Virginia Commonwealth University School of Medicine Information Security Standard



Similar documents
Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard

Encryption Security Standard

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Information Security Policy

Research Information Security Guideline

Montclair State University. HIPAA Security Policy

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

Contact: Henry Torres, (870)

ONE Mail Direct for Mobile Devices

Supplier Information Security Addendum for GE Restricted Data

Information Security Policy

McAfee Enterprise Mobility Management

Information Security Program

Policy Title: HIPAA Security Awareness and Training

BERKELEY COLLEGE DATA SECURITY POLICY

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Newcastle University Information Security Procedures Version 3

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Responsible Access and Use of Information Technology Resources and Services Policy

Information Security It s Everyone s Responsibility

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Utica College. Information Security Plan

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

HIPAA Security Alert

Appendix H: End User Rules of Behavior

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

State HIPAA Security Policy State of Connecticut

How To Write A Health Care Security Rule For A University

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Use of tablet devices in NHS environments: Good Practice Guideline

Sophos Mobile Control User guide for Apple ios. Product version: 2 Document date: December 2011

UF IT Risk Assessment Standard

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

State of South Carolina Policy Guidance and Training

Information Security Program Management Standard

Supplier IT Security Guide

HIPAA Security COMPLIANCE Checklist For Employers

Antivirus and Malware Prevention Policy and Procedures (Template) Employee Personal Device Use Terms and Conditions (Template)

HIPAA Security Training Manual

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

Table of Contents INTRODUCTION AND PURPOSE 1

Authorized. User Agreement

Central Agency for Information Technology

Policy Title: HIPAA Access Control

NHSmail mobile configuration guide Apple iphone

Statement of Policy. Reason for Policy

SECURITY RISK ASSESSMENT SUMMARY

Certified Secure Computer User

Introduction. PCI DSS Overview

HELPFUL TIPS: MOBILE DEVICE SECURITY

IT Security Standard: Computing Devices

Mobile Devices Security Policy

SAFEGUARDING PRIVACY IN A MOBILE WORKPLACE

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

R345, Information Technology Resource Security 1

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Cyber Self Assessment

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

ICT OPERATING SYSTEM SECURITY CONTROLS POLICY

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Technical Standards for Information Security Measures for the Central Government Computer Systems

PCI Data Security and Classification Standards Summary

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Information Technology Branch Access Control Technical Standard

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

CITY UNIVERSITY OF HONG KONG. Information Classification and

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Overview of the HIPAA Security Rule

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

Identity Theft Prevention Program Compliance Model

Mobile Devices Policy

HIPAA Security Series

Information Security It s Everyone s Responsibility

Terms of use of information and communication technologies at the University of Burgundy

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Transcription:

Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Handheld Mobile Device Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval Date: July 1, 2010 Effective Date: July 1, 2010 Compliance Date: January 1, 2011 Authority: VCU School of Medicine Information Security Manager Review Frequency: Annually, or as needed Revision History: Version Date Revision Issuance 1.0 December 3, 2010 Draft approved by IT Audit Resolution Committee 1.1 June 14, 2010 Modifications related to changes in data classification guidelines 1.2 June 29, 2010 Modifications related to ITARC members feedback Handheld Mobile Device Security Page 1

I. PURPOSE The Mobile Device Security Standard addresses the security and configuration of handheld mobile devices used for business related purposes in the VCU School of Medicine, regardless of ownership. II. III. POLICY Various handheld mobile devices can currently be used to access and store business information through electronic mail and network or local file storage. The information accessed on these devices may be sensitive in nature, and the confidentiality, integrity and security for the sensitive data must be ensured in order to comply with any legal, regulatory and administrative requirements. This document states the minimum security standards with regard to the use of handheld mobile devices for business purposes in the VCU School of Medicine. DEFINITIONS Authorized User An individual who has been granted access to specific data in order to perform his / her assigned duties in the VCU School of Medicine. Confidential and Protected Data Confidential and Protected data are considered the most sensitive, and must be protected with the highest security standards. These data are protected specifically by federal or state law and regulations (e.g. HIPAA, FERPA.) Loss of confidential and protected data can result in long term loss of funding, ranking and reputation for the school, as well as possible legal actions against the University, School, or the data owner. Confidential and protected data are a subset of sensitive data; therefore, all confidential and protected data are also classified as sensitive. Examples include student or employee SSN, date of birth, Electronic Protected Health Information (EPHI), and student grades. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions. Data Owner The Data Owner is the VCU or VCUHS employee responsible for the policy and practice decisions regarding data, and is responsible for evaluating and classifying sensitivity of the data; defining protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs; communicating data protection requirements to the System Owner; defining requirements for access to the data. Direct Wireless Electronic Transmission Direct wireless electronic transmission refers to the wireless peer to peer transmission of data from one device to another device without the use of a third party server or other network communication devices. Examples of such transmission include Handheld Mobile Device Security Page 2

Bluetooth file transmission, WiFi ad-hoc connection, and infrared based file transmission. Handheld Mobile Device Any portable electronic device that fits in its user s palm, and can be used to conduct business computing tasks and store business information. Such devices include but are not limited to, cell phones, PDAs, and other business-oriented handheld devices. NOTE: Laptops and USB based storage devices such as flash drives or portable hard drives are NOT considered handheld mobile devices. Non-sensitive Business Data - Non-sensitive business data are non-personal data that are not necessarily proprietary to an institution. The protection of these data are neither regulated nor controlled by law or contractual obligations, as the protection of the data is at the discretion of the data owner. If lost or illegitimately modified, these data will generate no negative impacts to individual business units or the institution as a whole. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions. Plug-ins for the web Any software component that provides additional features to a web browser, which in turn allows the web browser to display additional types of content. Some examples of plug-ins are Flash player, Java, and Quicktime web component. Publicly Accessible Area Physical spaces that are not located behind locked doors and can be accessed freely by any individual without any form of identification or key. Examples include reception area in a clinic, an unlocked classroom, or a hallway in an unrestricted building. Sensitive Data Data that are proprietary to an institution, where if lost or illegitimately modified, can cause negative impact to the individual units or the institution as a whole. Examples include employee performance evaluations, faculty salary or contract information, and proprietary research data. IV. RESPONSIBILITIES Every member of VCU School of Medicine faculty and staff who uses a handheld mobile device to access sensitive data is responsible for the confidentiality, integrity and security of the sensitive data stored, processed, and/or transmitted via the device, and for following the security requirements set forth in this standard. The VCU School of Medicine Information Security Manager is responsible for reviewing and auditing this standard annually. Handheld Mobile Device Security Page 3

V. ACCESS CONTROL A. Access to handheld mobile device must be protected with a password or PIN code that contains at least 4 digits. The password must be changed at least once per year. B. When not used, the handheld mobile device must be physically secured. The device must never be left unattended in a publicly accessible area. C. The handheld mobile device must be used to only access data for which they have obtained authorization. Authorization request for access to sensitive data must be submitted to and approved by the data owner or a designee. VI. DEVICE CONFIGURATION AND SECURITY MANAGEMENT The following device configuration and security recommendations apply to all handheld mobile devices used to access and/or store sensitive data: A. The latest version of the firmware and operating system should be tested and installed. Unless significant issues are discovered, the testing and installation of the latest firmware or operating system should be scheduled within 2 months of the firmware or operating system release. Updated information and availability can be obtained from the mobile device manufacturer s website. B. If not used, Wi-Fi and Bluetooth must be turned off. C. The automatic network re-join option must be disabled on devices with Wi-Fi capabilities, if sensitive data is transmitted to or stored on the device. D. All Bluetooth communications should use a unique pass-code. E. Unsecured Wi-Fi access points should be avoided. F. Auto-lock timeout must be set and must not exceed sixty minutes of inactivity. G. If applicable, all data on the handheld mobile device must be automatically erased following a maximum of ten invalid logons. H. If applicable, all unnecessary and unneeded plug-ins for the web should be disabled for handheld mobile devices that have web browsing Handheld Mobile Device Security Page 4

capabilities, in order to protect the device from malicious software infection. VII. DATA STORAGE AND TRANSMISSION A. Unless encrypted with an industry standard and accepted encryption algorithm, sensitive data must not be physically stored on the handheld mobile device, or any removable storage devices attached to the handheld mobile device (e.g. SD cards, MMC cards, MiniSD, MicroSD, or CF cards). B. Any electronic mail and text messages containing confidential and protected data that are downloaded and stored locally on the device must be deleted immediately following the initial review. C. Direct wireless electronic transmission of sensitive data between handheld mobile devices must be avoided due to high risk of communication interception. VIII. REPORTING LOSS AND THEFT OF EQUIPMENT OR DATA In the event a handheld mobile device with locally stored sensitive data is lost or stolen, the theft or loss must be reported immediately to the VCU police at 828-1196. IX. DISPOSAL OF DEVICE A. Any residual settings, data and applications on handheld mobile devices must be removed prior to disposal. Usually, the removal of residual data and applications can be achieved through a hard reset or an equivalent operation that allows the device to be reset to its factory defaults. B. Sensitive data cannot be stored on a storage card without proper encryption. Prior to the disposal of the device, all attached storage cards that contain sensitive data must be physically removed and/or wiped or destroyed in compliance with the DOD 5220.22-M standards, where no data recovery will be possible from the storage media. X. EXCEPTIONS Exception requests to this standard must be filed with, and submitted to, VCU School of Medicine Information Security Manager. Any exception request should use the exception request form attached in appendix A. XI. COMPLIANCE Compliance with this Mobile Device Security standard is the responsibility of Handheld Mobile Device Security Page 5

all personnel who utilize handheld mobile device to access sensitive VCU School of Medicine data. This establishes standards for these personnel s actions in recognition of the fact that these personnel are provided unique system and data access, and that non-compliance to this standard will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow this standard may range from a verbal or written report, temporary revocation of system and data access, termination of employment, to legal proceedings against the personnel depending on the severity of the violation. All personnel who have access to School of Medicine data are expected to read, understand and agree to the responsibilities defined in this standard and any published revisions of this standard. XII. REFERENCES A. VCU Information Security Standard section 6: Data protection B. VCU Affiliated Covered Entity ACE-0014: Device and Media Controls C. NIST Special Publication 800-122 D. NIST Special Publication 800-124 E. NIST Special Publication 800-53 F. Center for Internet Security: Security Configuration Benchmark for Apple iphone OS 2.2.1 Handheld Mobile Device Security Page 6

Appendix A. VCU SOM Information Security Standards Exception Request Form Requestor: Unit Name: Authoritative Unit Head: Contact phone: Requirement to which an exception is requested (Section, Item #) Date: 1. Provide the business or technical justification for exception: 2. Describe the scope, including quantification and requested duration (not to exceed 1 year): 3. Describe all associated risks, including the sensitivity and criticality of hardware or data involved in exception: 4. Identify the compensating controls to mitigate the risks: 5. Identify any unmitigated risks: 6. When will compliance with policy be achieved? By submitting this form, the Authoritative Unit Head acknowledges that he or she has evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances. Authoritative Unit Head Signature: Date: SOM Information Security Manager Use Only Approval: Approved Denied VCU/VCUHS Approval Required Comments: Signature: Date: Handheld Mobile Device Security Page 7

VCU / VCUHS Information Security Officer (ISO) Use Only Approval: Comments: Approved Denied Signature: Date: VCU / VCUHS Chief Information Officer (CIO) Use Only Approval: Comments: Approved Denied Signature: Date: VCU / VCUHS Chief Information Officer (CIO) Use Only (Used for Appeal) Approval: Comments: Approved Denied Signature: Date: Completed exception forms must be submitted to SOM Information Security Manager by e-mail, somsecurity@vcu.edu Contact information: SOM Information Security Manager: 827-9907 Phone VCU Information Security Officer: 828 1015 Phone VCUHS Information Security Officer: 628 1144 Phone Handheld Mobile Device Security Page 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information