Virginia Commonwealth University School of Medicine Information Security Standard

Similar documents
Virginia Commonwealth University School of Medicine Information Security Standard

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

01.0 Policy Responsibilities and Oversight

Subject: University Information Technology Resource Security Policy: OUTDATED

UTAH VALLEY UNIVERSITY Policies and Procedures

Red Flags/Identity Theft Prevention Policy: Purpose

Information Security Incident Response and Reporting

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Information Technology Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Policy and Procedure: SDM Guidance for HIPAA Business Associates

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Security and Privacy Breach Notification

Access to University Data Policy

Information Security Policy

Standard for Security of Information Technology Resources

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Acceptable Use Policy

Southern Adventist University Information Security Policy. Version 1 Revised Apr

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Privacy Breach Policy

II.C.4. Policy: Southeastern Technical College Computer Use

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Enterprise Income Verification (EIV) System User Access Authorization Form

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Table of Contents. PCI Information Security Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

University Policies and Procedures ELECTRONIC MAIL POLICY

CYBER SECURITY POLICY REVISION: 12

Employee Security Awareness Training Program

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

GDPR Draft: Data Access Control and Password Policy

Bring Your Own Device Policy

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

INFORMATION ASSET MANAGEMENT POLICY

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Juniper Vendor Security Requirements

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Trust Services Principles and Criteria

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Information Security Data Classification Procedure

Personal Communication Devices and Voic Procedure

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

ISSP Network Security Plan

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

DETAILED POLICY STATEMENT

Integrating HIPAA into Your Managed Care Compliance Program

Client for Contractors (C4C) Security Agreement - Standard

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Policies and Procedures Date: February 28, 2012

Policies & Regulations

Cell Phone Policy. 1. Purpose: Establish a policy for cell phone use and compensation allowance.

Department of Public Health O F S A N F R A N C I S C O

Emsi Privacy Shield Policy

Acceptable Use Policy

Red Flag Policy and Identity Theft Prevention Program

HIPAA Security and Privacy Policies & Procedures

Remote Access Policy

Lakeshore Technical College Official Policy

Responsible Officer Approved by

Acceptable Use Policy

BFB-IS-3: Electronic Information Security

BCN Telecom, Inc. Customer Proprietary Network Information Certification Accompanying Statement

Date of Next Review: May Cross References: Electronic Communication Systems- Acceptable Use policy (A.29) Highway Traffic Act

Checklist: Credit Union Information Security and Privacy Policies

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Identity Theft Prevention Policy

PA TURNPIKE COMMISSION POLICY

Department of Public Health O F S A N F R A N C I S C O

IDENTITY THEFT PREVENTION Policy Statement

Acceptable Use Policy

The Common Controls Framework BY ADOBE

Acceptable Use Policy

Louisiana State University System

Customer Proprietary Network Information

University of North Texas System Administration Identity Theft Prevention Program

Dublin City University

ADIENT VENDOR SECURITY STANDARD

State of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS)

1. Policy Responsibilities & Oversight

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Terms and Conditions 01 January 2016

XAVIER UNIVERSITY Building Access Control Policy

Acceptable Use Policy

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

Wireless Communication Stipend Effective Date: 9/1/2008

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Information Security for Mail Processing/Mail Handling Equipment

The University of British Columbia Board of Governors

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Access to personal accounts and lawful business monitoring

Access Control Policy

Transcription:

Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval Date: July 1, 2010 Effective Date: July 1, 2010 Compliance Date: January 1, 2011 Authority: VCU School of Medicine Information Security Manager Review Frequency: Annually, or as needed Revision History: Version Date Revision Issuance 1.0 January 25, 2010 Draft approved by IT Audit Resolution Committee 1.1 June 14, 2010 Modifications related to changes in data classification guidelines 1.2 June 29, 2010 Modifications related to ITARC members feedback 1.3 July 9, 2010 Modifications related to further review by SOM senior management Personnel Security Page 1

I. PURPOSE The Personnel Security Standard delineates the steps necessary to restrict access to IT systems and data to individuals who require such access as part of their job duties in the VCU School of Medicine. II. III. POLICY Access to various VCU School of Medicine business data are granted to employees, contractors, and affiliates of the VCU School of Medicine. In order to protect the confidentiality, integrity and availability of these data from abuse, misuse, and destruction by individuals, all access to VCU School of Medicine business data will require proper authentication and authorization. DEFINITIONS Administrative Rights The highest level of permission that is granted to a computer user. This level of permission allows the user to install any software, hardware, and change security control and configuration settings on a computer. Authoritative Unit head An authoritative unit head is a dean or equivalent administrative officer (e.g. associate vice president/provost). The authoritative unit head has responsibility for the security of data, systems and technology under their direct management control. Authoritative unit heads may receive advice and input from the CIO and ISO regarding security issues but ultimately must manage their data and technology in accordance with these standards commensurate with risk and cost. Authorized User An individual who has been granted access to specific data in order to perform his / her assigned duties in the VCU School of Medicine. Business Function Owner A VCU or VCUHS employee who is directly responsible for providing the oversight for the performance and operations of a particular business function. Confidential and Protected Data Confidential and Protected data are considered the most sensitive, and must be protected with the highest security standards. These data are protected specifically by federal or state law and regulations (e.g. HIPAA, FERPA.) Loss of confidential and protected data can result in long term loss of funding, ranking and reputation for the school, as well as possible legal actions against the University, School, or the data owner. Confidential and protected data are a subset of sensitive data; therefore, all confidential and protected data are also classified as sensitive. Examples include student or employee SSN, date of birth, Electronic Protected Health Information (EPHI), and student grades. Refer to the Personnel Security Page 2

"School of Medicine Data Classification Guidelines" for authoritative definitions. Data Owner The Data Owner is the VCU or VCUHS employee responsible for the policy and practice decisions regarding data, and is responsible for evaluating and classifying sensitivity of the data; defining protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs; communicating data protection requirements to the System Owner; defining requirements for access to the data. IT System - An IT System is a combination of people, hardware (computer workstation, mobile device, removable storage media, server), software, communication devices, network and data resources that processes (can be storing, retrieving, transforming information) data and information for a specific purpose. IT System Users IT system users are VCU and VCUHS employees, contractors, vendors, third-party providers, and any other authorized users of VCU School of Medicine IT systems, applications, telecommunication networks, data, and related resources. Non-sensitive Business Data - Non-sensitive business data are non-personal data that are not necessarily proprietary to an institution. The protection of these data are neither regulated nor controlled by law or contractual obligations, as the protection of the data is at the discretion of the data owner. If lost or illegitimately modified, these data will generate no negative impacts to individual business units or the institution as a whole. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions. Principle of Least Privilege This principle requires that each user in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Sensitive Data Data that are proprietary to an institution, where if lost or illegitimately modified, can cause negative impact to the individual units or the institution as a whole. Examples include employee performance evaluations, faculty salary or contract information, and proprietary research data. Separation of Duties Assignment of responsibilities such that no one individual or function has control of an entire process. It is a technique for maintaining and monitoring accountability and responsibility for IT systems and data. Personnel Security Page 3

System Administrator An analyst, engineer, or consultant who implements, manages, and/or operates an IT system and manages the data that is stored on that system at the direction of the System Owner and Data Owner. The System Administrator implements security controls and other requirements of SOM information security program on an IT system for which he or she has been assigned responsibility. IV. RESPONSIBILITIES Every member of VCU School of Medicine faculty, staff, contractors, and affiliates with access to sensitive business data is responsible for the confidentiality, integrity and security of the sensitive data stored, processed, and/or transmitted physically and electronically. All personnel with access to sensitive business data are required to follow the security requirements set forth in this standard. The VCU School of Medicine Information Security Manager is responsible for reviewing and auditing this standard annually. V. ACCESS DETERMINATION AND CONTROL A. Access to sensitive data in the VCU School of Medicine must be authorized and approved by the data owner. B. Authorization of physical and logical access to sensitive IT systems and data and the facilities that houses them must follow the principle of least privilege. C. Unique user names and passwords must be assigned to individuals for access to sensitive data stored in any VCU School of Medicine systems. D. Individuals with access to sensitive data must keep his or her login information (combination of user IDs and passwords) confidential. Any sharing of individual user names or passwords is strictly prohibited. E. The supervisors of IT system users must notify Human Resources department to conduct background investigations of IT system users commensurate with risks associated with access to sensitive IT systems or data as directed by VCU or VCUHS Human Resources. Existing users may be grandfathered under the policy and may not be required to have background investigations (Human Resources will coordinate the background investigation). Personnel Security Page 4

F. The supervisor of the IT system user must notify the appropriate system administrator(s) and IT support staff within 24 hours of personnel transfer, termination, or suspension due to disciplinary purposes. The system administrator(s) and IT staff must remove the personnel s physical and logical access to systems under their control within 3 business days of the receipt of this notification. G. Upon transfer or termination, the supervisor of the IT system user must ensure the return of VCU logical and physical assets that provide access to sensitive IT systems, data, and the facilities that house them. H. The business function owner must establish separation of duties in order to protect sensitive IT systems and data, or establish compensating controls when constraints or limitations of VCU prohibit a complete separation of duties, as directed by VCU Controller s Office. VI. INFORMATION SECURITY AWARENESS AND TRAINING Information Security Awareness and Training requirements identify the steps necessary to provide all IT system users with awareness of information security requirements and of their responsibilities to protect information systems and data: A. All IT systems users with access to sensitive data must complete an information security awareness training annually and certify their acceptance and understanding of the VCU and / or VCUHS ACE, and SOM information security standards. B. All IT system users must receive information security training before (or as soon as practicable after) receiving access rights to VCU School of Medicine IT systems, and in order to maintain these access rights. VII. ACCEPTABLE USE Acceptable use requirements identify the steps necessary to define acceptable and permitted use of IT systems: A. Any discussion and disclosure of sensitive data to individuals who are not authorized to receive these data is strictly prohibited. B. All authorized users of sensitive data must accept, follow and certify their understanding of the VCU Acceptable Use Policy. The VCU Acceptable Use Policy can be found at http://www.ts.vcu.edu/policies/computeruse.html. C. All IT System users must understand and accept the fact that VCU reserves the right to monitor, and access all data created, sent, received, Personnel Security Page 5

processed, or stored on VCU systems with a reasonable cause, at reasonable times, and after reasonable notice, except in the event of a bona fide emergency. D. Administrative rights to IT systems that contain sensitive data must be authorized by authoritative unit head and restricted to authorized users only. E. Copyrighted and licensed materials must be used in compliance with the applicable intellectual property and fair use laws and the VCU Intellectual Properties Policy. The VCU Intellectual Properties Policy can be found at http://www.research.vcu.edu/p_and_g/ippolicy.htm F. Unencrypted transmission of confidential and protected data via electronic mail or other electronic transmission medium is strictly prohibited. All electronic transmission of confidential and protected data must be encrypted. VIII. REPORTING LOSS AND THEFT OF EQUIPMENT OR DATA In the event a computer workstation is lost or stolen, the theft or loss must be reported immediately to the VCU police at 828-1196. In the event that sensitive data is suspected lost or stolen, the theft or loss must be reported immediately to the VCU information security office at 828 1105 or VCUHS information security office at 628 1144. IX. EXCEPTIONS Exception requests to this standard must be filed with, and submitted to, VCU School of Medicine Information Security Manager. Any exception request should use the exception request form attached in appendix A. X. COMPLIANCE Compliance with this Personnel Security standard is the responsibility of all personnel who are authorized to access sensitive VCU School of Medicine data. This establishes standards for these personnel s actions in recognition of the fact that these personnel are provided unique system and data access, and that non-compliance to this standard will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow this standard may range from a verbal or written report, temporary revocation of system and data access, termination of employment, to legal proceedings against the personnel depending on the severity of the violation. All personnel who have access to School of Medicine data are expected to read, understand and agree to the responsibilities defined in this standard and any published revisions of this standard. Personnel Security Page 6

XI. REFERENCES A. VCU Information Security Standard section 6: Data protection B. VCU Affiliated Covered Entity ACE-0015: Access Controls C. VCU Affiliated Covered Entity ACE-0018: Person or Entity Identification D. NIST Special Publication 800-18 Revision 1: Guide for Developing Security Plans for Federal Information Systems Personnel Security Page 7

Appendix A. VCU SOM Policy and Standard Exception Request Form Requestor: Unit Name: Authoritative Unit Head: Contact phone: Requirement to which an exception is requested: Date: 1. Provide the business or technical justification for exception: 2. Describe the scope, including quantification and requested duration (not to exceed 1 year): 3. Describe all associated risks, including the sensitivity and criticality of hardware or data involved in exception: 4. Identify the compensating controls to mitigate the risks: 5. Identify any unmitigated risks: 6. When will compliance with policy be achieved? By submitting this form, the Authoritative Unit Head acknowledges that they have evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances. Authoritative Unit Head Signature: Date: VCU / VCUHS Information Security Officer (ISO) Use Only Approval: Approved Denied: CISO: Comments: Date: Personnel Security Page 8

VCU / VCUHS Chief Information Officer (CIO) Use Only Approval: Approved Denied: Agency Head: Comments: Date: VCU / VCUHS Chief Information Officer (CIO) Use Only (Used for Appeal) Approval: Comments: Approved Denied: CIO: Date: Completed exception forms must be submitted to VCU Information Security Office or VCUHS Information Security Office depending on the ownership of the data involved Contact information: VCU Information Security Officer: 828 1015 Phone VCUHS Information Security Officer: 628 1144 Phone Personnel Security Page 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback