Information Technology Standards

Similar documents
Employee Security Awareness Training Program

Data Compromise Notice Procedure Summary and Guide

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Virginia Commonwealth University School of Medicine Information Security Standard

DETAILED POLICY STATEMENT

Virginia Commonwealth University School of Medicine Information Security Standard

Media Protection Program

Red Flags Program. Purpose

IAM Security & Privacy Policies Scott Bradner

Data Security Policy for Research Projects

Red Flags/Identity Theft Prevention Policy: Purpose

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

UTAH VALLEY UNIVERSITY Policies and Procedures

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Protecting Your Gear, Your Work & Cal Poly

Checklist: Credit Union Information Security and Privacy Policies

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Subject: University Information Technology Resource Security Policy: OUTDATED

Mobile Device policy Frequently Asked Questions April 2016

GM Information Security Controls

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

NEOMED OPERATIONAL POLICY

University of North Texas System Administration Identity Theft Prevention Program

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

POLICY 8200 NETWORK SECURITY

ANNUAL SECURITY AWARENESS TRAINING 2012

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Department of Public Health O F S A N F R A N C I S C O

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Identity Theft Prevention Policy

7.16 INFORMATION TECHNOLOGY SECURITY

Data Protection Policy

HIPAA Security and Research VALERIE GOLDEN, HIPAA SECURITY OFFICER

INFORMATION ASSET MANAGEMENT POLICY

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Department of Public Health O F S A N F R A N C I S C O

Name of Policy: Computer Use Policy

Data Backup and Contingency Planning Procedure

Computing Policies / Procedures

Security and Privacy Breach Notification

Wireless Security Access Policy and Agreement

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

SHS Annual Information Privacy and Security Training

Annenberg Public Policy Center Sensitive National Annenberg Election Survey Data 1 Access: Application

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

IDENTITY THEFT PREVENTION Policy Statement

HIPAA FOR BROKERS. revised 10/17

TIME SYSTEM SECURITY AWARENESS HANDOUT

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

Standard for Security of Information Technology Resources

Acceptable Use Policy

TABLE OF CONTENTS. I. Policy 2. III. Supportive Data 2. IV. Signature Block with Effective Date 3. V. Definitions 3. VI. Protocol 4. VII.

HIPAA and HIPAA Compliance with PHI/PII in Research

Privacy & Information Security Protocol: Breach Notification & Mitigation

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Information Technology Update

Cybersecurity in Higher Ed

Information Classification & Protection Policy

ISSP Network Security Plan

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Federal Security Rule H I P A A

Information Security Policy for Associates and Contractors

HIPAA Compliance Checklist

Guidelines for Use of IT Devices On Government Network

NMHC HIPAA Security Training Version

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

HIPAA Security and Privacy Policies & Procedures

PCA Staff guide: Information Security Code of Practice (ISCoP)

Information Security Data Classification Procedure

U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC)

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

HIPAA Privacy and Security Training Program

HELPFUL TIPS: MOBILE DEVICE SECURITY

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

Information Security Policy

PS 176 Removable Media Policy

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Ulster University Standard Cover Sheet

University of Wisconsin-Madison Policy and Procedure

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

GREATER ESSEX COUNTY DISTRICT SCHOOL BOARD

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

RMU-IT-SEC-01 Acceptable Use Policy

Wireless Services Allowance Procedure

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Red Flag Policy and Identity Theft Prevention Program

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

Altius IT Policy Collection Compliance and Standards Matrix

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Enviro Technology Services Ltd Data Protection Policy

Company Policy Documents. Information Security Incident Management Policy

Transcription:

Information Technology Standards IT Standard Issued: 9/16/2009 Supersedes: New Standard Mobile Device Security Responsible Executive: HSC CIO Responsible Office: HSC IT Contact: For questions about this standard, please contact The HSC Security Officer. For assistance in compling with this standard, please call user support at HSLIC 272-1694 or UNMH at 272-DATA. Summary of Standard: As mobile devices further incorporate features traditionally found in a personal computer, their smaller size and affordability make these devices a valuable tool in a wide variety of applications. However, these devices are also subject to increased risk of loss, breakage, theft and unauthorized use. Glossary: HSC Mobile device: includes any HSC owned device that is both portable and capable of collecting, storing, transmitting or processing electronic data or images. Examples include, but are not limited to, laptops or tablet PCs, personal digital assistants (PDAs), and smart phones such as Blackberries. This definition also includes storage media, such as USB hard drives or memory sticks, SD or CompactFlash cards, and any peripherals connected to a mobile device. This standard does not apply to device covered by other standards, such as security badges with magnetic or embedded storage technologies or any mobile medical device not intended as a personal computing, communication or storage device. Personal mobile device: includes any mobile device that is not owned or issued by the University of New Mexico Health Sciences Center. Sensitive information: includes, but is not limited to, Personal identity information (PII): includes Social Security Numbers, credit card numbers, bank and credit union account numbers, health insurance plan identification numbers, drivers license numbers, dates of birth, and other similar information associated with an individual student or employee that, misused, might enable assumption of that individual's identity ("identity theft") to compromise that person's personal or financial security. Protected health information (PHI): includes health information that is associated with at least one of eighteen identifiers that make the information individually identifiable. The eighteen identifiers include name, address, SSN, date of birth, date of health care, and other elements listed in the HIPAA regulations. Health information about groups of people (population data, mean and median data, aggregate data, etc.) that cannot be related to individuals is not PHI. Student educational record information: includes records that are based on student status and maintained by the University or a party acting for the University. Access to student records is governed by the UNM Student Records Policy and the Family Educational Rights and Privacy Act (FERPA). Sole possession records, medical or psychological records, alumni records, employment records, and law enforcement records are not considered student educational records and not subject to FERPA. HSC IT Security Mobile Device Security 1 of 5

Who is Affected by this Standard: All HSC faculty, staff, and students; employees of the University Medical Group UMG;.as well as vendors, contractors or any others who utilize a HSC mobile device to access the HSC network or store HSC information. This policy applies to everyone at all campuses and sites of the HSC. There are no exemptions. Resources: All electronic HSC mobile devices that are used to access the University of New Mexico Health Science Center s network or to store UNM HSC information. Why We Have this Standard: The purpose of this standard is to provide guidelines for the appropriate use and configuration of HSC mobile devices as necessary to protect the restricted HSC network and\or information from unauthorized access or disclosure. Responsibilities: Standards: I. General Guidelines for the Use of HSC Mobile Devices Personal mobile devices that are used to access the UNM HSC network must conform to the security requirements outlined in the HSC s Information Technology Standards for Users Recovery software. All portable computers (laptops and tablets) owned by the University or the HSC Research Institutes must have tracking data or software installed to enable their identification and retrieval in the event of loss or theft. Physical protection. Mobile devices owned or issued by the University must not be left unattended in a public space and, where possible, must be physically locked away or secured Device identification. All laptops, tablets, PDAs, Blackberries, smart phones and portable hard drives owned or issued by the University must be permanently marked as "Property of the University of New Mexico or UNM Hospitals" and indicate a method of return if the device is lost. Virus protection. Any HSC mobile device that is capable of using antivirus software must have the software installed and configured to maintain updated virus software and signatures. Contact Support/Help Desk (2- DATA,2-1694) for information on approved antivirus software. Security Updates. A procedure must be established and implemented to ensure that all security patches and updates relevant to the device or installed applications are promptly applied in compliance with the HSC s Standards. Disable unused services. Wireless, infrared, Bluetooth or other connection features should be turned off when not in use. Storage of passwords. The storage of user IDs and passwords which allow access to the HSC network or its systems is prohibited on all mobile devices, unless done in accordance with approved HSC Standards. Termination of University relationship. All University-owned mobile devices must be returned to the appropriate HSC department immediately upon termination of the assigned user s relationship with the department or HSC IT Security Mobile Device Security 2 of 5

University. In addition, any software applications purchased by the University and installed on personal mobile devices must be removed immediately by the user. Report any suspected misuse or theft of a mobile device immediately to Information Security and the campus police. II. Additional Requirements for HSC Mobile Devices Used to Access or Store Sensitive Information The following represent best practices for anyone utilizing a mobile device; however, HSC mobile devices used to access or store sensitive information must meet the following requirements. Access and use sensitive information appropriately. Sensitive information must not be stored on mobile devices without prior approval from your department Director or Chair. For more information on identifying and handling sensitive information, refer to (Data Classification Standard, locate at http://cio.unm.edu/standards/index.html) Use of personal devices is restricted. Official records may only be stored on or accessed directly by mobile devices that are owned, issued or approved for use in writing by UNM or UNMH. Use of personal USB drives (also known as "thumb drives") or such devices without proper encryption and password protection for the storage of sensitive information is prohibited. Device registration and certification. Any mobile device used to access or store sensitive information must be registered with and certified by Information Technology Security prior to its use. Contact the Information Security staff for information about mobile device registration and certification. Physical protection. Users must make every reasonable effort to physically secure mobile devices. Mobile devices used to access or store sensitive information must not be left unattended in public or other unsecured areas and, where possible, must be physically locked away or secured. In addition, any portable media (for example, portable hard drives, CD-R or DVD-R disks used for backup of systems containing sensitive information must be stored securely in locked drawers, cabinets or other secure enclosures. Exclusivity of use. Any mobile device that has been registered and approved to store sensitive information must not be shared with any other person without prior written approval from Information Security. Password protection. Access to the mobile device must be protected by the use of a password that meets the requirements outlined in the UNM password standard. Use of encryption. All mobile devices containing sensitive information must consistently encrypt all files using an encryption method that has been approved by Information Security. Contact the Information Security staff for information on approved encryption solutions. Secure connectivity. Any sensitive information transmitted to or from the mobile device (e.g., wireless or the Internet) must be encrypted. Synchronization. Mobile devices containing sensitive information must only synchronize data with sync stations, workstations or other devices that also have been approved for the storage of the sensitive information. HSC IT Security Mobile Device Security 3 of 5

Protection of information. Reasonable care must be taken when using mobile computing facilities in public places, meeting rooms or other unprotected areas outside of the HSC s premises to avoid the unauthorized access to or disclosure of the information stored on or accessed by the device. Termination of University or department relationship. Sensitive information must be removed from the device immediately upon termination of the assigned user s relationship with the University. Dispose of the device properly. Mobile devices and other electronic equipment that contain, are used to access sensitive information, or have been used to access sensitive information in the past must be disposed of as outlined in the HSC Policy titled 7.4 - Disposal - ephi Backup. Any single instance, critical data, stored on a HSC mobile device must be transferred to the official electronic medical record system for backup. Exceptions Requests for exceptions to this standard may be granted only under special circumstances. Any requests must be submitted in writing to the Information Security Officer for approval. Exceptions will be permitted only on receipt of written approval from Information Security. Information Security will retain documentation of currently permitted exceptions and will review them on an annual basis. Enforcement Suspected or known violations of this standard will be reported to the appropriate University officials, and may result in: Loss of individual computing privileges. Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action. Disconnection of non-compliant systems from the UNM/HSC network Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies. Website Address for this Standard: https://hsc.unm.edu/about/cio/user-support/it-policies-and-standards.html Related Documents: HSC: Password Management ephi, UNMH: IT Security- Password Management, Controls and Standards, HSC: Encryption ephi, HSC: Workstation Use and Security ephi, HSC: Disposal ephi, UNMH: IT Security-ePHI Information Disposal Contact information For information on this policy, please contact: HSC IT Security Mobile Device Security 4 of 5

Information Security Officer Barney Metzner HSC Security Office MSC09-5100 272-1696 HSC CIO Dr. Holly Buchanan HSC Chief Information Officer 272-2548 UNMH CIO Ron Margolis Chief Information Officer 272-2168 Public Safety Officer UNM Campus police 2500 Campus Blvd. NE, Hokona Hall Albuquerque, NM 87124 505) 277-2241 To report suspected non-compliance activities to a corporate compliance officer: UNM Hospitals 272-8761 University Physicians Associates 272-6036 SOM Office of Research 272-1887 HSC Compliance Hotline 1-888-899-6092 (anonymous) HSC Legal Department 272-2463 UNMH Security Dispatch 272-2160 HSC IT Security Mobile Device Security 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback