An overview of the DSSR
Data sharing requests inform Data Stewards about key compliance issues. For example, they cover:
- The sensitivity of data requested,
- Any laws or regulations that apply, and
- How the requesting system (or service) meets security requirements.
With the DSSR, Data Stewards have the security info they need to make an informed, risk-based decision.
When do DSSRs apply?
There are two scenarios that require a request.
- When sharing data with external parties, such as an online service, and
- When sharing Confidential or Restricted data internally.
Here is a common example.
A University department purchases an online application to help them improve a service. But for the application to perform as intended, it needs to access information inside Banner—the student information system.
To use Banner data, the department will request access from the Data Steward responsible for Student data. However, before the Data Steward approves, they need to know whether the department's application meets security requirements.
This is where the DSSR comes in. It answers important security questions and gives Data Stewards the information they need to make a decision.
The DSSR Process
This section describes the roles and their responsibilities in the DSSR process.
There are four roles in the request process.
- Organizational Unit (OU) - the University department requesting data.
- Data Steward - the role responsible for making security decisions for information under their charge.
- Technical Expert - an individual who can answer technical questions about the request. Typically, this person works for the online service's company or is a local system administrator.
- University Information Security Office (UISO) - the University department that provides security and consulting services.
The Organizational Unit will:
1. Identify the appropriate Data Steward.
This roster of data stewards will help you identify the right individual. For example, the Data Steward responsible for Student Records is the Registrar.
2. Determine the classification of the data involved.
Data can fall into one of four classification levels: Public, Internal, Confidential, and Restricted. The data classification [pdf] will help you determine which level applies.
3. Request security compliance information from the Technical Expert.
The OU will ask the Technical Expert to determine whether the system meets security requirements. There are two questions in the Technical Expert section that they need to answer.
4. Complete and submit the authorization request to the Data Steward.
Here is an example request [doc] you can send to the Data Steward. It includes all the necessary information.
5. When approved, the OU must initiate annual reviews to ensure the system remains compliant.
The Technical Expert must answer these two key questions.
1. Does your service meet security requirements?
The University and its vendors must comply with State security requirements [xls]. If this is an online (or hosted) service, the requirements in the "Hosted" tab apply.
If the system meets requirements, you can attest to the OU that it does. If any are not met, you must identify those and describe any mitigating controls that help cover compliance gaps.
2. Can you validate that the requirements are met?
The University accepts many different types of validation documents. Common examples are SOC 2 reports, a FedRAMP certification, or a certification from the Cloud Security Alliance. Most third-party validation reports that demonstrate the system meets security requirements are accepted.
The University Information Security Office (Optional)
The UISO can answer questions about the process. They also help Data Stewards understand risks to their data.
The Data Steward will review the request, make an approval decision, and communicate their decision to the OU.