Just an FYI...

When California amended its Information Practices Act to include
notification of unauthorized access, UCSC put together the following

I was the records manager at the time and worked with the CIO (Vice
Provost of IT) and a computing director to put a plan into place.  We
used basic RM principles:

1. Inventory - Where does PII (personal identity information) exist?
This was very hard as the U had many different systems with PII and many
different owners of those systems.

2. Assign Ownership - Like assigning RCs
We called it "system stewardship."  All computer systems had to have
ownership, especially those systems with PII. (Some RCs were System

3. Assign Responsibility - System Stewards are RESPONSIBLE for the info
in their systems (They must know what is in their system)...
Again, like the RC concept, the stewards were the zookeepers for their
systems and we made them responsible for the data and the protection of
the data within the system. Some IT folks who became stewards resisted
this because they had never been responsible for content, but eventually
understood their new responsibility. 

4. Provide Guidance - System Stewards need guidelines
I worked with the IT Directors to provide an enterprise-wide guideline
(Standard).  We also worked very hard to educate stewards. We held many
sessions and made sure the stewards attended. 

5. Executive Ownership - CIO got it and supported it.
Our CIO assumed responsibility for the process and understood the
negative consequences of not doing the work.

Added benefit of implementing all of the above was the discovery of gaps
in our information processes and IT security (which have since been

Sadly, some of the links are out of date, and my name appears to still be
there (I haven't worked there in 1.5 yrs) but the site may be of use...

Chuck Piotrowski
Records Manager
...this computer runs on Cow Power...
