PROTECTION BY DATA CLASSIFICATION SECURITY STANDARD

Similar documents
Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI.

BERKELEY COLLEGE DATA SECURITY POLICY

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

Virginia Commonwealth University School of Medicine Information Security Standard

Statement of Policy. Reason for Policy

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Retention & Destruction

Information Security Policy

Pierce County Policy on Computer Use and Information Systems

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Preservation and Production of Electronic Records

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

HIPAA Security Alert

Information Technology (IT) Security Guidelines for External Companies

Approved By: Agency Name Management

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Western Oregon University Information Security Manual v1.6

SAFEGUARDING PROTECTED HEALTH INFORMATION (PHI): FOCUS POINTS FOR OFFSITE TRANSCRIPTIONISTS

ICT Policies & Procedures

Payment Cardholder Data Handling Procedures (required to accept any credit card payments)

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

How To Protect A Hampden County Hmis From Being Hacked

Administrators Guide Multi User Systems. Calendar Year

Volume UC DAVIS HEALTH SYSTEM. HIPAA Security Compliance Workbook. Multi User Guide

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

Order. Directive Number: IM Stephen E. Barber Chief Management Officer

System Security Plan University of Texas Health Science Center School of Public Health

HIPAA Training for Hospice Staff and Volunteers

Cyber Self Assessment

INFORMATION SECURITY POLICY

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Data Management Policies. Sage ERP Online

HIPAA 101: Privacy and Security Basics

CHIS, Inc. Privacy General Guidelines

LSE PCI-DSS Cardholder Data Environments Information Security Policy

HIPAA Training for Staff and Volunteers

PHI- Protected Health Information

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

Information Technology Acceptable Use Policies and Procedures

Appropriate Use Policy Technology & Information

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

OIT OPERATIONAL PROCEDURE

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

Other terms are defined in the Providence Privacy and Security Glossary

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

2014 Core Training 1

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

Volume UC DAVIS HEALTH SYSTEM. HIPAA Security Compliance Workbook. Single - User Guide

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

PCI Data Security and Classification Standards Summary

Information Resources Security Guidelines

How To Write A Health Care Security Rule For A University

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Information Circular

Cellular/Smart Phone Use Procedure

HIPAA: Bigger and More Annoying

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

plantemoran.com What School Personnel Administrators Need to know

FDOH Information and Privacy Awareness Training Learner Course Guide

Health Insurance Portability and Accountability Act (HIPAA) Overview

C.T. Hellmuth & Associates, Inc.

How To Protect Data At Northeast Alabama Community College

Department of Health and Human Services Policy ADMN 004, Attachment A

MCOLES Information and Tracking Network. Security Policy. Version 2.0

How To Protect Decd Information From Harm

Legal and statutory obligations, in particular under the Data Protection Act, will be followed, whatever the protective marking used.

Supplier Information Security Addendum for GE Restricted Data

MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY

Smith College Information Security Risk Assessment Checklist

CITY UNIVERSITY OF HONG KONG. Information Classification and

HIPAA Security Education. Updated May 2016

Information Security Policy

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

OF MICHIGAN HEALTH SYSTEM

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

By the end of this course you will demonstrate:

Why do we need to protect our information? What happens if we don t?

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

HIPAA Auditing Tool. Department: Site Location: Visit Date:

HIPAA Awareness Training

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Transcription:

PROTECTION BY DATA CLASSIFICATION SECURITY STANDARD Security Standards are mandatory security rules applicable to the defined scope with respect to the subject. Overview Scope Purpose Information must be protected according to its sensitivity, criticality, and value, whether it is printed, stored, or transmitted. All elements of protection need to be taken into consideration, which include but are not limited to: desktops, servers, networking equipment, filing cabinets, fax machines, voice mail, paper, etc. Information resources need protection from unauthorized access, modification, disclosure, or destruction. Data classification with protection requirements communicate the specific expectations. All departments, offices, and schools are responsible for UTHSCSA s information resources and must protect information according to its importance. UTHSCSA s data classifications create a framework of information categories for evaluating the information s relative value and defining appropriate controls for protection by this security standard. When evaluating data that may have overlapping classifications based on data and circumstances, the document should be rated at the higher classification. The data owner, with support from the data custodian, is ultimately responsible for assigning data classifications. This standard applies to all applicable documents and data created or modified after the effective date of this standard. Other documents, data, records, etc., may be classified as time permits. The purpose of this document is to communicate protection for information resources based on UTHSCSA s Data Classification Policy. It is the responsibility of all UTHSCSA departments, offices, and schools to protect the information based on the requirements outlined in this document. In all cases, reasonable precautions and protections should be taken, regardless of classification. UTHSCSA Data Classification Internal Use only Page 1

Protection Definition Examples Information that is widely available to the public through publications, pamphlets, web content, and other distribution methods Patient brochures, news releases, pamphlets, web sites, marketing materials Routine operational information requiring no special measures to protect from unauthorized access, modifications, or disclosure, but not widely available to the public Routine correspondence, employee newsletters, internal phone directories, inter-office memoranda, internal policies & procedures Confidential or sensitive information that would not necessarily, due to Federal or State law, expose the University to significant loss, but the data owner has determined security measures are needed to protect from unauthorized access, modifications, or disclosure Intellectual property licensed and/or under development, contract research protocols, records, department financial data, purchasing information, vendor contracts, system configurations, system logs, risk reports Information requiring the highest levels of protection because disclosure is likely to result in significant adverse impact to the institution (embarrassment, financial loss, sanctions, penalties, etc.) Protected Health Information (PHI), Student Identifiable Information (SII), personnel information, Social Security Numbers; intellectual property licensed and/or under development Marking 1. Documents 1. No restrictions 1. Bottom of every page should be labeled Internal Use Only, whether stored, printed, or transmitted 1. Top of every page should be labeled Confidential whether stored, printed, or transmitted 1. Top and bottom of every page must be marked Confidential whether stored, printed, or transmitted 2. Internally-routed 2. No restrictions 2. No requirements 2. Marked Confidential 2. Marked Confidential envelopes 3. Externally-routed envelopes 3. No restrictions 3. No requirements 3. Contain an internal envelope marked Confidential, but the external envelope should not reflect the sensitivity of the information 3. Contain an internal envelope marked Confidential, but the external envelope must not reflect the sensitivity of the information UTHSCSA Data Classification Internal Use only Page 2

Release Transmission by Spoken Word Examples include conversations, meetings, telephones, cellular phones, voicemail, and answering machines Available to the general public and for distribution outside of the organization No special precautions Intended for use only within the organization May be shared outside the organization only if there is a legitimate business need to know, and is approved by management Reasonable precautions to prevent inadvertent disclosure Access limited to a need-toknow basis and not to be released externally, unless in accordance with specified policies and procedures on release of information When releasing information, sensitivity and protection requirements must be communicated Controls must be in place to prevent unauthorized copying or use of intellectual property Active measures to prevent unauthorized parties from overhearing information Discuss in private setting with lowered voices Avoid conversations in public areas, e.g. elevators, hallways, cafeterias, etc. Avoid proximity to unauthorized listeners Use speaker phone in secure area only Use of cellular telephones discouraged, wired line preferred No public announcements Initiate calls or positively identify the person you are speaking with Access limited to as few persons as possible on a needto-know basis and not to be released externally, unless in accordance with specified policies and procedures on release of information When releasing information, sensitivity and protection requirements must be communicated Controls must be in place to prevent unauthorized copying or use of intellectual property Information is very sensitive and must be closely controlled from creation to destruction Active measures and close control to limit information to as few persons as possible Discuss in enclosed meeting areas only Discussions in public areas prohibited Avoid proximity to unauthorized listeners Use speaker phone in enclosed secure area only, though use is generally discouraged Use of cellular telephones discouraged, wired line preferred No public announcements Initiate calls or positively identify the person you are speaking with UTHSCSA Data Classification Internal Use only Page 3

Transmission by Post 1. Mail within the organization (interoffice) 2. Mail outside of the organization Transmission by facsimile (fax) 1. Ensure appropriate routing information is used (name, address, etc.) 2. Ensure appropriate routing information is used (name, address, etc.) 1. Ensure appropriate routing information is used (name, address, etc.) 2. Ensure appropriate routing information is used (name, address, etc.) 1. Location of fax 1. No special restrictions 1. Located in area not 1. Sealed inter-office envelope marked Confidential. Ensure appropriate routing information is used (name, address, etc.) 2. 1st class mail (minimum requirement). Trackable delivery preferred, e.g. messenger, FedEx,U.S. express or certified, return receipt mail. Ensure appropriate routing information is used (name, address, etc.) 1. Located in area not 2. Handling procedures 2. Reasonable care in dialing 2. Reasonable care in dialing 2. Required Handling: Cover sheet labeled Confidential Procedures to validate transmission to intended recipient, e.g. validated direct dial key, confirmation print out Ensure remote fax machine is being monitored by authorized recipient Removal of received fax immediately If automated, similar controls should be implemented. 1. Sealed inter-office envelope marked Confidential. Notify recipient in advance. Ensure appropriate routing information is used (name, address, etc.) 2. Trackable delivery, e.g., messenger, FedEx, DHL, U.S. express or certified, return receipt mail. Ensure appropriate routing information is used (name, address, etc.) 1. Located in area not and/or unauthorized persons 2. Required Handling Coversheet labeled Confidential Preferred telephone notification prior to transmission and subsequent telephone confirmation of receipt Ensure remote fax machine is being monitored by authorized recipient Removal of received fax immediately If automated, similar controls must be implemented UTHSCSA Data Classification Internal Use only Page 4

Transmission to Printer 1. Location of Printer 1. No special restrictions 1. Located in area not 2. Handling 2. No special restrictions 2. Reasonable care in validating printer location Transmissions Internally 1. E-mail within the organization Transmissions Externally (IM, email, Chat, file transmission, etc.) 1. Data transfers (file transmissions, website, etc.) 2. E-mail outside of the organization 1. No special handling 1. No special handling, but reasonable precautions should be taken 1. No special precautions are 1. Encryption is recommended but not 2. No special handling 2. No special handling, but reasonable precautions should be taken 1. Located in area not 2. Required Handling: Ensure device is being monitored by authorized individual Removal of printed material immediately 1. Use of e-mail to transfer confidential information is discouraged. Forwarding only allowed by data owner 1. Encryption is when sending information over the Internet 2. Use of e-mail strongly discouraged. Consider using encryption. Broadcast to distribution lists is prohibited. Forwarding only allowed by data owner 1. Located in area not and/or unauthorized persons 2. Required Handling: Ensure device is being monitored by authorized individual Removal of printed material immediately 1. Use of e-mail to transfer confidential information is discouraged.. Forwarding only allowed by data owner 1. Encryption is when sending information over the Internet 2. Encryption is. Broadcast to distribution lists is prohibited.. Forwarding only allowed by data owner UTHSCSA Data Classification Internal Use only Page 5

Display/Print Media (Paper, Film, Fiche, Copiers, Scanners, Video, Cameras,etc.) 1. Printed or digital materials 2. Visual (monitors, screens, LCDs, etc,) 1. No special precautions 2. No special precautions Storage 1. Printed materials 1. No special precautions 2. Electronic documents 2. Storage on all drives allowed but access controls must be enforced 3. E-mail 3. No special precautions 4. Portable devices 4. No special precautions Reasonable precautions to prevent inadvertent disclosure 1. Remove and store out of sight of non-employees including all copies. 2. Positioned, shielded or presented to prevent viewing by non-employees. 1. Reasonable precautions to prevent access by nonemployees 2. Storage on all drives allowed but access controls must be enforced 3. Reasonable precautions to prevent access by non-staff & employees 4. Use lockable containers or devices. Where possible use UTHSCSA managed stored encryption solutions Active measures to prevent unauthorized parties from viewing information 1. Remove and store information in a secure location including all copies. 2. Positioned or shielded to prevent unauthorized viewing and use password screen saver, etc. 1. Storage in a secure manner, e.g., secure area, lockable enclosure. Must be locked when unattended 2. Store on secure drives or secure shared drives only. Data should be stored on an internally accessible server, and cannot be stored on a server directly accessible from the Internet, such as a public web server 3. Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials 4. Use lockable containers or devices. Where possible use UTHSCSA managed stored encryption solutions Active measures and close control to limit information to as few persons as possible 1. Remove and store information in a secure location including all copies. 2. Positioned or shielded to prevent unauthorized viewing and use password screen saver, etc. 1. Storage in a lockable enclosure. Must be locked when not in use 2. Storage on secure drives only. Password protection of document preferred. Cannot be stored on an Internet web server; data must be stored on a server that is only accessible internally 3. Store in a secure manner, e.g. password access or reduce to printed format, delete electronic form, and store in accordance with storage of print materials 4. Use lockable containers or devices. Where possible use UTHSCSA managed stored encryption solutions UTHSCSA Data Classification Internal Use only Page 6

5. Storage by business associates (Non- UTHSCSA) 5. No special precautions Destruction (HOP 5.8.22) 1. Destruction 1. No special precautions 2. Location of waste paper bins 2. No special precautions 5. Business agreements and non-disclosure agreements. Secured with lockable enclosures and access controls for only those who have been authorized by UTHSCSA. Annual offsite inspection recommended 1. No special precautions 2. No special precautions 3. Paper recycling 3. Permitted 3. Permitted, but shredding recommended 4. Electronic storage media 4. No special precautions. See HOP 5.8.22 Physical Security (HOP 5.8.27) 1. Workstations 1. Password screen-saver to be used when briefly unattended. Sign-off work stations or terminals when not in use or leaving work 2. Servers 2. Must be located in secured areas with limited access based on job functions 4. No special precautions. See HOP 5.8.22 1. Password screen-saver to be used when briefly unattended. Sign-off work stations or terminals when not in use or leaving work 2. Must be located in secured areas with limited access based on job functions 5. Business agreements and non-disclosure agreements. Secured with lockable enclosures and access controls for only those who have been authorized by UTHSCSA. Annual offsite inspection recommended 1. Destroy in a manner that protects confidentiality 2. Secure area not accessible to unauthorized persons. Information must be shredded prior to disposal 5. Business agreements and non-disclosure agreements. Secured with lockable enclosures and access controls for only those who have been authorized by UTHSCSA. Annual offsite inspection recommended 1. Destroy in a manner that protects confidentiality 2. Secure area not accessible to unauthorized persons. Information must be shredded prior to disposal 3. Prohibited, unless shredded 3. Prohibited unless shredded 4. Methods of destruction must be approved by the Information Security Office. See HOP 5.8.22 1. Password screen-saver to be used when briefly unattended. Sign-off work stations or terminals when not in use or leaving work 2. Must be located in secured areas with limited access based on job functions 4. Methods of destruction must be approved by the Information Security Office. See HOP 5.8.22 1. Password screen-saver to be used when briefly unattended. Sign-off work stations or terminals when not in use or leaving work 2. Must be located in secured areas with limited access based on job functions UTHSCSA Data Classification Internal Use only Page 7

3. Printing 3. No special precautions 4. Office access 4. No special precautions 5. Portable devices: laptops, PDAs, Treos, thumb drives, etc. 5. Computers must not be left unattended at any time without being secured. Places easily accessible by others (hotel, auto, classroom, etc) are not considered secure, thus, lockable solutions are Access Control All access control is determined by the data owner (HOP 5.8.4) 1. General 1. Available to the general public. However, content changes must have access controls which allow only those who are authorized for this job function 2. Internal connection 2. Available to the general public. However, content changes must have access controls which allow only those who are authorized for this job 3. Take reasonable precautions in collecting printed material quickly 4. No special precautions 5. Computers must not be left unattended at any time without being secured. Places easily accessible by others (hotel, auto, classroom, etc) are not considered secure, thus, lockable solutions are 1. Generally available to all staff on a need-to-know basis. Access rights should have checks and balances with no single point of failure 2. Password access control or controlled shares based on general guidance 3. Printing of documents minimized and only when necessary. Unattended printing is permitted only if physical access is used to prevent unauthorized persons from viewing the material being printed 4. Access to areas containing sensitive information must be physically restricted. Sensitive information should be locked when left in an unattended room 5. Computers must not be left unattended at any time without being secured with lockable cables, cabinets, drawers, etc. 1. Must have a business need to know the information. Must have approval of the data owner. Should routinely review access to the information. Access rights should have checks and balances with no single point of failure 2. Password access control or controlled shares based on general guidance 3. Printing of documents when necessary only. Printers must not be left unattended. The person attending the printer must be authorized to examine the information being printed 4. Access to areas containing sensitive information must be physically restricted. Confidential High Risk information must be locked when left in an unattended room 5. Computers must not be left unattended at any time without being secured with lockable cables, cabinets, drawers, etc. 1. Must have a business need to know the information. Must have approval of the data owner. Must routinely review access to the information. Access rights must have checks and balances with no single point of failure 2. Password access control or controlled shares based on general guidance. UTHSCSA managed storage encryption may also be considered UTHSCSA Data Classification Internal Use only Page 8

3. UTHSCSA external connection 3. Available to the general public. However, content changes must have access controls which allow only those who are authorized for this job function 4. Non-UTHSCSA 4. Available to the general public. However, content changes must have access controls which allow only those who are authorized for this job function 3. Prefer encryption via web browser or VPN access with user authentication and managed roles 4. Must be approved by the data owner prior to access. Encryption via web browser or VPN access with user authentication and managed roles 3. Encryption via web browser or VPN access with user authentication and managed roles 4. Business agreements and non-disclosure agreements prior to access. Encryption via web browser or VPN access with user authentication and managed roles 3. Encryption via web browser or VPN access with user authentication and managed roles 4. Business agreements and non-disclosure agreements prior to access. Encryption via web browser or VPN access with user authentication and managed roles UTHSCSA Data Classification Internal Use only Page 9

Backup and Recovery (HOP 5.8.23) Should be backed up monthly and incrementally based on content change Monthly and incremental backups should remain separate processes and labeled accordingly Never overwrite the most recent backups Should be able to restore in a timely manner from a partial disaster or a full disaster as for business operations Backups should be kept in a secured location Backups should be tested regularly to ensure reliability Must comply with records retention requirements Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs Monthly and incremental backups should remain separate processes and labeled accordingly with tracking controls Never overwrite the most recent backups Should be able to restore in a timely manner from a partial disaster or a full disaster as for business operations Backups should be kept in a secured location Backups should be tested regularly to ensure reliability Must comply with records retention requirements Should be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs Monthly and incremental backups should remain separate processes and labeled accordingly with strict tracking controls Never overwrite the most recent backups Should be able to restore in a timely manner from a partial disaster or a full disaster as for business operations Backups should be kept in a secured location Backups should be tested regularly to ensure reliability Access to backups should be controlled and authorized by data owners Courier services must be trusted sources and authorized by data owners Must comply with records retention requirements Must be backed up monthly and incrementally based on information recovery requirements by data owners and business operational needs Monthly and incremental backups must remain separate processes and labeled accordingly with strict tracking controls Never overwrite the most recent backups Must be able to restore in a timely manner from a partial disaster or a full disaster as for business operations Backups must be kept in a secured location Backups must be tested regularly to ensure reliability Access to backups must be controlled and authorized by data owners Courier services must be trusted sources and authorized by data owners Must comply with records retention requirements UTHSCSA Data Classification Internal Use only Page 10

Lost, Disclosed, or Stolen 1. Data 1. No special requirements, but should be restored from a valid backup as soon as possible 2. Physical 2. Notify University Police, 210-567-2800 1. Should be reported to departmental TSRs 2. Notify University Police, 210-567-2800, and departmental TSRs 1. Immediately notify the Information Security Office, 210-567-5900 2. Immediately notify University Police, 210-567-2800, and the Information Security Office, 201-567-5900 1. Immediately notify the Information Security Office, 210-567-5900 2. Immediately notify University Police, 210-567-2800, and the Information Security Office, 201-567-5900 UTHSCSA Data Classification Internal Use only Page 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information