Data Warehouse Security
· Responsibility and Confidentiality
· Querying Data with Security Restrictions
· Data Stewardship Best Practices
Responsibility and Confidentiality
The Data Warehouse contains confidential and sensitive University data.
In order to use its data, you must have proper authorization. Your authorization means that you have the authority
to use the data and the responsibility to share stewardship of the data
with the other users of the collection.
Once authorized, you can access the data that you need to do your job.
All authorized users are cautioned, however, that they are entrusted to
use the data they retrieve from the Warehouse with care. Confidential
data should not be released to others except for those with a "legitimate
need to know."
Please remember that you should never share Business Objects queries
with other users with the data intact -- send the query without the data.
More information about sending and saving Business Objects documents.
Querying Data with Security Restrictions
If you execute a query requesting data that you are not authorized to
access, you will get results which may be incomplete because they are
missing the data you are not allowed to access.
If your authorization is limited to a specific set of data, be sure when
querying the data that your record selection conditions include your security
restrictions. For example, if you are authorized to access just data for
a particular department, one of your record selection conditions should
state something like "If Organization= 'My Organization'," where My Organization
is the code of your department. This will document why the query gets
the results it does, and will also help your query run faster.
Data Stewardship Best Practices
One of the most effective ways for Penn to safeguard the privacy and security of student, faculty, staff and other information is to make sure that it is only shared with people who clearly need it to do their jobs. This seemingly simple safeguard is sometimes though not so simple to implement.
Penn's Office of Information and Security and Office of Audit, Compliance and Privacy have developed best practices to assist data stewards in ensuring appropriate data controls in IT systems. The best practices focus on procedures for granting, reviewing and terminating data user access as well as appropriate training for data users. Data stewards of all systems, and particularly large systems with sensitive information, should ensure that they are adhering to the controls found in these best practices. Any questions can be directed to Data Administration or to the Office of Information Security.