DETAILED POLICY STATEMENT

Similar documents
Standard for Security of Information Technology Resources

UTAH VALLEY UNIVERSITY Policies and Procedures

Subject: University Information Technology Resource Security Policy: OUTDATED

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Information Technology Standards

Cyber Security Program

Education Network Security

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Checklist: Credit Union Information Security and Privacy Policies

01.0 Policy Responsibilities and Oversight

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

INFORMATION SECURITY AND RISK POLICY

Virginia Commonwealth University School of Medicine Information Security Standard

Privacy Breach Policy

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Information Security Controls Policy

Lakeshore Technical College Official Policy

HIPAA Security and Privacy Policies & Procedures

Number: USF System Emergency Management Responsible Office: Administrative Services

MNsure Privacy Program Strategic Plan FY

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Information Security Incident Response and Reporting

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Security and Privacy Governance Program Guidelines

A company built on security

Employee Security Awareness Training Program

University of Pittsburgh Security Assessment Questionnaire (v1.7)

SECURITY & PRIVACY DOCUMENTATION

7.16 INFORMATION TECHNOLOGY SECURITY

Policies and Procedures Date: February 28, 2012

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Red Flags/Identity Theft Prevention Policy: Purpose

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Company Policy Documents. Information Security Incident Management Policy

CCISO Blueprint v1. EC-Council

Cybersecurity in Higher Ed

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Red Flags Program. Purpose

Cybersecurity: Incident Response Short

Credit Card Data Compromise: Incident Response Plan

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

A Homeopath Registered Homeopath

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Apex Information Security Policy

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Protecting your data. EY s approach to data privacy and information security

HIPAA Security Manual

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Putting It All Together:

Annual Report on the Status of the Information Security Program

Data Compromise Notice Procedure Summary and Guide

Information Technology General Control Review

Security Policies and Procedures Principles and Practices

Cyber Risks in the Boardroom Conference

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Vulnerability Management Policy

Information technology security and system integrity policy.

The Common Controls Framework BY ADOBE

Information Security Incident Response Plan

Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014)

Information Technology Branch Organization of Cyber Security Technical Standard

ISC10D026. Report Control Information

Access to University Data Policy

Information Security Controls Policy

Information Security Incident Response Plan

Bring Your Own Device Policy

Higher Education Privacy Update

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

University of North Texas System Administration Identity Theft Prevention Program

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

Virginia Commonwealth University School of Medicine Information Security Standard

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

ISE North America Leadership Summit and Awards

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Cybersecurity and Hospitals: A Board Perspective

IDENTITY THEFT PREVENTION Policy Statement

Data Backup and Contingency Planning Procedure

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

External Supplier Control Obligations. Cyber Security

The University of Tennessee. Information Technology Policy (ITP) Preamble

Big data privacy in Australia

Transcription:

Applies To: HSC Responsible Office: HSC Information Security Office Revised: New 12/2010 Title: HSC-200 Security and Management of HSC IT Resources Policy POLICY STATEMENT The University of New Mexico Health Sciences Center (HSC) expects all individuals using information technology devices that at any time connect to the HSC network to take appropriate measures to manage the security of those devices. DETAILED POLICY STATEMENT The university must preserve its information technology resources, comply with applicable Federal regulations (HIPAA, FERPA, etc.) and state legislation, and maintain good security practices as a matter of public trust and confidence. Toward these ends, faculty, staff, students, and other HSC community members must share in the responsibility for the security of information technology devices. APPLICABILITY All units of the UNM Health Science Center. All UNM workforce members who have access to HSC information systems containing administrative, research, student and patient information. Additionally, all healthcare components of UNM that are under the jurisdiction of HSC as designated in UNM Board of Regents Policy Number 2.13.4 University HIPAA Compliance Policy. WHO SHOULD READ THIS POLICY All members of the UNM Health Sciences Center community. All UNM workforce members who have access to HSC information systems containing administrative, research, student and/or patient information. POLICY AUTHORITY Executive Vice President for Health Sciences HSC Executive Compliance Committee with advice from the IT Security Council HSC Information Security Officer (ISO) / HIPAA Security Officer RELATED DOCUMENTS UNM/HSC Documents UNM Business Policies and Procedures Manual UNM Faculty Handbook UNMH Administration and Human Resources Policies HSC Compliance and HIPAA Policies Security of HSC Electronic Information HSC Unit IT Security Guidelines Current Policies: 1. HSC Policy 8.1, Security Incident Procedure 2. HSC Policy 8.2, Response and Reporting 3. HSC Policy 4.5, Information Access Authorization, Establishment, and Page 1 of 7

Modification 4. HSC Policy 2.1, Security Management Process 5. HSC Policy 7.1, Workstation Use and Security UNM/HSC Training HSC Code of Conduct; HSC Culture of Compliance HSC HIPAA Competencies; HIPAA and Breach Notification Other Documents: Health Insurance Portability and Accountability Act DEFINITIONS The following definitions apply to these terms as they are used in this policy. Information Any adverse event whereby some aspect of UNM/HSC computer security Technology (IT) could be threatened: loss of data confidentiality, disruption of data or Security Incident system integrity, or disruption or denial of availability. A security incident may be logical, physical or organizational, for example a computer intrusion, loss of secrecy, information theft, fire or an alarm that doesn't Information Technology (IT) Device Information Technology (IT) Resources Local Support Provider Software Patch Unit Unit Head Unit Security Liaison User HSC Information Security Officer work properly, and may be accidental or deliberate. Any device involved with the processing, storage, or forwarding of information making use of the UNM/HSC (IT Device) information technology infrastructure or attached to the HSC network. These devices include, but are not limited to, laptop computers, desktop computers, personal digital assistants, smartphones, servers, network devices such as routers or switches, printers, and devices that serve a clinical function. The full set of information technology devices (personal computers, printers, servers, networking devices, etc.) involved in the processing, storage, and transmission of information. An individual (either assigned by central IT support or a member of the unit) with responsibility for local IT device support. These individuals are responsible for meeting HSC IT device standards by following HSC practices with regard to the installation, configuration, security, and ongoing maintenance of an information technology device. Software that is distributed to fix a specific set of problems or vulnerabilities in such things as computer programs or operating systems. A computer vendor will usually distribute a patch as a replacement for or an insertion in compiled code within computer operating systems or applications. An HSC department, program, research center, business service center, or other operating unit. The individual with administrative responsibility for a unit. The person whom the Unit Head designates as the primary contact for the HSC Information Security Officer. Any individual who uses an information technology device such as a computer. The HSC Information Security Officer is the university officer with the authority to coordinate HSC campus information technology security, with a specific focus on Confidential (Level 1) information described in the HIPAA Security Rule. The HSC ISO reports to the IT Security Page 2 of 7

Malware (virus) OVERVIEW Introduction Council and Executive Compliance Committee. Through direction from those committees and through consultation with KMIT Committees and other stakeholders, the HSC ISO determines technical, administrative, and physical IT security procedures and reviews them annually, at a minimum. Shortened form of the term malicious software which is software designed to infiltrate a computer system without the user s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. The term computer virus is sometimes used as a catch-all phrase to include all types of malware including true viruses. (Reference: Wikipedia Malware ) In order to manage information technology security comprehensively, this policy serves four major purposes. 1. It establishes the principle that every information technology (IT) device connected to the HSC network must have at least one individual managing the security of that device. 2. It requires units to designate Unit Security Liaisons (see the "Obligations of the Unit Security Liaison" segment of this document). 3. It creates the following five categories of individuals, each with specific obligations and responsibilities regarding the security of information technology devices: User; Local Support Provider; Unit Security Liaison; Unit Head; HSC Information Security Officer (HSC ISO). 4. The HSC ISO can modify obligations by submitting additions/modifications for approval by the IT Security Council which would, upon acceptance, submit the changes to the Executive Compliance Committee or the Executive Vice President for Health Sciences for final approval. Note: All users of IT devices must follow the procedures outlined in the "Obligations of Users" segment of this document. Note: The focus of this policy is on the security of information technology devices and resources, and not on specifics for the management of data or any particular class of data. For information concerning data, please consult the following: (1) Policy HSC-210 Security of HSC Electronic Information, which provides the authority for and guidance toward maintenance and protection of institutional information assets and compliance with applicable Federal regulations (HIPAA, FERPA, etc.) and state legislation, and (2) HSC Policy 2.1, Security Management Process, which provides the Page 3 of 7

authority for and guidance toward the development of procedures for the access to, as well as the preservation and proper management of, data in specific functional areas. PROCEDURES Obligations of the User Any individual who uses an IT device (see the "Definitions" section of this document) is a user. Each of these devices may or may not have a Local Support Provider assigned to it. Obligations of a Local Support Provider Typically, HSC-owned IT devices located in campus workspaces have Local Support Providers assigned to them. Note: If you cannot perform or do not understand any of the obligations assigned to users, contact the HSC Support Centers, UNMH at UHHelpDesk@salud.unm.edu or HSLIC at Helpdesk@salud.unm.edu Obligations of a User 1. Understand and comply with current policies, requirements, guidelines, procedures, and protocols concerning the security of the HSC s electronic networks and devices (see the "Related Documents" section of this document). 2. Comply with guidelines and practices established by the Local Support Provider for the IT device. 3. Contact your Local Support Provider or Unit Security Liaison whenever a questionable situation arises regarding the security of your IT device. 4. If there is no Local Support Provider, contact the Unit Security Liaison to determine the appropriate HSC Support Center which will install and maintain HSC-approved security applications (anti-virus, operating system updates, application updates, etc.). 5. Protect the resources under your control with the responsible use of secure passwords. Contact your Local Support Provider or Unit Security Liaison with any questions. 6. Under the direction of the Local Support Provider or appropriate HSC Support Center, assist as requested to remediate a detected vulnerability or compromise. 7. Comply with directives of HSC officials such as the HSC Information Security Officer, as well as the Unit Security Liaison, or Local Support Provider(s), to maintain the security of devices attached to the network. 8. Follow IT security incident reporting requirements in accordance with HSC Policy 8.1, Security Incident Procedure. A Local Support Provider is an individual (either assigned by central IT support or a member of the unit) with responsibility for local IT device support. These individuals are responsible for meeting HSC IT device standards by following HSC practices with regard to the installation, configuration, security, and ongoing maintenance of an IT device. A Local Page 4 of 7

Support Provider seeking guidance or clarification should contact his or her Unit Security Liaison or the HSC Information Security Officer. The Local Support Provider will be knowledgeable and comply with the current policies, requirements, guidelines, procedures and protocols concerning the security of the HSC s information technology resources as defined by this policy and the HSC ISO. 1. Follow the HSC Policy, Security of HSC Electronic Information for configuring and securing IT devices. 2. Understand and document the specific configurations and characteristics of the IT devices he or she supports to be able to respond to emerging information technology threats and to support security event mitigation efforts appropriately. 3. Understand and recommend the appropriate measures to provide security to the resources under his or her unit, including physical, administrative, and technical security as determined by the HSC ISO. 4. Follow IT security incident reporting requirements in accordance with HSC Policy 8.1, Security Incident Procedure. Obligations of the Unit Security Liaison Note: Local Support Providers should be mindful of potential responsibilities they may have as custodians of unit data transmitted or stored on IT devices under their control. Please consult HSC Policy, Security of HSC Electronic Information, for further guidance. The Unit Security Liaison is the person whom the Unit Head designates as the primary contact for the HSC Information Security Officer. For further guidance or clarification, contact the HSC ISO. The Unit Security Liaison is responsible for the following: 1. Act as the unit point of contact with the HSC ISO. 2. Implement a security program consistent with the requirements of this policy (for example, the implementation of security assessment, best practices, education and training), consistent with HSC Policy, Security of Electronic Information and in keeping with the specific information technology security needs of his or her unit. This will include the following: a. Identify the information technology resources within his or her unit. b. Provide proper information and documentation about those resources. c. Oversee compliance with applicable Federal regulations (HIPAA, FERPA, etc.) and state legislation. d. Respond to, coordinate, and support security risk assessments for the unit s information technology resources. 3. Implement unit procedures and protocols for the reporting of IT security incidents in accordance with HSC Policy 8.1, Security Incident Procedure. Note: The Unit Security Liaison may want to take specific measures Page 5 of 7

Obligations of the Unit Head toward the protection of data stored or transmitted on the IT devices for the unit and/or be mindful of any potential responsibilities as custodians of unit data. Please consult with HSC Policy, Security of HSC Electronic Information for guidance. Unit Heads have overall, local responsibility for the security of information technology resources under their control. For further guidance, contact the HSC Information Security Officer. Obligations of the HSC Information Security Officer The Unit Head's oversight responsibilities in relation to security information technology resources include, but are not limited to, the following: 1. Identify a Unit Security Liaison to the HSC Information Security Officer. The Unit Security Liaison may also be the Local Support Provider (depending upon the size of the unit). 2. Ensure that, through the Unit Security Liaison, a security program is implemented for the unit consistent with requirements of this policy (for example, the implementation of security assessment, best practices, education and training). The security program must follow HSC Policy, Security of HSC Electronic Information, as well as address the specific information technology security needs of his or her unit. 3. Control continuity of support for all the IT devices in the unit such that termination or a change in the role of the Local Support Provider will not result in the abandonment of responsibility for those IT devices. 4. Oversee the creation and implementation of procedures for the reporting of IT security incidents in accordance with HSC Policy 8.1, Security Incident Procedure. Note: Unit Heads may want to take specific measures toward the protection of data stored or transmitted on the IT devices under their management. Please consult HSC Policy 2.1, Security Management Process and HSC Policy, Security of HSC Electronic Information for guidance. The HSC Information Security Officer is the university officer with the authority to coordinate HSC campus information technology security, with a specific focus on Confidential (Level 1) information described in the HIPAA Security Rule. The obligations of the HSC Information Security Officer are to: 1. Develop a comprehensive security program that includes risk assessment, best practices, education, and training. 2. Assist or lead IT security incident resolution for the HSC and individual units. 3. Strive for proper identification, analysis, resolution, and reporting of HSC IT security incidents. 4. Develop, implement, and support HSC-level security monitoring and analysis. 5. Support and verify compliance with applicable Federal regulations Page 6 of 7

SUMMARY OF CHANGES New Policy (HIPAA, FERPA, etc.) and state legislation. DOCUMENT APPROVAL & TRACKING Item Contact Date Approval Owner Barney D. Metzner, HSC ISO, HIPAA Security Officer 272-1696 Committee(s) HSC Executive Compliance Committee HSC IT Security Council Y Legal (Required) Scot Sauder, Senior Associate University Counsel-- Health Law Section Leader, Office of University Counsel Y Official Approver Dr. Paul Roth, Executive Vice President for Health Sciences Official Signature Date: 12/21/2010 Origination Date: 12/2010 Issue Date 1/7/2011 ar ATTACHMENTS None. Page 7 of 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback