Access to University Data Policy

Similar documents
UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

UTAH VALLEY UNIVERSITY Policies and Procedures

01.0 Policy Responsibilities and Oversight

Virginia Commonwealth University School of Medicine Information Security Standard

University of Sunderland Business Assurance PCI Security Policy

Table of Contents. PCI Information Security Policy

Subject: University Information Technology Resource Security Policy: OUTDATED

DATA STEWARDSHIP STANDARDS

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Identity Theft Prevention Policy

Information Security Incident Response and Reporting

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Oracle Data Cloud ( ODC ) Inbound Security Policies

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Cybersecurity in Higher Ed

Employee Security Awareness Training Program

Information Classification & Protection Policy

Red Flags/Identity Theft Prevention Policy: Purpose

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Privacy Policy on the Responsibilities of Third Party Service Providers

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Seven Requirements for Successfully Implementing Information Security Policies and Standards

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

POLICIES AND PROCEDURES

CERTIFICATE POLICY CIGNA PKI Certificates

Red Flags Program. Purpose

Policies and Procedures Date: February 28, 2012

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

eprost System Policies & Procedures

Security Standards for Information Systems

Putting It All Together:

DRAFT 2012 UC Davis Cyber-Safety Survey

IAM Security & Privacy Policies Scott Bradner

SECURITY & PRIVACY DOCUMENTATION

Remote Access Policy

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Ohio Supercomputer Center

University of Pittsburgh Security Assessment Questionnaire (v1.7)

HIPAA Security and Privacy Policies & Procedures

Access Control Policy

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

SCHOOL SUPPLIERS. What schools should be asking!

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Department of Public Health O F S A N F R A N C I S C O

Information Security Policy

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

The University of British Columbia Board of Governors

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Data Backup and Contingency Planning Procedure

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Post-Secondary Institution Data-Security Overview and Requirements

Standard for Security of Information Technology Resources

Guidelines for Data Protection

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Data Privacy Breach Policy and Procedure

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Data Processing Agreement

Integrating HIPAA into Your Managed Care Compliance Program

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

PS Mailing Services Ltd Data Protection Policy May 2018

RMU-IT-SEC-01 Acceptable Use Policy

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

<< Practice Test Demo - 2PassEasy >> Exam Questions CISM. Certified Information Security Manager.

Mobile Device policy Frequently Asked Questions April 2016

Cyber Security Program

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Regulation P & GLBA Training

Data Governance Framework

Virginia Commonwealth University School of Medicine Information Security Standard

University Policies and Procedures ELECTRONIC MAIL POLICY

Emsi Privacy Shield Policy

SPRING-FORD AREA SCHOOL DISTRICT

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Texas Health Resources

Protecting Personally Identifiable Information (PII) Privacy Act Training for Housing Counselors

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

State of West Virginia Department of Health and Human Resources (DHHR) Office of Management Information Services (OMIS)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Swanson School of Engineering University of Pittsburgh

Rev.1 Solution Brief

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Technology Control Plan

Southern Adventist University Information Security Policy. Version 1 Revised Apr

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Data Security Policy for Research Projects

POLICY 8200 NETWORK SECURITY

Transcription:

UNIVERSITY OF OKLAHOMA Health Sciences Center Information Technology Security Policy Access to University Data Policy 1. Purpose This policy defines roles and responsibilities for protecting OUHSC s non-public data and the Information Systems (IS) on which the data are maintained from unauthorized access, unauthorized disclosure, or misuse. 2. Policy Access to University data and IS must be authorized by the IS Owner prior to granting access for business use. The following defines OUHSC s requirements for managing logical access to data and IS. 2.1 University Data Must Be Classified OUHSC data shall be classified by the IS Owner and/or the IS Administrator and/or IT Security, in accordance with OUHSC s Information System and Data Classification Policy. 2.2 Information System Access Control Procedures IS Owners must document and implement procedures for the authorization, establishment, modification, and removal of access to data and IS, to be maintained by the IS Owner. A template is available from IT Security to assist in these documentation efforts. At a minimum, these procedures must include: For All Category A and Category B data and Information Systems Only 1. The levels of access available in the IS. 2. Procedures for authorization and approval to grant new access, modify access, and delete access requests, in accordance with departmental Role-Based Access Worksheets or to only those with a need to know, to prevent unauthorized access to IS. 3. Procedures for tracking access requests of any type (new, modify, delete). 4. Procedures and assigned roles/responsibilities for reviewing access levels, at least annually, and more frequent, as necessary. 5. How logical access to Category A or Category B data is logged, in accordance with OUHSC s Activity Log Review Policy and Standard. 2.3 Information Flow Enforcement As part of the Information Security Risk Assessment process, IS Owners and/or IS Administrators are responsible for providing IT Security with the following information regarding an Information System s data flow prior to an Information System going into production use: 1. Network protocol (TCP/IP/UPD) ports necessary for IS communication 2. Encryption protocol used during transmission 3. Direction of information flow (inbound or outbound) 4. Source and destination IP addresses of IS 5. Business purpose for information flow OUHSC Information Technology Security Policies: Access to University Data Page 1 of 5

2.4 Separation of Duties For Category A Information Systems Only The principle of separation of duties is to eliminate conflicts of interest in the responsibilities and duties assigned to individuals. The following must be considered when assigning roles and responsibilities within an IS: 1. Ensure that audit functions are not performed by the same personnel who are responsible for administering access control. 2. Maintain a limited number of administrators, each of whom will have access to administrative functions based upon the minimum necessary or as-needed basis. 3. Ensure that the IS Owner and/or IS Administrator are not responsible for conducting information security testing of the IS. 2.5 Primary Authentication Method OUHSC s preferred method of authentication is OUHSC s Active Directory Lightweight Directory Access Protocol (LDAP). IS must be configured to use this authentication method, wherever possible. If OUHSC s LDAP is unavailable as the authentication method, the following must be configured by the IS to automatically enforce: 1. IS accounts must meet the OUHSC Password Management Policy and Standard: a. Complexity of passwords b. Maximum 90-day expiration for passwords c. Account lock after 5 failed login attempts d. Session or application lock after fifteen minutes of inactivity e. Passwords must be kept private and not shared with others See http://it.ouhsc.edu/policies/password_management_policy.asp and http://it.ouhsc.edu/policies/passwords.asp For Category A and B IS Only 2. IS must be configured to display the following system use notification message or banner before granting access to the IS: "This system is for the use of authorized users only. Activities on this system may be monitored and/or recorded by systems personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity or policy violation, system personnel may provide the evidence of such monitoring to law enforcement or University officials, as appropriate." 2.6 Permitted Actions Without Identification or Authentication IS Owners, IS Administrators, or IS Suppliers are responsible for identifying user actions that can be performed on the IS without identification or authentication (public access). These actions should be supplied to IT Security during the IT Product Review/Risk Assessment Process for new products and upon requests for products in place prior to the adoption of the Product Review/Risk Assessment. 2.7 Remote and External Third-Party Access to OUHSC Data Remote access into OUHSC s environment is authorized through the following mechanisms: OUHSC VPN (Requiring multi-factor authentication) OUHSC user-initiated web conference sessions for remote support purposes For Category A Information Systems Only Access by external parties to OUHSC Category A Data and the IS on which the data are maintained must be governed by the contract for goods or services, Business Associate Agreement, Memoranda of Agreement/Understanding (MOA/MOU), or other legally binding agreement that covers the access. OUHSC Information Technology Security Policies: Access to University Data Page 2 of 5

2.8 Information Sharing IS Owners and/or IS Administrators are responsible for providing IT Security with pertinent details when University data is exchanged with OUHSC IS or External Parties as part of the technical configuration, requiring network firewall rules to permit the data exchange. The following information must be supplied to IT Security as part of the IT Product Review Process, prior to the IS being placed into production use: 1. The source and destination IP address of the communication path; 2. The specific data types being shared; 3. The network protocol ports used for data sharing; 4. The file format of the file being shared; 5. The frequency of the file transfer; 6. IT Contact for data recipient in the event of technical issues; 7. Business purpose for information sharing 8. Business contact for third party 9. Other information, as requested 2.9 Training All Business Unit IS Owners and/or IS Administrators must undergo annual, and more frequently as needed, training to provide guidance for complying with the Access to University Data Policy. 3. Enforcement This policy is authorized and approved by the OUHSC Dean s Council and Senior Vice President and Provost and enforced by the IT Chief Information Officer. Internal Audit and other authorized departments of the University may periodically assess Business Unit compliance with this policy and may report violations to the University Administration and Board of Regents. 4. Scope This policy is applicable to all OUHSC faculty, staff, students, employees, Business Associates, contractors, vendors, OU Health Care Components, and others entrusted with data maintained in the University s information repositories. 5. Regulatory References FISMA Access Control Family HIPAA 45 CFR 164.308(a)(1)(ii)(B) 16 CFR Part 314 Standards for Safeguarding Customer Information [section 501(b) of the Gramm-Leach- Bliley Act ( GLB Act ), Standards for Safeguarding Customer Information, State of Oklahoma Information Security, Policy, Procedures, and Guidelines Payment Card Industry Data Security Standard (PCI DSS) 6. Related Policies IT Information System and Data Classification Policy IT Access to University Data Standard OUHSC Information Technology Security Policies: Access to University Data Page 3 of 5

IT Activity Log Review Policy 7. Review Frequency This policy is scheduled to be reviewed, updated, and modified as necessary, but at least annually. 8. Revision, Approval and Review 8.1 Revision History Version Date Updates Made By Updates Made 1.0 03/14/2007 OUHSC IT Baseline Version 2.0 08/24/2015 OUHSC IT Revised purpose and scope. Added clear responsibility in the policy statement. Annual policy review by IT. 3.0 10/18/2016 IT Security Updated Purpose statement. Updated Policy statements to include external parties and clearly define responsibilities. 3.1 10/31/2016 IT Security 3.2 03/28/2017 OUHSC IT Revised policy statements to align with FISMA Access Control families. Added classification policy statement Updated Access Control procedure policy statements Added information flow enforcement policy statement Added separation of duties policy statement Added permitted actions without identification or authentication policy statement Combined OUHSC Telework policy statements into section 2.7 policy statements Added 2.8 Information Shareing policy statements 3.3 04/03/2017 OUHSC Director of IT Information Security Added content from Password Standard and Login Banner policy. 3.4 04/04/2017 OUHSC IT Consolidated comments received from IT Security team review. Updated language to include a template available from IT Security to meet procedural requirements. 3.5 05/11/2017 OUHSC IT Security Consolidated feedback from IT and Legal Counsel review: Updated references to IS to include data Updated IT Product Review reference to IS Risk Assessment OUHSC Information Technology Security Policies: Access to University Data Page 4 of 5

8.2 Approval History Version Date Approved By 1.0 03/14/2007 Deans Council 3.5 08/08/2017 Information Security Review Board (ISRB) 3.5 10/10/2017 OUHSC Dean s Council and Senior Vice President and Provost 8.3 Review History Date Reviewed By 11/12/2014 OUHSC IT 08/24/2015 OUHSC IT 06/20/2016 OUHSC IT 10/28/2016 Legal Counsel 04/03/2017 OUHSC IT 04/04/2017 08/08/2017 ISRB OUHSC Information Technology Security Policies: Access to University Data Page 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback