Data Discovery and Protection

The Data Discovery and Protection (DDP) program is a campus-wide data management initiative to safeguard all university data. This initiative meets the requirements captured in the Data Management Regulation (REG 08.00.03).

As part of the NC State Data Management Framework (DMF), the DDP program requires a collaborative team of data stewards, data managers, and data custodians to apply the DDP process to their scope of data at least once a year.

DDP Benefits

Performing an annual DDP provides the following benefits:

  • Ensures that all existing data is accounted for.
  • Identifies and corrects insecure storage of sensitive data in a timely manner.
  • Establishes a level of compliance with federal and state laws and regulations, federal agency requirements, industry standards, UNC System Office requirements, and internal policies, regulations and rules.
  • Simplifies responses to eDiscovery requests such as public records and litigation holds. 
  • Accelerates breach incident investigation, containment and notification efforts.
  • Reduces instances of costly data breaches or exposure.
  • Limiting the locations where data can reside is an effective protection strategy — one that campus IT can assist in implementing.

About the DDP Process

The Data Discovery and Protection (DDP) process relies on the REG 08.00.03 Data Management Regulation and its supporting Data Management Framework.  This includes the university data classifications captured and maintained in the ServiceNow Configuration Management Database (CMDB) and the NC State Data Classification Table

Before protecting the data, campus data governance determines the data classification level and, in concert with campus compliance officials, determines any compliance obligations for each identified data category and element.  From this point, we can determine how to protect the data and meet all compliance obligations. 

DDP Procedure

Data stewards, data managers, and data custodians must work together to perform the DDP procedure at least once a year. As the name implies, Data Discovery and Protection (DDP) begins with data discovery:

  1. Review all IT resources within your area of responsibility for the presence of university data.
  2. Identify how all discovered data fits into the following data hierarchy, from the top down:
    1. Data scope — for example, Personal
    2. Data category — for example, Bio/Personal
    3. Data element  — for example, a social security number

    Until further updates become available, target completion dates are as follows:

    • December 2022 — for multi-user systems (such as web applications, servers, storage, network equipment, etc.)
      • NOTE: For multi-user applications, you must designate a data manager, which can be one or more individuals serving as the main point of contact for data custodians seeking clarification about the data.  The data custodian needs the data manager to clearly convey the data that resides not only in the application but also in its supporting infrastructure as well, which could include a database, server, and data storage locations.
    • December 2023 — for single-user systems (such as an individual’s desktop, laptop, tablet, smartphone, etc.)
  3. Update the data inventory in the ServiceNow Configuration Management Database (CMDB):
    1. Select the Configuration Item (CI) you want to update.
    2. Complete the Data and Compliance Details tab to specify the data hierarchy for each data category (and their elements) that you identified in Step 2.
      • NOTE: See the Guided Tour for help.
        • CAUTION: This step is available and in production; however, the Department of Academic Student Affairs (DASA) and OIT are currently testing this step of the DDP process as a proof of concept.
  4. Determine the appropriate data-storage location according to the highest data classification level:
    1. See Storage Locations for University Data for guidance.
      NOTE: If you need to use an alternate storage solution, please reach out to Security & Compliance (OIT_ISRA@help.ncsu.edu) to discuss an exception.

Glossary

data category.  Consists of more than a single data element (for example. a medical record typically contains a name, mailing address, age, and other components — possibly an ultra-sensitive element such as a social security number). The overarching data classification for the category will match the most sensitive element that it contains. Assigning the appropriate data classification level is typically the data steward’s responsibility, sometimes in consultation with others.

data element.  Consists of only one item of information (such as a name, mailing address, social security number and so forth). Most of the data elements used at the university are data fields that comprise a data element (for example, a form such as an I-9 or W-2) or system (such as an Excel database).

data scope. Highest level of organized data managed by a university data trustee. Examples of data scopes: personal, student, employee, finance, athletics, advancement, legal, research, environmental health & safety, and public safety. In some cases, a data scope can be managed by more than one trustee.

IT resource.  NC State University “IT resource” includes any technology used to accomplish the mission of the university. The reference to “IT resources” translates to any assets such as desktops, laptops, servers, storage systems, network equipment, smartphones, tablets, removable storage, the Internet of Things (IoTs), accounts, data, and any other digital assets used by faculty, staff, students and any guest or affiliate of the university who has access to IT resources, regardless of whether such assets are personally or university-owned.