Resource Management, Data Integrity, and the Computing Environment Sandra Featherson Office of the Controller Doug Drury Information Systems & Computing.

Presentation transcript:

Resource Management, Data Integrity, and the Computing Environment Sandra Featherson Office of the Controller Doug Drury Information Systems & Computing September 15, 2011

Agenda
- Computing Environment
- Resource Management
- Data Integrity

Computing Environment
Maintaining a reliable computing environment:
- Why is this important?

Computing Environment Physical Security
- Equipment is properly secured
- Equipment is maintained

Computing Environment Systems Development
- IS-10 – UC Policy
- Establish a plan
- Well trained technical professionals
- Identify projects
- Define scope, benefits, risks, priorities, timing, and implementation method

Computing Environment Systems Development
- What is ‘System Development’?
- Impact of the project
- Determine staffing, equipment, and other needs
- Funding requirements and sources
- Documentation of system
- UC Policy – IS-2, IS-3, IS-10, IS-11

Computing Environment
Other Things to Think About:
- Systems Management
- Password Maintenance
- Disaster Recovery
- Separating Employees

Electronic Personal Information: What Is It?
- SB1386 designed to address identity theft
  - took effect July 1st, 2003
  - added § , § to State Civil Code (Information Practices Act)
  - created disclosure requirements upon a security breach of systems containing “unencrypted” personal information
    - An individual’s first name or initial and last name in combination with one or more of the following:
      - Social Security Number
      - Driver’s License Number
      - Financial account or credit card number in combination with any password that would permit access to the individual's account
See for more information

Electronic Personal Information UCSB Campus Roles
- Data Proprietor - A personal information data store proprietor is the department director or senior manager who is the functional owner of the application that is the primary source of the personal information. It is the responsibility of the data store proprietor to ensure that the inventory of personal information data stores is kept current for the data stores for which the proprietor is responsible.

Electronic Personal Information UCSB Campus Roles
- Data Custodian - A personal information data store custodian is an individual or organization that is responsible for providing technical or system administration support for the data store. It is the responsibility of the personal information data store custodian to ensure that the implementation and administration of the personal information data store conforms to IS-3 requirements, as a minimum, and to campus and industry best practices for system security where appropriate.
- Campus Sensitive Data Incident Coordinators - Doug Drury, Karl Heins

Electronic Personal Information Policy & Guidelines
- UC Policy IS-3 and IS-11 define policy regarding management of Electronic Personal Information (as well as other information system issues)
- UCSB Guideline provides process for handling exposure of personal information

Electronic Personal Information Best Practices
- Don’t Store It Unless Absolutely Necessary
- If You Do Store It
- Follow IS-3 Policy
- Retain contact information for stored individuals
- Submit Inventory Data To Campus Coordinators
- Follow Industry Best Practices For System Security
- UC Electronic Communication Policy allows UC campuses to encrypt personal information data stores – ENCRYPT IF POSSIBLE

Electronic Personal Information Incident Process
- Incident Detection
- Requires active monitoring of data store
- Requires extensive analysis to determine if a breach has occurred
- UCSB Guideline provides assessment guidance
- Incident Handling Process
- Follow the UCSB Guideline closely
- Allow appointed UCSB/UC officials to handle any communication

Electronic Personal Information Information Sources
- UC Policy:
- UCSB Guideline:
- California Law:
- Finally – The UC/UCSB definition of Personal Data is evolving. You will be kept up to date if the definition changes

Resource Management
- Financial Data
- Value of Budgets
- Analyze Costs, Benefits, and Risks
- Asset Management

Resource Management: Financial Data
- Verify data is accurate and complete
- Compare GLO60 to any Shadow System
- Review significant deviations
- Document corrective action

Resource Management: Value of Budgets
- Represents your financial plan for future periods
- Decisions based on data
- Proper use of resources
- Valuable control
- Evaluate resource opportunities

Resource Management: Value of Budgets
Budget for:
- Departmental Operations
- Events
- Projects

Resource Management and SAS 112
Department Key Controls
- GL Reconciliation
- Review of Budget Reports
- Equipment Inventory

Scenario #1 Your department is hosting an international conference. The expected number of participants is 250. Pre-registration is required. The PI, who is the host, believes $500 is the going rate for conferences. In Groups: List the steps you would take to develop the budget and track expenditures for the conference.

Resource Management: Analyze Costs, Benefits, and Risks Something sounds like a good idea, but is it?

Resource Management: Analyze Costs, Benefits, and Risks
Components of Analysis
- Statement of Purpose
- Statement of Benefits
- Assumptions
- Impact on administrative support

Resource Management: Analyze Costs, Benefits, and Risks
Components of Analysis
- Quantify costs (one time vs. on-going), space needs, and capital outlay
- Funding sources
- Potential risks/problems

Resource Management: Analyze Costs, Benefits, and Risks
Components of Analysis
- Performance follow-up
- Did cost projections come in on target?
- Did the benefits outweigh the costs?
- Did the results meet expectations?

Scenario #2 Your department wants to purchase new desktops for the office. In Groups: Do a cost-benefit-risk analysis and make a recommendation to your department about the purchase of new desktop machines.

Resource Management: Asset Management
- Cash
- Receivables
- University Resources/Equipment
- People

Resource Management: Asset Management
Cash
- Proper receiving and storing
- Proper depositing and recording
- Reconcile the deposits

Resource Management: Asset Management
Cash Management: Short Term Investment Pool (STIP)
- Depository bank accounts
- Disbursement bank accounts
- Vendor
- Payroll
- Balances are invested in STIP daily

Resource Management: Asset Management
Cash Management: Short Term Investment Pool (STIP)
- Earnings are credited back to the funds which generated the interest
- The interest for “campus owned” funds is distributed back to the campus

Resource Management: Asset Management
Receivables
- Do you have any?
- Collections
- Monitor status
- Collection Agencies
- Write Off
- If you have receivables, you should be using the BA/RC process

Discussion Item #1 Do you have any cash management issues?

Resource Management: Asset Management
University Resources
- Use of the University Seal
- Use of the University Name/Logo

Resource Management: Asset Management
- Use of the University Name/Logo
- Policy 5010: “Use of the University’s Name”
- Use of the University Seal
- Policy 5015: “Use of the Unofficial Seal”

Resource Management: Asset Management
Campus designees to authorize use of the seal/name/logo are:
- Meta Clow
- Mark Beisecker (for commercial products)

Resource Management: Asset Management
Equipment
- Proper purchasing
- Proper tracking
- Physical assets are compared to recorded assets and discrepancies are resolved
- Proper disposing

Resource Management: Asset Management
People - This is our most important asset!
- Proper training
- Formal delegations
- Current job descriptions
- Timely evaluations
- Consistent and fair treatment

Data Integrity Why do we care? What could go wrong?

Data Integrity
How do you maintain data integrity?
- Separation of duties
- Small departments might need to partner with other departments
- Adequate documentation and description
- Well trained employees

Data Integrity
How do you maintain data integrity?
- Compliance with policies and procedures
- Coding Transactions Correctly
- Reconcile departmental reports to the GLO60
- Reconcile the GLO60 on a timely basis
- Record retention

Data Integrity Coding Transactions Correctly
Types of Costs
- Direct
- Indirect
- Unallowable
Function of Cost
- Teaching
- Research
- Public Service
Purpose of Costs
- Travel
- Office Supplies
- Services
Consistency in treatment of costs is a critical policy for the federal government.

Discussion Item #2 You are given a list of transactions for today’s activity. Identify the correct coding for each transaction.

Data Integrity: Record Retention
Why is this important?
- The institution needs to consistently apply a records management program
- If your practice is to keep everything, you will be expected to produce what is requested
- If you can show that you consistently follow the record management program, the court will accept your inability to produce the record

Data Integrity: Record Retention
How long do we have to keep records?
- The UC Records Disposition Schedules Manual specifies the length of time records must be maintained by the office of record and others:

Data Integrity: Record Retention
Who is the office of record?
- The office of record is the office responsible for retaining the original record, and for producing a requested record

Data Integrity: Record Retention
Who do you call if you have questions?
- Meta Clow, the Campus Policy and Records Management Coordinator: x4212

Questions?