Virginia Commonwealth University School of Medicine Information Security Standard

Similar documents
Virginia Commonwealth University School of Medicine Information Security Standard

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Information Technology Standards

Media Protection Program

Subject: University Information Technology Resource Security Policy: OUTDATED

Policy and Procedure: SDM Guidance for HIPAA Business Associates

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Information Security Data Classification Procedure

COMPUTER & INFORMATION TECHNOLOGY CENTER. Information Transfer Policy

Dublin City University

Red Flags/Identity Theft Prevention Policy: Purpose

Department of Public Health O F S A N F R A N C I S C O

Table of Contents. PCI Information Security Policy

Checklist: Credit Union Information Security and Privacy Policies

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

01.0 Policy Responsibilities and Oversight

UTAH VALLEY UNIVERSITY Policies and Procedures

Information Security Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Personal Communication Devices and Voic Procedure

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Identity Theft Prevention Policy

Security Standards for Information Systems

Policies and Procedures Date: February 28, 2012

INFORMATION ASSET MANAGEMENT POLICY

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Access to University Data Policy

Acceptable Use Policy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Southern Adventist University Information Security Policy. Version 1 Revised Apr

HIPAA Security and Privacy Policies & Procedures

UCOP ITS Systemwide CISO Office Systemwide IT Policy

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Standard for Security of Information Technology Resources

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Security Awareness, Training, And Education Plan

Lakeshore Technical College Official Policy

The Common Controls Framework BY ADOBE

Juniper Vendor Security Requirements

Records Retention Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

Physical Safeguards Policy July 19, 2016

CYBER SECURITY POLICY REVISION: 12

AUTHORITY FOR ELECTRICITY REGULATION

Red Flags Program. Purpose

Date of Next Review: May Cross References: Electronic Communication Systems- Acceptable Use policy (A.29) Highway Traffic Act

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

DETAILED POLICY STATEMENT

ADIENT VENDOR SECURITY STANDARD

Standard CIP 007 4a Cyber Security Systems Security Management

Acceptable Use Policy

Enterprise Income Verification (EIV) System User Access Authorization Form

Mobile Device policy Frequently Asked Questions April 2016

PS 176 Removable Media Policy

Research Data Use Agreement (RDUA)

SPRING-FORD AREA SCHOOL DISTRICT

4.2 Electronic Mail Policy

MIS5206-Section Protecting Information Assets-Exam 1

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

University Policies and Procedures ELECTRONIC MAIL POLICY

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

Privacy Breach Policy

Information Classification & Protection Policy

HIPAA FOR BROKERS. revised 10/17

Security Policies and Procedures Principles and Practices

Red Flag Policy and Identity Theft Prevention Program

Louisiana State University System

Data Encryption Policy

Bring Your Own Device Policy

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Acceptable Use Policy

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Acceptable Use Policy

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

DATA STEWARDSHIP STANDARDS

IAM Security & Privacy Policies Scott Bradner

Support for the HIPAA Security Rule

II.C.4. Policy: Southeastern Technical College Computer Use

Acceptable Use Policy

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Chapter 9 Section 3. Digital Imaging (Scanned) And Electronic (Born-Digital) Records Process And Formats

Cell Phone Policy. 1. Purpose: Establish a policy for cell phone use and compensation allowance.

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Transcription:

Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Removable Storage Media Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval Date: July 1, 2010 Effective Date: July 1, 2010 Compliance Date: January 1, 2011 Authority: VCU School of Medicine Information Security Manager Review Frequency: Annually, or as needed Revision History: Version Date Revision Issuance 1.0 January 25, 2010 Draft approved by IT Audit Resolution Committee 1.1 June 14, 2010 Modifications related to changes in data classification guidelines 1.2 June 29, 2010 Modifications related to ITARC members feedback Removable Media Security Page 1

I. PURPOSE The Removable Storage Media Security Standard addresses the security and configuration of removable storage media used to store sensitive School of Medicine data. II. III. POLICY Various removable storage media can currently be used to store business data. The data stored on these devices may be sensitive in nature, and the confidentiality, integrity and security for the sensitive data must be ensured in order to comply with any legal, regulatory and administrative requirements. This document states the minimum security standards with regard to the storage of sensitive data on removable storage media in the VCU School of Medicine. All VCU School of Medicine personnel are expected to abide by the requirements stated within this standard. DEFINITIONS Authorized User An individual who has been granted access to specific data in order to perform his / her assigned duties in the VCU School of Medicine. Confidential and Protected Data Confidential and Protected data are considered the most sensitive, and must be protected with the highest security standards. These data are protected specifically by federal or state law and regulations (e.g. HIPAA, FERPA.) Loss of confidential and protected data can result in long term loss of funding, ranking and reputation for the school, as well as possible legal actions against the University, School, or the data owner. Confidential and protected data are a subset of sensitive data; therefore, all confidential and protected data are also classified as sensitive. Examples include student or employee SSN, date of birth, Electronic Protected Health Information (EPHI), and student grades. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions. Data Owner The Data Owner is the VCU or VCUHS employee responsible for the policy and practice decisions regarding data, and is responsible for evaluating and classifying sensitivity of the data; defining protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs; communicating data protection requirements to the System Owner; defining requirements for access to the data. External User A user who is not a VCU School of Medicine system user. Examples of such users are family members of employees, undergraduate students, and faculty or staff from other schools within the University. Removable Media Security Page 2

IT System - An IT System is a combination of people, hardware (computer workstation, mobile device, removable storage media, server), software, communication devices, network and data resources that processes (can be storing, retrieving, transforming information) data and information for a specific purpose. Non-sensitive Business Data - Non-sensitive business data are non-personal data that are not necessarily proprietary to an institution. The protection of these data are neither regulated nor controlled by law or contractual obligations, as the protection of the data is at the discretion of the data owner. If lost or illegitimately modified, these data will generate no negative impacts to individual business units or the institution as a whole. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions. Principle of Least Privilege This principle requires that each user in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Removable Storage Media - Device or media that is readable and/or writeable by a system user and is able to be moved from computer to computer without physical modification to the computer. This includes flash memory devices such as thumb drives, cameras, MP3 players and memory cards; removable hard drives (including hard drive-based MP3 players); optical disks such as CD and DVD disks; floppy disks and any commercial music and software disks. Sensitive Data Data that are proprietary to an institution, where if lost or illegitimately modified, can cause negative impact to the individual units or the institution as a whole. Examples include employee performance evaluations, faculty salary or contract information, and proprietary research data. System Administrator An analyst, engineer, or consultant who implements, manages, and/or operates an IT system and manages the data that is stored on that system at the direction of the System Owner and Data Owner. The System Administrator implements security controls and other requirements of SOM information security program on an IT system for which he or she has been assigned responsibility. System User A VCU or VCUHS personnel who is authorized by the System Owner to have access to a VCU School of Medicine computer workstation. A system user can consist of faculty members, graduate students, post doctoral associates, staff members, vendors, external organization users, and any other affiliates who have access to a VCU School of Medicine computer workstation. Removable Media Security Page 3

IV. RESPONSIBILITIES All VCU School of Medicine system users who use computer workstations to access, process and store sensitive business data, including proprietary research data is responsible for following the security requirements set forth in this standard. The data owner of sensitive data, including proprietary research data is directly responsible for the confidentiality, integrity and security of the data stored, processed, and/or transmitted via any communication medium. Further, the data owner is also responsible for authorizing, reviewing and revoking access to these data for authorized VCU or VCUHS personnel. The system administrator is directly responsible for providing and revoking access to data at the direction of the System Owner and Data Owner. The VCU School of Medicine Information Security Manager is responsible for reviewing and auditing this standard annually. V. LOGICAL ACCESS CONTROL A. Any storage of sensitive data on removable storage media must be approved by the data owner. B. All removable storage media used to store sensitive data must utilize industry approved encryption standard. Any confidential and protected data stored on removable storage media must be encrypted with FIPS 140-2 compliant encryption protocols. C. Removable storage media used to store sensitive data must require mandatory password authentication at a minimum, where the removable storage media requires its user to setup a password prior to usage. D. Removable storage devices shared with any external users must not be used to store sensitive data. VI. PHYSICAL ACCESS CONTROL A. Removable storage media containing sensitive data must never be left unattended in a publicly accessible area. B. All users of VCU or VCUHS issued removable storage media must return the issued devices prior to separation. Removable Media Security Page 4

VII. DATA STORAGE AND TRANSMISSION A. Any sensitive data stored on removable storage media must be deleted if it no longer needs to be stored on the device. VIII. REPORTING LOSS AND THEFT OF EQUIPMENT OR DATA In the event a removable storage media used to store sensitive data is lost or stolen, the theft or loss must be reported immediately to the VCU police at 828-1196. The theft or loss of sensitive data must also be reported immediately to the VCU information security office at 828 1105 or VCUHS information security office at 628 1144. IX. DISPOSAL OF DEVICE A. All sensitive data on removable storage media must be securely removed prior to disposal. The data removal process must be in compliance with the DOD 5220.22-M standards, where no data recovery will be possible. B. Backups of sensitive data that are no longer needed must also be securely destroyed according to the DOD 5220.22-M standards. X. EXCEPTIONS Exception requests to this standard must be filed with, and submitted to, VCU School of Medicine Information Security Manager. Any exception request should use the exception request form attached in appendix A. XI. XII. COMPLIANCE Compliance with this Removable Storage Media Security standard is the responsibility of all personnel who use removable storage media to store sensitive VCU School of Medicine data. This document establishes standards for these personnel s actions in recognition of the fact that these personnel are provided unique system and data access, and that non-compliance to this standard will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow this standard may range from a verbal or written report, temporary revocation of system and data access, termination of employment, to legal proceedings against the personnel depending on the severity of the violation. All personnel who have access to School of Medicine data are expected to read, understand and agree to the responsibilities defined in this standard and any published revisions of this standard. REFERENCES A. VCU Information Security Standard section 6: Data Protection B. VCU Affiliated Covered Entity ACE-0014: Device and Media Controls C. NIST Special Publication 800-68 Removable Media Security Page 5

D. NIST Special Publication 800-18 Revision 1: Guide for Developing Security Plans for Federal Information Systems Removable Media Security Page 6

Appendix A. VCU SOM Information Security Standards Exception Request Form Requestor: Unit Name: Authoritative Unit Head: Contact phone: Requirement to which an exception is requested (Section, Item #) Date: 1. Provide the business or technical justification for exception: 2. Describe the scope, including quantification and requested duration (not to exceed 1 year): 3. Describe all associated risks, including the sensitivity and criticality of hardware or data involved in exception: 4. Identify the compensating controls to mitigate the risks: 5. Identify any unmitigated risks: 6. When will compliance with policy be achieved? By submitting this form, the Authoritative Unit Head acknowledges that he or she has evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances. Authoritative Unit Head Signature: Date: SOM Information Security Manager Use Only Approval: Approved Denied VCU/VCUHS Approval Required Comments: Signature: Date: Removable Media Security Page 7

VCU / VCUHS Information Security Officer (ISO) Use Only Approval: Comments: Approved Denied Signature: Date: VCU / VCUHS Chief Information Officer (CIO) Use Only Approval: Comments: Approved Denied Signature: Date: VCU / VCUHS Chief Information Officer (CIO) Use Only (Used for Appeal) Approval: Comments: Approved Denied Signature: Date: Completed exception forms must be submitted to SOM Information Security Manager by e-mail, somsecurity@vcu.edu Contact information: SOM Information Security Manager: 827-9907 Phone VCU Information Security Officer: 828 1015 Phone VCUHS Information Security Officer: 628 1144 Phone Removable Media Security Page 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback