Information Systems/Data Integrity
1. Authority and Responsibility
Major responsibilities that cannot be delegated:
- Establishing and implementing systems to ensure the confidentiality, availability and integrity of the data on which decisions are made.
- Assuring that systems access and transactions are in accordance with management's authorization and are recorded in the university records in an accurate and timely manner.
- Appointing a Data Security Administrator for the department.
- Determining approval hierarchies to establish appropriate separation of duties. Determining which employees should be given access to what core data.
- Determining which employees are designated as transaction "preparers" or "reviewers."
- Managing reported or suspected access and security violations in accordance with university policies.
2. Delegations
Major responsibilities that can be delegated:
- Establishing appropriate access to computer systems as determined by department management.
- Establishing core systems transaction preparation and review as determined by department management.
- Training on computer access, security, software, and appropriate use of university information.
- Monitoring departmental core systems transactions.
3. Requirements to Reduce Potential Risks
- Appropriate controls must be established in computer systems to ensure the confidentiality, integrity, and availability of information through authorization, accountability, and authentication of users. The sharing of passwords and user accounts is strictly prohibited.
- Each department must ensure that all financial and personnel transactions are recorded accurately and in a timely manner. Transactions should reflect accurately the actual value or information involved, and contain sufficient detail to support post authorization review and audit. Transactions should be stored securely, readily retrievable, and safeguarded against improper alteration, disclosure or use.
- Systems developed by departments must be secure, reliable, responsive, and accessible. These systems must be designed, tested, documented, and maintained according to university policy and UC development and implementation standards. They should be built upon sound data models and employ technology that meets user needs and allows data to be shared appropriately.
- Systems developed by departments must contain controls to ensure that data is synchronized with and validated against core systems. These systems must also contain appropriate interfaces to any core financial systems.
- Local and wide area networks (including electronic mail and calendaring) must be reliable, stable, and secure.
- Appropriate systems backup, recovery and contingency planning must be established in accordance with UC Business & Finance Bulletin IS-3 and guidelines established by the Campus Information Security Guidelines Coordinator, who has initiatives posted on the web at http://security.ucdavis.edu/
- The validity of the charges and credits appearing on the general ledger and payroll/personnel system should be certified at the end of each accounting period (i.e., monthly). The person approving KFS purchasing and accounts payable documents shall be someone other than the person initiating the documents, as required by UC Davis PPM 310-11.
- Employees must be adequately trained in the use of on-line systems and transactions.
- Encourage employees to report any compromise or breakdown in the unit's data integrity without fear of reprisal.
- A unit’s financial reporting and monitoring process should be integrated with UC Davis PPS data warehouse and Decision Support.
4. Resources
Department Policies/Procedures
- Communications and Technology
- Campus wide Information Technology Policy and Planning
- Disclosure of Information from Student Records
- Network Security
- Electronic Info Security-UCOP
- Electronic Info Security - UCD
- Improper Governmental Activities
- Legal Requirements on Privacy of and Access to Information
- Privacy and Access to Information