Rowan University IT ACQUISITION POLICY

Similar documents
ACCEPTABLE USE POLICY

Rowan University Data Governance Policy

Health Sciences Compliance Plan

Security Awareness Training Policy

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Protection of Clients' Personal Health Information G & G LIVING CENTERS, INC.'s Privacy Practices

RESPONSIBLE COMPUTER USE POLICY (ADOPTED AUGUST 3, 2006)

Virginia Commonwealth University School of Medicine Information Security Standard

Information Security Policy

NMSU Procedural Guidelines (Policy Security Cameras on University Premises)

RUTGERS POLICY. Policy Name: Standards for Privacy of Individually Identifiable Health Information

ROWAN UNIVERSITY POLICY

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Virginia Commonwealth University Information Security Standard

Healthcare Compliance and Hybrid Entity Designation

UNIVERSITY HOSPITAL POLICY

ARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES

College of DuPage Information Technology. Information Security Plan

Information Security Program

FSIS DIRECTIVE

SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS

II-105 Acceptable Use of Information Resources

2/3/2015 DATA GOVERNANCE AND FERPA FOUR THINGS YOU CAN DO RIGHT NOW

Virginia Commonwealth University School of Medicine Information Security Standard

California State University, Sacramento INFORMATION SECURITY PROGRAM

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Information Resources Security Guidelines

Approved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA Training For Research Investigators and Study Staff

How To Manage Information Security At A University

HIPAA BUSINESS ASSOCIATE ADDENDUM

Executive Memorandum No. 27

SCDA and SCDA Member Benefits Group

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Policy on Privileged Access

DATA SECURITY AGREEMENT. Addendum # to Contract #

Document Title: System Administrator Policy

Information Security Policy

OLYMPIC COLLEGE POLICY

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

The statements in this policy document establish HEALTHeLINK's expectations with respect to incident management.

PII Personally Identifiable Information Training and Fraud Prevention

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Contact: Henry Torres, (870)

Cloud Computing Policy 1.0 INTRODUCTION 2.0 PURPOSE. Effective Date: July 28, 2015

Vulnerability Management Policy

Institutional Data Management and Systems Acquisition

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

BUSINESS ASSOCIATE AGREEMENT

Policy # 5.58 SOUTHERN UTAH UNIVERSITY Date Approved: 01/13/12

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

ADMINISTRATIVE POLICY # (2014) Information Security Roles and Responsibilities

PROTECTED HEALTH INFORMATION

The Federal Financial Management Improvement Act (C)

SOCIAL MEDIA AND POLICY FOR SCHOOL OF MEDICINE AND HEALTH SCIENCES

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

BUSINESS ASSOCIATE AGREEMENT

INSTITUTIONAL COMPLIANCE PLAN

Cardiology Consultants of Atlanta, P.C N. Decatur Rd. Suite 395, Decatur GA, (404) phone (678) fax

ALLINA HOSPITALS & CLINICS System-wide Policy

Definitions: Policy: Duties and Responsibilities: The Privacy Officer will have the following responsibilities and duties:

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

Business Associate Agreement Involving the Access to Protected Health Information

Information Security Policy

Information Security Operational Procedures Banner Student Information System Security Policy

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

Institutional Data Governance Policy

BUSINESS ASSOCIATE AGREEMENT. Recitals

COMPLIANCE WITH LAWS AND REGULATIONS (CLR)

Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Policy and Guidelines for Personal Use of Social Media*

HIPAA Employee Training Guide. Revision Date: April 11, 2015

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA S BUSINESS ASSOCIATE REQUIREMENTS FOR PATHOLOGISTS AND LABORATORIES

Acceptable Use and Security of UBC Electronic Information and Systems

HIPAA PRIVACY AND SECURITY AWARENESS

7.0 Information Security Protections The aggregation and analysis of large collections of data and the development

Marist College. Information Security Policy

Cal Poly Information Security Program

University of Maryland Baltimore Information Technology Acceptable Use Policy

Model Business Associate Agreement

MSO/IPA Compliance Program

Table of Contents. Miami University Page 2

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

General HIPAA Implementation FAQ

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Purchase College Information Security Program Charter January 2008

University of Wisconsin-Madison Policy and Procedure

Bates Technical College. Information Technology Acceptable Use Policy

Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS

Transcription:

Rowan University IT ACQUISITION POLICY Effective: January 2014 Data Governance: IT Acquisition Policy Page 1 of 6

IT ACQUISITION POLICY Title: Data Governance: IT Acquisition Policy Subject: Information Resources and Technology Policy No: CIO: 2013:02 Applies: University-wide Issuing Authority: Vice President for Information Resources and Chief Information Officer Responsible Officer: Vice President for Information Resources and Chief Information Officer Date Adopted: 12-02-2013 Last Revision: 12-02-2013 Last Review: I. PURPOSE A. This policy sets forth the process for the approval and acquisition of all Information Technology (IT) including, but not limited to software, hardware, IT consulting, and IT services. II. ACCOUNTABILITY A. Under the direction of the Chief Information Officer, Rowan University management shall implement and ensure compliance with this policy. III. APPLICABILITY A. This policy applies to all members of the Rowan community who seek to acquire IT Resources using University funds, including grant funds from contracts and/or transmittal forms between the University and external funding sources (public and private), are covered by this policy. IV. DEFINITIONS A. Academic IT Resources any software, hardware, IT consulting or IT services that is used to support users (faculty and students) in their teaching, learning, and research activities. Academic IT Resources can be distributed and accessed locally or through the cloud. B. Administrative IT Resources any software, hardware, IT consulting or IT services that is used as an ancillary system in support of Rowan University s Enterprise Relationship Management system (Ellucian s Banner System), whether to augment or replace specific functions with best-of-breed niche products. Data Governance: IT Acquisition Policy Page 2 of 6

C. Clinical IT Resources any software, hardware, IT consulting or IT services that allows the user to enter patient specific information, and using formulae or other forms of analysis based on clinical information, glean from that information a patient-specific diagnosis or treatment recommendation that is used to assist in making a clinical decision. D. Software computer programs that direct the operation of a computer or processing electronic data. E. Hardware computer devices that use, process, store, or transmit electronic information. F. IT Consulting a third party used to provide IT consulting services including system design, planning, auditing, and/or advisory services. G. IT Services a third party used to provide any other IT services, not classified as IT consulting, including IT management, hosting, repair, installation, maintenance, etc. H. Information Resources and Technology (IRT) the Rowan University department responsible for the governance of all information and technology. I. Rowan University IT Purchasers faculty, staff, non-employees, students, attending physicians, contractors, covered entities, agents, and any other third parties of Rowan. J. FERPA - The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects students' privacy by prohibiting disclosure of education records without adult consent. K. GLBA - The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that institutions deal with the private information of individuals. L. HIPAA The Health Insurance Portability and Accountability Act (HIPAA) is the federal law passed by Congress in 1996 that requires the protection and confidential handling of protected health information V. REFERENCES A. Data Governance Policy VI. POLICY A. Rowan University wants to ensure that we are meeting our responsibilities as IT users by guaranteeing that all IT Resources purchased within Rowan University are compatible with Rowan s information technology (IT) and in compliance with security requirements and regulations. IT purchasing can be an intricate process involving obscure terminology and possible legal or financial obligations for you and the University. Accordingly, prospective purchasers will obtain consultation and approval from Information Resources and Technology personnel who are familiar with these details, and who routinely implement and manage these IT Resources. B. Requirements: Data Governance: IT Acquisition Policy Page 3 of 6

1. All IT acquisitions by academic, administrative, and clinical departments will require approval for purchase from the Office of IRT (Information Resources and Technology) since IT Resources: a. May be used by more than a single individual and/or have the likely potential for the same or b. May need to interface with other University IT Resources or c. May be used to process, store, or transmit University data. 2. The IT purchaser is responsible for obtaining all funds needed to purchase, install, and maintain the IT Resource for current and future costs. These funds will be transferred into the IRT budget via yearly DCA transfers (or other means as needed). The transfers will cover all cost, including: C. Responsibilities: D. Procedures a. The internal cost to install the IT Resource(s). b. Any consulting required configuring or maintaining the IT Resource(s). c. Any additional cost for bandwidth and storage. d. Ongoing annual maintenance, licensing, and fees. e. Any additional cost to properly protect University data. 1. IT purchasers will submit IT acquisition requests, and make themselves available during the IT evaluation process to answer questions. IT purchasers are required to notify IRT of any changes and/or cancellations prior to the renewal of IT Resources. IT purchasers are required to complete DCAs within 10 days of notice from ITR so that funds are available to IRT to purchase or maintain IT Resources. 2. IRT functional leaders (or relevant committees) will evaluate each IT acquisition request and recommend approvals to the CIO within a reasonable time frame 1. Requests for the acquisition of IT Resources will be submitted to the Office of IRT via the University s On-line IT Acquisition Form available as an option in the Finance section of Banner Self Service. 2. Academic IT Resources a. IRT functional leaders will review the request based upon the information provided in the on-line form s Justification section along with the following criteria: Can the University: Utilize concurrent licensing to eliminate wasteful per-workstation license costs and only purchase based on actual monitored need. Data Governance: IT Acquisition Policy Page 4 of 6

Where concurrent licensing is not available from a necessary vendor, leverage all individual licenses into one master agreement. Utilize existing University-licensed software (or other IT Resources) for the request to achieve similar functionality. Utilize open sources or other lower cost alternatives if they provide similar functionality. b. Office of IRT will complete their section of the University s On-line IT Acquisition Form within 10 business days of its receipt. c. All academic IT purchases must meet security requirements including but not limited to FERPA, GLBA, and HIPAA. 3. Administrative IT Resources a. IRT functional leaders meet with the requesting office to review the request based upon the following criteria: Does this IT Resource provide functionality that currently exists in other administrative IT Resources the University already licenses? Does the proposed IT Resource need to interface to existing administrative IT Resources that the University already supports? Will the proposed IT Resource contain data that the University will need to report upon via the Office of IERP? Area all offices that may be impacted as a result of implementing such IT Resource fully informed of the IT Resource s potential impact on their operations? Assess all cost associated with IRT continuous support of the IT Resource(s). Assess percentage of improvement to current processes in cases where Rowan does not have full capability requested. b. If the CIO determines that it is in the best interest of the University (based upon the recommendations by the IRT leadership team), to purchase the IT Resource requested, the requesting office will be so informed. Prior to actual acquisition, the appropriate staff will work with the requesting office to fully develop an IT Resource implementation and support plan. IRT staff will meet with the requesting office, other impacted offices, and vendor representatives, to develop a proposed implementation and support plan. As part of this IT Resource implementation planning process the IRT staff will assess the maturity of the IT Resource for inclusion within the University s production IT environment. The final plan will take into consideration the vendor s roadmap for updated releases to ensure the IT Resource version purchased is indeed production ready. Only when the Office of IRT has approved the proposed plans will approval be granted for the IT acquisition. These plans will include the proposed project team, which will include the Assistant Director of Enterprise Information Services who will represent IRT on the project team and serve as the technical project lead. Data Governance: IT Acquisition Policy Page 5 of 6

c. All administrative IT purchases must meet security and compliance requirements including but not limited to FERPA, GLBA, and HIPAA. 4. Clinical IT Resources a. IRT functional leaders and Clinical System staff will: Review the IT acquisition request and discuss with the requesting office. Complete a Feasibility Analysis to identify current and future operational processes and problems, requirements (business, application, hardware, network, resources, etc.), training, funding, and on-going support needs. Present Feasibility Analysis to RowanSOM Clinical Governance Committee for review. Governance Committee will determine if project should be funded and when the IT Resource will be implemented based on project prioritize criteria. Notify the requesting department of the outcome. b. All clinical IT purchases must meet security requirements including but not limited to FERPA, GLBA, and HIPAA. VII. NON-COMPLIANCE AND SANCTIONS A. Violations of this policy may require the removal of any unapproved IT Resources at the purchaser s expense and possible disciplinary action. By Direction of the CIO: Mira Lalovic-Hand Vice President and CIO Division of Information Resources and Technology Data Governance: IT Acquisition Policy Page 6 of 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information