Specifications include, but are not limited to: Vendor will, with assistance from UAIR staff, produce the following policies, procedures, and training material. Vendor is free to rearrange the creation of the work product and/or work on multiple materials simultaneously. Vendor should provide a proposed order of operations for start of work on each portion prior to start of contract, which must be agreed upon by the University. Work products that will be produced during the contract shall include the following: 5.3.1 UAIR Statement of Vision and Goals for dissemination and usage of data 5.3.2 UAIR Data Governance Policy Charter, covering Principles, Values, Purpose, Scope, Roles, and Responsibilities 5.3.2.1 Formal declarations of responsibilities of end users (security training, etc.), data custodians (systems staff), data stewards (delegates of trustees who approve access changes), and data trustees (designated owners of source systems) 5.3.2.2 Formal declaration of process for data cleansing in source systems and data warehouses 5.3.2.3 Formal declaration of who owns and who approves access to data from each source system 5.3.2.4 Formal declaration of types of sensitive and restricted data, and when to involve the Office of General Counsel and/or University Privacy Office 5.3.2.5 Formal declaration of data ethics 5.3.3 UAIR Data Governance Procedures manuals in the areas of: 5.3.3.1 Data Classification Procedure- Requesting, approving, and reviewing changes to what data elements, tables, and subject areas fall under each data role. Also, which data is permitted in the main data warehouse vs. which requires special handling (SSNs, HIPAA). 5.3.3.2 Data Authorization Procedure- Requesting, approving, and reviewing changes to who is allows each data role, including upon position and status change events 5.3.3.3 Data Security Procedure- Procedures to secure access to data warehouses and associated systems (anti-malware, patching, monitoring, penetration testing)
