DOCUMENT INFORMATION

VCSATS Policy Number: VCSATSP 100-100
Title: Restricted Data Access Policy
Policy Owner: Director Technology Services
Effective Date: 2/1/2014
Revision: 4.0

TABLE OF CONTENTS

DOCUMENT INFORMATION ... 1
TABLE OF CONTENTS ... 1
1. PURPOSE ... 2
2. SCOPE ... 2
3. RESPONSIBILITIES ... 2
4. REFERENCES ... 2
5. DEFINITIONS ... 3
6. POLICY ... 5
6.1 Management of this Policy ... 5
6.2 Proper Use ... 5
6.3 Administration and Configuration of Controls for Users and Technology Accessing Restricted Data ... 6
6.4 Device Security ... 8
6.5 Service Provider Management ... 8
7. ENFORCEMENT ... 8
8. COMPLIANCE REFERENCE INDEX ... 9
9. HISTORY ... 9

Page 1 of 9
1. PURPOSE

Unauthorized access, breach of confidentiality, loss of integrity, disruption of availability, and other risks threaten VCSATS resources. This policy protects VCSATS resources by establishing rules that reduce exposure of those resources to threats [45 C.F.R. 164.514(d)(2)(ii)].

2. SCOPE

This policy applies to all systems owned or maintained by Vice Chancellor Student Affairs that process, store or make readable Restricted Data.

3. RESPONSIBILITIES

TABLE 1 - ROLES AND RESPONSIBILITIES

Role                           Responsibility
Director Technology Services   Review and approve changes to this document.
Infrastructure Manager         Oversee the performance of this process.
                               Ensure this document remains current and is updated whenever changes to the process occur.
                               Ensure execution of duties described in sections 6.1 Management of this Policy, 6.3 Administration and Configuration of Controls for Users and Technology Accessing Restricted Data, 6.4 Device Security, and 6.5 Service Provider Management.
Critical Technology Users      Adhere to this policy and related work instructions.

4. REFERENCES

TABLE 2 - REFERENCES

Reference                         Location
VCSATSP 100-010 Policy Guidance   VCSATS Policy Center
5. DEFINITIONS

The terms and definitions found in VCSATSP 100-010 Policy Guidance, as referenced in section 4 References, shall apply, unless a term is expressly defined here. The scope of every term expressly defined in this section is limited to this document.

TABLE 3 - LOCAL DEFINITIONS

Term, Abbreviation, Acronym: Acceptable Network Location
Definition: Acceptable Network Locations include the VCSA network or approved technology for remotely accessing the VCSA network, including but not limited to VPN and Outlook Web App. Examples of using Critical Technology through unacceptable network locations include non-VCSA TS-issued laptops/tablets/phones via public wifi or accessing the Environment from a public computer outside of UCR grounds, buildings, and offices.

Term, Abbreviation, Acronym: Critical Technologies
Definition: Critical Technologies are those that access the Environment (as defined below). If a technology does not access the Environment, it is not considered Critical Technology. For example, removable electronic media that does not have access to the Environment is not considered Critical Technology. Examples of Critical Technologies include, but are not limited to, remote access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), smartphones, email, and internet.

Term, Abbreviation, Acronym: Critical Technology Users
Definition: All personnel, including full-time employees, part-time employees, temporary employees/personnel, contractors, consultants, vendors and business partners who are resident on the UCR campus or otherwise have access to the Environment.

Term, Abbreviation, Acronym: Environment
Definition: For the purposes of this policy, Environment refers to any and all Restricted Data environments within VCSA.

Term, Abbreviation, Acronym: Remote Access
Definition: Network-level access originating from outside of the VCSA network.

Term, Abbreviation, Acronym: Service Provider
Definition: A third party or outsourced supplier:
  - with access to the Environment; or
  - who sends or receives Restricted Data as part of a service.

Term, Abbreviation, Acronym: User access to Restricted data
Definition: This term includes, but is not limited to, the following:
  - Use of Restricted data which meets the HIPAA definition of Limited Data Set
  - Use of Restricted data
  - Disclosure of Restricted data
  - Requests for Restricted data
6. POLICY

6.1 Management of this Policy

6.1.1 This policy shall be published to all users who access or may access Restricted Data, including but not limited to Critical Technology Users as defined in Table 3 - Local Definitions.

6.2 Proper Use

6.2.1 User access to Restricted data, as defined in Section 5, shall only be provided when all of the following conditions are met [45 C.F.R. 164.514(d)(2)(ii), 45 C.F.R. 164.514(d)(3), 45 C.F.R. 164.514(d)(5), 45 C.F.R. 164.514(e)]:

6.2.1.1 Access to the Restricted data is necessary for the user to perform assigned duties [45 C.F.R. 164.514(d)(2)(i)(A), PCI DSS 7.1].

6.2.1.2 Access to the Restricted data is based on conditions appropriate to such access [45 C.F.R. 164.514(d)(2)(i)(B)].

6.2.1.3 The conditional access to the Restricted data is documented and approved by the appropriate Privacy Officer, Managed Services Officer, and/or Data Owner.

6.2.1.4 The privileges necessary to access the Restricted data are documented and approved by the Infrastructure Manager, appropriate Privacy Officer, Managed Services Officer, and/or Data Owner.

6.2.2 Proper Use of Critical Technologies:

6.2.2.1 Critical Technologies must be used for VCSA business only. They may not be used for personal reasons.

6.2.2.2 Critical Technologies may not be shared. Examples of prohibited sharing include lending your phone to others if it is synced to the Environment and allowing others to use your logged-in session without oversight.

6.2.2.3 Explicit approval must be provided by the Infrastructure Manager and any other authorized parties, with evidence vaulted, and the intended/acceptable user of the Critical Technology documented prior to using Critical Technology [PCI DSS 12.3.1, PCI DSS 12.3.5]. This is to be done in a manner consistent with Section 6.2.1.
6.2.3 All copy, move, and storage of cardholder data onto local hard drives and removable electronic media while remotely accessing the Restricted environment is prohibited unless explicitly authorized for a defined business need [PCI DSS 12.3.10 (a)].

6.2.4 Initiate sessions to the Restricted environment only when necessary. Terminate the session once there is no longer an immediate need to access the Restricted environment.

6.2.5 Devices must be screen-locked when leaving a workstation.

6.3 Administration and Configuration of Controls for Users and Technology Accessing Restricted Data

6.3.1 An access control system shall be in place for systems with multiple users to restrict access to Restricted data based on a user's job function and need to know, and shall be set to deny all unless specifically allowed, as follows [PCI DSS 7.1.4, PCI DSS 7.2]:

6.3.1.1 Access control systems shall be in place on all system components [PCI DSS 7.2.1].

6.3.1.2 Access control systems shall be configured to enforce privileges assigned to individuals based on job classification and function [PCI DSS 7.2.2].

6.3.1.3 Access control systems shall have a default deny-all setting [PCI DSS 7.2.3].

6.3.2 Users shall be assigned a unique ID before receiving access to system components or Restricted data [PCI DSS 8.1].

6.3.3 In addition to assigning a unique ID, one or more of the following methods shall be employed to authenticate all users, including but not limited to users of Critical Technology [PCI DSS 8.2, PCI DSS 12.3.3]:

6.3.3.1 Something the user knows, such as a password or passphrase

6.3.3.2 Something the user has, such as a token device or smart card

6.3.3.3 Something the user is, such as a biometric

6.3.4 Group, shared, and generic accounts/passwords/other authentication methods are expressly prohibited [PCI DSS 8.5.8]:

6.3.4.1 Generic user IDs and accounts shall be disabled or removed.

6.3.4.2 Shared user IDs for system administration activities and other critical functions shall not exist.

6.3.4.3 Shared and generic user IDs shall not be used to administer any system components.
6.3.5 Controls shall be implemented to protect databases that access or store Restricted data.

6.3.5.1 All access to any database containing Restricted data shall be authenticated consistent with the full set of instructions in this policy. This includes access by applications, administrators, and all other users [PCI DSS 8.5.16 (a)].

6.3.5.2 All user access to, user queries of, and user actions on a database containing Restricted data shall be through programmatic methods only (for example, through stored procedures) [PCI DSS 8.5.16 (b)].

6.3.5.3 The ability for a user to directly access or query a database containing Restricted data shall be limited to database administrators [PCI DSS 8.5.16 (c)].

6.3.5.4 Application IDs with database access shall only be able to be used by the intended applications and not by individual users or other processes [PCI DSS 8.5.16 (d)].

6.3.6 Controls shall be implemented for Critical Technologies to protect Restricted data and environments as follows:

6.3.6.1 Use of Critical Technology must require authentication in a manner consistent with the full set of instructions in this policy [PCI DSS 8.3, PCI DSS 12.3.2].

6.3.6.1.1 Software and devices, including phones and laptops, must be configured to require a password to access the device.

6.3.6.1.2 Networks and systems must be configured to require two-factor authentication to remotely access the Environment.

6.3.6.1.3 Service accounts (non-human) are exempt from the two-factor authentication requirement.

6.3.6.2 Critical Technologies shall only be used with Acceptable Network Locations [PCI DSS 12.3.6].

6.3.6.2.1 Devices that have the ability to be configured to automatically connect to network locations shall be configured to disable automatic connection to network locations other than Acceptable Network Locations.

6.3.6.3 Sessions for remote access to the Environment shall time out after a period of inactivity [PCI DSS 12.3.8].
6.3.6.4 Critical Technologies used by vendors and business partners to remotely access the Environment shall be activated only when needed and shall be immediately deactivated after use [PCI DSS 12.3.9].

6.3.6.5 Critical Technologies used by vendors and business partners to remotely access the Environment shall be monitored when in use [PCI DSS 8.5.6].

6.4 Device Security

6.4.1 A list of all Critical Technology shall be maintained, including [PCI DSS 12.3.3]:

6.4.1.1 All devices using or constituting Critical Technology [PCI DSS 12.3.3].

6.4.1.2 All personnel authorized to use the devices [PCI DSS 12.3.3].

6.4.2 All handheld devices using or constituting Critical Technology shall be enabled to automatically lock out after a long idle period [PCI DSS 9.1.3].

6.4.3 All handheld devices using or constituting Critical Technology shall be configured to require a password when powering on [PCI DSS 9.1.3].

6.4.4 All devices using or constituting Critical Technology shall be labeled in accordance with VCSATSP 100-170 Physical Security of Restricted Data [PCI DSS 12.3.4].

6.5 Service Provider Management

6.5.1 An agreement must be in place and approved in written form by UCR Purchasing and a director from either UCR C&C or VCSATS [PCI DSS 12.8.2].

6.5.1.1 The agreement must include an acknowledgement that the service provider is responsible for the security of Restricted Data in their possession [PCI DSS 12.8.2].

6.5.2 A list of service providers shall be maintained [PCI DSS 12.8.1].

6.5.3 Evidence of Service Provider compliance status shall be vaulted as required for [PCI DSS 12.8.4]:

6.5.3.1 PCI DSS

6.5.3.2 HIPAA

6.5.3.3 Other applicable regulatory or contractual requirements.

7. ENFORCEMENT

Any employee found to have violated this work instruction may be subject to disciplinary action.
8. COMPLIANCE REFERENCE INDEX

45 C.F.R. 164.514(d)(2)(i)(A) ... 5
45 C.F.R. 164.514(d)(2)(i)(B) ... 5
45 C.F.R. 164.514(d)(2)(ii) ... 2, 5
45 C.F.R. 164.514(d)(3) ... 5
45 C.F.R. 164.514(d)(5) ... 5
45 C.F.R. 164.514(e) ... 5
PCI DSS 12.3.1 ... 5
PCI DSS 12.3.10 (a) ... 6
PCI DSS 12.3.2 ... 7
PCI DSS 12.3.3 ... 6, 8
PCI DSS 12.3.4 ... 8
PCI DSS 12.3.5 ... 5
PCI DSS 12.3.6 ... 7
PCI DSS 12.3.8 ... 7
PCI DSS 12.3.9 ... 8
PCI DSS 12.8.1 ... 8
PCI DSS 12.8.2 ... 8
PCI DSS 12.8.4 ... 8
PCI DSS 7.1 ... 5
PCI DSS 7.1.4 ... 6
PCI DSS 7.2 ... 6
PCI DSS 7.2.1 ... 6
PCI DSS 7.2.2 ... 6
PCI DSS 7.2.3 ... 6
PCI DSS 8.1 ... 6
PCI DSS 8.2 ... 6
PCI DSS 8.3 ... 7
PCI DSS 8.5.16 (a) ... 7
PCI DSS 8.5.16 (b) ... 7
PCI DSS 8.5.16 (c) ... 7
PCI DSS 8.5.16 (d) ... 7
PCI DSS 8.5.6 ... 8
PCI DSS 8.5.8 ... 6
PCI DSS 9.1.3 ... 8

9. HISTORY

FogBugz Case                                              Description of Changes
1490                                                      Create initial version of this Policy.
5323, 5324                                                Requested approval for version 1.0 of this policy. (Not Approved)
6795, 6796                                                Requested approval for version 2.0 of this policy.
8270, 8311, 8314, 8315, 8317, 8407, 8409, 8504, 8788      Added support for 45 C.F.R. 164.514, PCI DSS Requirements 7, 8, 9 and 12.
8916, 8917                                                Requested approval for version 2.0 of this policy.
15518                                                     Added sections 6.2.4 and 6.2.5.
15878, 15979                                              Requested approval for version 4.0 of this policy.