UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Similar documents
Employee Security Awareness Training Program

Access to University Data Policy

Table of Contents. PCI Information Security Policy

SECURITY & PRIVACY DOCUMENTATION

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Acceptable Use Policy

Subject: University Information Technology Resource Security Policy: OUTDATED

Enterprise Income Verification (EIV) System User Access Authorization Form

Checklist: Credit Union Information Security and Privacy Policies

UTAH VALLEY UNIVERSITY Policies and Procedures

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

POLICY 8200 NETWORK SECURITY

The Common Controls Framework BY ADOBE

This regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.

Cyber Security Program

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Virginia Commonwealth University School of Medicine Information Security Standard

01.0 Policy Responsibilities and Oversight

IAM Security & Privacy Policies Scott Bradner

Red Flags/Identity Theft Prevention Policy: Purpose

Information Security Incident Response and Reporting

Department of Public Health O F S A N F R A N C I S C O

Responsible Officer Approved by

Information Technology Standards

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Lakeshore Technical College Official Policy

Information Security Policy

University Policies and Procedures ELECTRONIC MAIL POLICY

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

Data Compromise Notice Procedure Summary and Guide

HIPAA Security and Privacy Policies & Procedures

IT ACCEPTABLE USE POLICY

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

Wireless Security Access Policy and Agreement

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

PTLGateway Data Breach Policy

Learning Management System - Privacy Policy

Policies & Regulations

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Security and Privacy Breach Notification

Texas Education Agency

Corporate Information Security Policy

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Information Security Data Classification Procedure

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Privacy Policy on the Responsibilities of Third Party Service Providers

ISSP Network Security Plan

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Red Flags Program. Purpose

Oracle Data Cloud ( ODC ) Inbound Security Policies

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

GREATER ESSEX COUNTY DISTRICT SCHOOL BOARD

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

Texas Health Resources

Policy and Procedure: SDM Guidance for HIPAA Business Associates

BFB-IS-3: Electronic Information Security

University of Pittsburgh Security Assessment Questionnaire (v1.7)

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

NYSIF.com Online Account Third-Party Billers.V3

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

1.2 Participant means a third party who interacts with the Services as a result of that party s relationship with or connection to you.

INFORMATION ASSET MANAGEMENT POLICY

Children s Health System. Remote User Policy

Remote Access Policy

I. PURPOSE III. PROCEDURE

ADIENT VENDOR SECURITY STANDARD

Information Classification & Protection Policy

NYSIF.com Online Account Medical Providers.V4. April 26, 2018

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Department of Public Health O F S A N F R A N C I S C O

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

HIPAA FOR BROKERS. revised 10/17

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

University of North Texas System Administration Identity Theft Prevention Program

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

University of Ulster Standard Cover Sheet

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Emsi Privacy Shield Policy

State of Colorado Cyber Security Policies

HF Markets SA (Pty) Ltd Protection of Personal Information Policy

7.16 INFORMATION TECHNOLOGY SECURITY

IDENTITY THEFT PREVENTION Policy Statement

The University of British Columbia Board of Governors

Mile Privacy Policy. Ticket payment platform with Blockchain. Airline mileage system utilizing Ethereum platform. Mileico.com

HIPAA Regulatory Compliance

Bring Your Own Device Policy

Schedule Identity Services

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Transcription:

ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary to perform their role and responsibilities. Appropriate security measures shall be implemented to ensure the protection of all UT Health San Antonio Information Resources and Data with respect to privacy, unauthorized disclosure, unauthorized modification, denial of service and unauthorized access. All UT Health San Antonio schools, offices and departments that create and manage access accounts for networks, servers or applications must manage the accounts in accordance with defined processes in compliance with this policy and the requirements of the UT System Identity Management Federation Member Operating Practices (MOP). Access Control All non-public UT Health San Antonio Information Resources must be accessed through an access control system that allows users to be individually identified and authenticated. An access management process must incorporate procedures for: a. assigning a unique identifier for each applicant, student, employee, insured dependent, research subject patient, alumnus, donor, contractor, and other individuals, as applicable, at the earliest possible point of contact between the individual and the institution; b. assigning a Custodian for each Information Resource or Data element responsible for: i. defining security profiles for group and role membership; and ii. account provisioning, monitoring and review; Page 1 of 7

c. enforcing password strength (e.g., complexity) that minimally conforms to the UT Health San Antonio password standards; d. where possible, automatic log-off or password protected screen locking should be used to prevent unauthorized persons from accessing an unattended system that is logged in with an authorized account; e. creating uniquely identifiable accounts for all users. This includes accounts created for use by third-parties and contractors; f. disabling all generic and default accounts; g. reviewing, removing and/or disabling accounts at least quarterly, or more often if warranted by risk, to reflect current user needs or changes of user role or employment status; h. expiring passwords or disabling accounts based on risk; and i. managing access from wired and wireless devices, and from remote locations. Passwords Policies, Standards and Procedures defining passwords to access Information Resources shall be adopted with processes for: a. ensuring user identity when issuing or resetting a password; b. establishing and enforcing password strength; c. changing passwords; d. managing security tokens when applicable; e. securing unattended computing devices from unauthorized access by implementing mechanisms to prevent password guessing (e.g., lockout after multiple login attempts) and to block access to idle sessions (e.g., a password protected locking screen saver, session time-outs); and f. ensuring that passwords are only accessed by or visible to the Page 2 of 7

authenticating user, device or system. Unless otherwise allowed by Policy, users must not share passwords or similar information, or devices used for identification and authorization purposes. Shared Accounts In some cases, an application or business need will require that an account be accessible for use by multiple users. In these cases, a Shared Account can be created. Shared Accounts must be approved by the Chief Information Security (CISO) with a single user designated as the Primary Account Holder. The Primary Account Holder is responsible for maintenance of the account including: a. granting and revoking other users access to the account; b. changing the account password when users with knowledge of the account ID and password terminate, transfer roles or otherwise no longer need access to the Information Resource and in compliance with the institution s Policies and Standards; c. tracking user access; and d. reporting problems and security incidents to the CISO. If the Primary Account Holder s job function or status changes and cannot continue to be responsible for the account, it must be reestablished with a new Primary Account Holder designated. In most cases, group accounts will only be approved in situations where technological limitations of an application require group access to a single account. Remote and Wireless Access Remote and wireless access to UT Health San Antonio network infrastructure must be managed to preserve the integrity, availability and confidentiality of the institution s information. Remote and wireless access Standards and Procedures must: a. establish and communicate to users the role and conditions under which remote or wireless access to Information Resources Page 3 of 7

containing confidential data is permitted; b. require the use of secure and encrypted connections when accessing Information Resources containing confidential data across the Internet, or across open segments of the institution s network or wireless network (e.g., use of VPN for access, SFTP for transfers, encrypted wireless); and c. require monitoring for identifying and disabling of unauthorized (e.g., rogue) wireless access points. Access to Network Infrastructure Through appropriate use of administrative, physical and technical controls the Department of Infrastructure and Security Engineering is required to establish processes for approval of all network hardware connected to the UT Health San Antonio network and the methods and requirements for attachment, including any non- UT Health San Antonio owned computer systems or devices, to ensure that such access does not compromise the operations and reliability of the network or compromise the integrity or use of information contained within the network. Data Access Control All Information Resource Owners and Custodians must control and monitor access to data within their scope of responsibility based on data sensitivity and risk, and through use of appropriate administrative, physical and technical safeguards including the following: a. Information Resource Owners and Custodians must limit access to records containing confidential data to those employees who need access for the performance of the employees job responsibilities. An employee may not access confidential data if it is not necessary and relevant to the employee s job function; b. Information Resource Owners and Custodians must monitor access to records containing confidential data by the use of appropriate measures as determined by applicable Policies, Standards, Procedures and regulatory requirements; c. Information Resource Owners and Custodians must establish log capture and review processes based on risk and applicable Policies, Standards, Procedures and regulatory requirements. Page 4 of 7

Such processes must define: i. the data elements to be captured in logs; ii. the time interval for custodial review of the logs; and iii. the appropriate retention period for logs. d. employees may not disclose confidential data to unauthorized persons, institutions, vendors or organizations except: i. as required or permitted by law, and, if required, with the consent of the Information Resource Owner; ii. where the third-party is the agent or contractor for UT Health San Antonio and the safeguards described in institutional policy are in place to prevent unauthorized distribution; or iii. as approved by UT Health San Antonio Legal or Compliance Office or UT System Office of General Counsel. Access for Third- Parties Third-parties acting as an agent of or otherwise on behalf of UT Health San Antonio must execute a written agreement that specifies: a. the data and systems authorized to be accessed; b. the circumstances under and purposes for which the data may be used; and c. that all data must be returned to UT Health San Antonio or destroyed, in a manner specified by UT Health San Antonio upon termination or expiration of the third-party engagement. If UT Health San Antonio determines that its provision of data or access to the institution s computing environment or network infrastructure to a third-party will result in significant risk to the confidentiality, integrity or availability of such data, computing environment or network infrastructure, the agreement between UT Health San Antonio and thirdparty must specify terms and conditions including appropriate Page 5 of 7

administrative, physical and technical safeguards for protecting the data, computing environment and network infrastructure. Two-Factor Authentication Two-factor authentication is required in the following situations: a. when an employee or other individual providing services on behalf of UT Health San Antonio (such as student employee, contractor, vendor or volunteer) logs on to the institution s network using an enterprise remote access gateway such as VPN, Terminal Server, Citrix or similar services; b. when an employee or other individual providing services on behalf of UT Health San Antonio (such as student employee, contractor, vendor or volunteer) who is working from a remote location uses an online function, such as a web page to modify employee banking, tax, or financial information; or c. when an employee or other individual providing services on behalf of UT Health San Antonio (such as student employee, contractor, vendor or volunteer) working from a remote location uses administrator credentials (also referred to as Privileged Access ) to access a server that contains or has access to confidential data. Least Privilege and Segregation of Duties Granting access to information and information systems must be based on separation of duties and the principle of least privilege. Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. Least privilege means granting users only those accesses they need to perform their official duties. Accountability Departmental Deans, Chairs, and Directors are accountable for ensuring that their department remains in compliance with all State and federal laws and regulations and UT Health San Antonio and UT System Policies and Standards. If it is determined that the UT Health San Antonio network, systems, Page 6 of 7

data, or mission have been put at risk due to a willful or negligent lack of compliance with information security policies, Information Management and Services (IMS) are authorized to terminate or restrict access to the Information Resources as appropriate to mitigate the risk. Individual Users Users are responsible for: a. understanding, agreeing to and complying with all security policies governing UT Health San Antonio Information Resources and with all federal, state laws and regulatory rules governing access to the Information Resource; b. safeguarding individual user names and passwords and/or other sensitive access control information. Individual user names and passwords must not be shared, copied, un-securely transmitted across a public or private network, nor converted from encrypted or enciphered form to unencrypted form or legible text. If a user suspects an unauthorized user may have discovered or guessed a password, the password must be changed promptly and the incident reported to the Chief Information Security. Violations of this policy are subject to disciplinary action as described in Section 2.1.2, Handbook of Operating Procedures. References U.T. System Policy 165 Standard 4 U.T. System Policy 165 Standard 15 Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback