems Development
– IS-10 – UC Policy
– Establish a plan
– Well trained technical professionals
– Identify projects
– Define scope, benefits, risks, priorities, timing, and implementation method

Page 6: Resource Management, Data Integrity, and Computing Environment

Computing Environment

● Systems Development
– What is ‘System Development’?
– Impact of the project
– Determine staffing, equipment, and other needs
– Funding requirements and sources
– Documentation of system

Page 7: Resource Management, Data Integrity, and Computing Environment

Computing Environment

● Other Things to Think About:
– Systems Management
– Password Maintenance
– Disaster Recovery
– Separating Employees

Page 8: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information: What Is It?

● SB1386 designed to address identity theft
– took effect July 1st, 2003
– added §1798.29, §1798.82 to State Civil Code (Information Practices Act)
– created disclosure requirements upon a security breach of systems containing “unencrypted” personal information

● An individual’s first name or initial and last name in combination with one or more of the following:
– Social Security Number
– Driver’s License Number
– Financial account or credit card number in combination with any password that would permit access to the individual's account

● See http://isc.ucsb.edu/decaf/SB1386.pdf for more information

Page 9: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information

UCSB Campus Roles

● Data Proprietor - A personal information data store proprietor is the department director or senior manager who is the functional owner of the application that is the primary source of the personal information. It is the responsibility of the data store proprietor to ensure that the inventory of personal information data stores is kept current for the data stores for which the proprietor is responsible.

Page 10: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information

UCSB Campus Roles

● Data Custodian - A personal information data store custodian is an individual or organization that is responsible for providing technical or system administration support for the data store. It is the responsibility of the personal information data store custodian to ensure that the implementation and administration of the personal information data store conforms to IS-3 requirements, as a minimum, and to campus and industry best practices for system security where appropriate.

● Campus Sensitive Data Incident Coordinator - Doug Drury [email protected]

Page 11: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information: Policy & Guidelines

● UC Policy IS-3 defines policy regarding management of Electronic Personal Information (as well as other information system issues): http://www.ucop.edu/ucophome/policies/bfb/is3.pdf

● UCSB Guideline provides process for handling exposure of personal information: http://www.oit.ucsb.edu/committees/ITPG/sb1386.asp

Page 12: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information: Best Practices

● Don’t Store It Unless Absolutely Necessary
● If You Do Store It
– Follow IS-3 Policy
– Retain contact information for stored individuals
– Submit Inventory Data To Campus Coordinator ([email protected])
– Follow Industry Best Practices For System Security
– UC Electronic Communication Policy allows UC campuses to encrypt personal information data stores – ENCRYPT IF POSSIBLE (http://www.ucop.edu/ucophome/coordrev/ucpolicies/policymanuals.html)

Page 13: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information: Incident Process

● Incident Detection
– Requires active monitoring of data store
– Requires extensive analysis to determine if a breach has occurred
– UCSB Guideline provides assessment guidance: http://www.oit.ucsb.edu/committees/ITPG/sb1386.asp

● Incident Handling Process
– Follow the UCSB Guideline closely
– Allow appointed UCSB/UC officials to handle any communication

Page 14: Resource Management, Data Integrity, and Computing Environment

Electronic Personal Information: Information Sources

● UC Policy: http://www.ucop.edu/ucophome/policies/bfb/is3.pdf
● UCSB Guideline: http://www.oit.ucsb.edu/committees/ITPG/sb1386.asp
● California Law: http://isc.ucsb.edu/decaf/SB1386.pdf

Finally – The UC/UCSB definition of Personal Data is evolving. You will be kept up to date if the definition changes.

Page 15: Resource Management, Data Integrity, and Computing Environment

Resource Management

● Financial Data
● Value of Budgets
● Analyze Costs, Benefits, and Risks
● Asset Management

Page 16: Resource Management, Data Integrity, and Computing Environment

Resource Management: Financial Data

● Verify data is accurate and complete
● Compare GLO60 to any Shadow System
● Review significant deviations
● Document corrective action

Page 17: Resource Management, Data Integrity, and Computing Environment

Resource Management: Value of Budgets

● Represents your financial plan for future periods
● Decisions based on data
● Proper use of resources
● Valuable control
● Evaluate resource opportunities

Page 18: Resource Management, Data Integrity, and Computing Environment

Resource Management: Value of Budgets

● Budget for:
– Departmental Operations
– Events
– Projects

Page 19: Resource Management, Data Integrity, and Computing Environment

Resource Management and SAS 112

● Department Key Controls
– GL Reconciliation
– Review of Budget Reports
– Equipment Inventory

Page 20: Resource Management, Data Integrity, and Computing Environment

Scenario #1

Your department is hosting an international conference. The expected number of participants is 250. Pre-registration is required. The PI, who is the host, believes $500 is the going rate for conferences.

In Groups: List the steps you would take to develop the budget and track expenditures for the conference.

Page 21: Resource Management, Data Integrity, and Computing Environment

Resource Management: Analyze Costs, Benefits, and Risks

Something sounds like a good idea, but is it?

Page 22: Resource Management, Data Integrity, and Computing Environment

Resource Management: Analyze Costs, Benefits, and Risks

● Components of Analysis
– Statement of Purpose
– Statement of Benefits
– Assumptions
– Impact on administrative support

Page 23: Resource Management, Data Integrity, and Computing Environment

Resource Management: Analyze Costs, Benefits, and Risks

● Components of Analysis
– Quantify costs (one time vs. on-going), space needs, and capital outlay
– Funding sources
– Potential risks/problems

Page 24: Resource Management, Data Integrity, and Computing Environment

Resource Management: Analyze Costs, Benefits, and Risks

● Components of Analysis
– Performance follow-up
– Did cost projections come in on target?
– Did the benefits outweigh the costs?
– Did the results meet expectations?

Page 25: Resource Management, Data Integrity, and Computing Environment

Scenario #2

Your department wants to purchase new desktops for the office.

In Groups: Do a cost-benefit-risk analysis for your department purchasing the desktops. Present your recommendations to the department.

Page 26: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● Cash
● Receivables
● University Resources/Equipment
● People

Page 27: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● Cash
– Proper receiving and storing
– Proper depositing and recording
– Reconcile the deposits

Page 28: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

Cash Management:

● Short Term Investment Pool (STIP)
● Depository bank accounts
● Disbursement bank accounts
– Vendor
– Payroll
● Balances are invested in STIP daily

Page 29: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

Cash Management:

● Short Term Investment Pool (STIP)
– Earnings are credited back to the funds which generated the interest
– The interest for “campus owned” funds is distributed back to the campus

Page 30: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● Receivables
– Do you have any?
– Collections
– Monitor status
– Collection Agencies
– Write Off

If you have receivables, you should be using the BA/RC process.

Page 31: Resource Management, Data Integrity, and Computing Environment

Discussion Item #1

Do you have any cash management issues?

Page 32: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● University Resources
– Use of the University Seal
– Use of the University Name/Logo

Page 33: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● Use of the University Name/Logo
– Policy 5010: “Use of the University’s Name”
● Use of the University Seal
– Policy 5015: “Use of the Unofficial Seal”

Page 34: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

Campus designees to authorize use of the seal/name/logo are:

● Meta Clow
● Jeri Pollard (for commercial products)

Page 35: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● Equipment
– Proper purchasing
– Proper tracking: Physical assets are compared to recorded assets and discrepancies are resolved
– Proper disposing

Page 36: Resource Management, Data Integrity, and Computing Environment

Resource Management: Asset Management

● People - This is our most important asset!
– Proper training
– Formal delegations
– Current job descriptions
– Timely evaluations
– Consistent and fair treatment

Page 37: Resource Management, Data Integrity, and Computing Environment

Data Integrity

Why do we care?

What could go wrong?

Page 38: Resource Management, Data Integrity, and Computing Environment

Data Integrity

How do you maintain data integrity?

● Separation of duties
– Small departments might need to partner with other departments
● Adequate documentation and description
● Well trained employees

Page 39: Resource Management, Data Integrity, and Computing Environment

Data Integrity

How do you maintain data integrity?

● Compliance with policies and procedures
● Coding Transactions Correctly
● Reconcile departmental reports to the GLO60
● Reconcile the GLO60 on a timely basis
● Record retention

Page 40: Resource Management, Data Integrity, and Computing Environment

Data Integrity: Coding Transactions Correctly

● Types of Costs
– Direct
– Indirect
– Unallowable
● Function of Cost
– Teaching
– Research
– Public Service
● Purpose of Costs
– Travel
– Office Supplies
– Services

Consistency in treatment of costs is a critical policy for the federal government.

Page 41: Resource Management, Data Integrity, and Computing Environment

Discussion Item #2

You are given a list of transactions for today’s activity.

Identify the correct coding for each transaction.

Page 42: Resource Management, Data Integrity, and Computing Environment

Data Integrity: Record Retention

Why is this important?

● The institution needs to consistently apply a records management program
● If your practice is to keep everything, you will be expected to produce what is requested
● If you can show that you consistently follow the record management program, the court will accept your inability to produce the record

Page 43: Resource Management, Data Integrity, and Computing Environment

Data Integrity: Record Retention

How long do we have to keep records?

● The UC Records Disposition Schedules Manual specifies the length of time records must be maintained by the office of record and others: http://www.policies.uci.edu/adm/records/721-11a.html

Page 44: Resource Management, Data Integrity, and Computing Environment

Data Integrity: Record Retention

Who is the office of record?

● The office of record is the office responsible for retaining the original record, and for producing a requested record

Page 45: Resource Management, Data Integrity, and Computing Environment

Data Integrity: Record Retention

Who do you call if you have questions?

● Meta Clow, the Campus Policy and Records Management Coordinator: [email protected]@vcadmin.ucsb.edu

Page 46: Resource Management, Data Integrity, and Computing Environment

Questions?