Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5



Similar documents
INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

R345, Information Technology Resource Security 1

Virginia Commonwealth University Information Security Standard

The Design Society. Information Security Policy

Use & Disclosure of Protected Health Information by Business Associates

Virginia Commonwealth University School of Medicine Information Security Standard

Information Security Policy

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

Information Resources Security Guidelines

Encryption Security Standard

Information Security Program Management Standard

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

Healthcare Compliance and Hybrid Entity Designation

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Page 1 of 15. VISC Third Party Guideline

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

Customer-Facing Information Security Policy

Information Security and Electronic Communications Acceptable Use Policy (AUP)

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

Standard: Information Security Incident Management

Health Sciences Compliance Plan

Overview of the HIPAA Security Rule

Wright State University Information Security

P Mobile Device Security.

Whitefish School District. PERSONNEL 5510 page 1 of 5 HIPAA

Information Security Manager Training

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

COMPLIANCE ALERT 10-12

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

California State University, Sacramento INFORMATION SECURITY PROGRAM

Camera Use. Policy Statement and Purpose. Table of Contents

University of Sunderland Business Assurance Information Security Policy

Information Security Program

HIPAA Employee Training Guide. Revision Date: April 11, 2015

H 6191 SUBSTITUTE A AS AMENDED ======= LC02663/SUB A/2 ======= STATE OF RHODE ISLAND IN GENERAL ASSEMBLY JANUARY SESSION, A.D.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Executive Memorandum No. 27

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Top Ten Technology Risks Facing Colleges and Universities

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Information Security Incident Response

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Appendix A: Rules of Behavior for VA Employees

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

College of DuPage Information Technology. Information Security Plan

BUDGET LETTER PEER-TO-PEER FILE SHARING , , EXECUTIVE ORDER S-16-04

OFFICE OF CONTRACT ADMINISTRATION PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

Rowan University Data Governance Policy

The statements in this policy document establish HEALTHeLINK's expectations with respect to incident management.

SOCIAL MEDIA AND POLICY FOR SCHOOL OF MEDICINE AND HEALTH SCIENCES

Virginia Commonwealth University School of Medicine Information Security Standard

ITECH Net Monitor. Standards Compliance

Legislative Language

SAMPLE BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE ADDENDUM

Information Technology Security Policies

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Protecting Patient Privacy It s Everyone s Responsibility

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

HIPAA Business Associate Addendum

Data Security Incident Response Plan. [Insert Organization Name]

Information Security Policy

HIPAA BUSINESS ASSOCIATE AGREEMENT

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

ACCEPTABLE USE POLICY

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

Policy on Privileged Access

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

PII Personally Identifiable Information Training and Fraud Prevention

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

BERKELEY COLLEGE DATA SECURITY POLICY

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

Vulnerability Management Policy

Security Incident Procedures Response and Reporting Policy

Information Security Policy

University of Maryland Baltimore Information Technology Acceptable Use Policy

Administrative Procedure 3720 Computer and Network Use

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Authorized. User Agreement

How To Protect Data At Northeast Alabama Community College

plantemoran.com What School Personnel Administrators Need to know

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

BUSINESS ASSOCIATE AGREEMENT ( BAA )

ISO Controls and Objectives

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

New River Community College. Information Technology Policy and Procedure Manual

Transcription:

Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose Information technology enables more accurate, reliable, and faster information processing with information more readily available to administration, faculty, staff, and students. However, Information technology has also brought new administrative concerns, challenges, and responsibilities. Information assets must be protected from natural, technological and human hazards. Policies and practices must be established to ensure that hazards are reduced or their effects minimized. The focus of information security is ensuring reasonable and proportionate protection of information and continuation of program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining information systems. Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited. Table of Contents Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5 Who Should Know This Policy All employees, contractors, students and affiliates who generates, processes, transmits, stores or accesses VCU information are responsible for knowing this policy and familiarizing themselves with its contents and provisions. Information Security - 1 - Approved: 08/10/2015

Definitions Code of Virginia The Code of Virginia is the statutory law of the U.S. State of Virginia, and consists of the codified legislation of the Virginia General Assembly. FERPA The Family Education Rights and Privacy Act (FERPA) is a federal legislation that protects the privacy of students personally identifiable information and other relevant student educational records. In the University, FERPA typically grants the students with exclusive rights over the dissemination and distribution of their protected student educational records to third parties and requires written consent from the student before such information is disclosed, provided the student is over 18 years of age and those records are not defined as FERPA directory information. HIPAA The Health Insurance Portability and Accountability Act (HIPAA) is a federal law used to govern the healthcare industry. The law is applicable to covered entities that are involved in the provision of healthcare, billing or insurance purposes. VCU is a hybrid entity under HIPAA, meaning that certain areas in the University is covered under HIPAA Organizational Unit Within the context of this document, an organizational unit is a school, a department, or division that reports directly to a vice president. Examples of organizational units include School of Engineering, College of Humanities and Sciences, School of Medicine, Office of Technology Services, Enrollment Services, and Facilities Management. PCI-DSS Payment Card Industry Data Security Standard is a set of comprehensive requirements for enhancing payment card data security. Compliance with the PCI DSS helps to alleviate vulnerabilities that put cardholder data at risk. Server A server is any computer or device connected to the network that manages resources for other users. Examples include file, print, Web, application and database servers. Unit Head A unit head is the administrative employee responsible for the operations of an organizational unit. A unit head can be a dean of a school or the director of a department or division. VCU Information Information in paper, electronic or oral form that is collected, generated, transmitted, processed or stored by a VCU employee, consultant, contractor or other affiliate in the course of their work and is used to support the academic, research, patient care or administrative operations in VCU. Information Security - 2 - Approved: 08/10/2015

Contacts VCU Office of Technology Services officially interprets this policy. VCU Office of Technology Services is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to Office of Technology Services. Policy Specifics and Procedures Information Security Program Based on sensitivity and risk, the VCU information security program is established to protect VCU information and information assets, which includes: Physical protection of information processing facilities and equipment. Maintenance of application and data integrity. Assurance that information systems perform their critical functions correctly, in a timely manner, and under adequate controls. Protection against unauthorized access to information, information systems and protection against unauthorized disclosure of information. Assurance of the continued availability of reliable and critical information. The VCU Information Security Program addresses information security from three distinct perspectives: 1. Information Confidentiality: Certain information that is collected, generated, processed, transmitted or stored by University academic, research, patient care and administrative operations is protected by various industry and legal regulations, such as FERPA, HIPAA, Code of VA, and PCI-DSS among others. Information protected under such regulations must be kept confidential and protected from unauthorized disclosure and access. Failure to protect this information can result in legal, financial and reputational damage to the University and our own selves. 2. Information Integrity: Information entered, processed, stored, generated, or disseminated by information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside of VCU. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of VCU programs, violating individual rights to privacy, violating copyrights, triggering financial and reputational damage to the University, or facing criminal or civil penalties 3. Information Availability: Many academic, research, patient care and administrative operations within the University are fully dependent upon the availability of information technology services to perform and support their daily functions. The interruptions, disruption, Information Security - 3 - Approved: 08/10/2015

or loss of information technology services may adversely affect VCU's ability to administer programs and provide services. The effects of such risks must be minimized. Information Classification and Protection In order to successfully implement the information security program, VCU shall classify its information based on sensitivity and risk. VCU shall then apply reasonable and proportionate security protection to safeguard the confidentiality, integrity and availability of this information. The following items are applicable to organizational units. Each organizational unit in VCU is responsible for the classification of the VCU information managed by the unit according to sensitivity and risk. Classification of information will follow the requirements delineated in the VCU Data Classification Standard. Each individual who handles or stores VCU information is expected to follow all applicable laws, regulations, policies, including but not limited to the VCU Information Security Standards and any associated procedures and baselines when generating, accessing, processing, transmitting, storing and deleting VCU information. Each individual who handles or stores VCU information is expected to follow reasonable and proportionate care to safeguard such information from any misuse, loss or theft, including but not limited to unauthorized access, modification and deletion. Each individual who handles or stores VCU information is expected to report any observed misuse, loss or theft of such information or assets containing such information to the VCU Information Security Office in a prompt manner and without unreasonable delay. Each individual who handles or stores VCU information is expected to exercise reasonable and proportionate care to ensure the accuracy, completeness, and integrity of such information. Unit head of each organizational unit is ultimately responsible for the confidentiality, integrity, and security of VCU information managed by the unit. Reporting, investigation and resolution of violations Any faculty member, staff member, student, visitor or contractor who suspects a violation of the Information Security Policy is expected to report the suspected violation to the office or department where the suspected violation occurs, the Integrity and Compliance Office or the VCU Helpline, or to the Chief Information Officer. The office or department initially receiving this information is expected to report all suspected violations without any unreasonable delay to the Chief Information Officer. The office or department is also expected to safeguard and forward all available paper and electronic material related to the suspected violation to the Chief Information Officer. If a suspected violation involves an immediate perceived danger or threat, or a suspected violation of law, the employee of the office or department initially receiving the information is expected to notify and report the incident to the VCU Police Department immediately. Information Security - 4 - Approved: 08/10/2015

All violations of the Information Security Policy will be perceived and treated as violations of the Computer and Network Use policy and will follow the same investigation and resolution procedures documented in the Computer and Network Resource Use Policy. Forms Related Documents Revision History 1. Information Security Policy Exception Form 1. VCU Information Security Standard 2. VCU Data Classification Standard 3. VCU Computer and Network Use Policy This policy supersedes the following archived policies: FAQs 9/30/2009 Information Security Policy 08/10/2015 Information Security 1. I am not an employee of VCU, does this policy still apply to me? The VCU Information Security policy and associated standards applies to VCU information. Therefore, any personnel who handle VCU information must read, understand and abide by the information security policies and standards. Information Security - 5 - Approved: 08/10/2015

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information