Virginia Commonwealth University School of Medicine Information Security Standard




Title: Data Handling and Storage Standard
Scope: This standard is applicable to all VCU School of Medicine personnel.
Approval Date: July 1, 2010
Effective Date: July 1, 2010
Compliance Date: January 1, 2011
Authority: VCU School of Medicine Information Security Manager
Review Frequency: Annually, or as needed

Revision History:
Version   Date                Revision Issuance
1.0       December 9, 2009    Draft approved by IT Audit Resolution Committee
1.1       June 14, 2010       Modifications related to changes in data classification guidelines
1.2       June 29, 2010       Modifications related to ITARC member comments

Data Handling and Storage Page 1

I. PURPOSE

The Data Handling and Storage Standard documents the handling, storage and disposal of sensitive data within the VCU School of Medicine.

II. POLICY

Organizational sensitive data consists of data that are vital to the organization. These data are owned by VCU and / or VCUHS, and it is up to the individuals who are authorized to access the data to ensure the confidentiality, integrity and security of these organizational data. This document denotes the standards for the handling and storage of such data.

III. DEFINITIONS

Authorized User - An individual who has been granted access to specific data in order to perform his / her assigned duties in the VCU School of Medicine. Users include, but are not limited to, faculty and staff members, trainees, students, vendors, volunteers, contractors, or other affiliates of VCU or VCUHS.

Confidential and Protected Data - Confidential and protected data are considered the most sensitive, and must be protected with the highest security standards. These data are protected specifically by federal or state law and regulations (e.g. HIPAA, FERPA). Loss of confidential and protected data can result in long-term loss of funding, ranking and reputation for the school, as well as possible legal actions against the University, School, or the data owner. Confidential and protected data are a subset of sensitive data; therefore, all confidential and protected data are also classified as sensitive. Examples include student or employee SSN, date of birth, Electronic Protected Health Information (EPHI), and student grades. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions.

Data Owner - The Data Owner is the VCU or VCUHS employee responsible for the policy and practice decisions regarding data, and is responsible for: evaluating and classifying the sensitivity of the data; defining protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs; communicating data protection requirements to the System Owner; and defining requirements for access to the data.

External Account - Email or other user accounts that do not belong to VCU or VCUHS. These accounts are managed, individually or collectively, by organizations that are not a part of, but may be associated or affiliated with, VCU or VCUHS.

IT System - An IT System is a combination of people, hardware (computer workstation, mobile device, removable storage media, server), software,

communication devices, network and data resources that processes (stores, retrieves, or transforms) data and information for a specific purpose.

Local Storage Device - An electronic storage device that is native to, or can be directly connected to, an individual's laptop, desktop, or other computing device. Local storage devices include, but are not limited to, hard disks, USB flash drives, CDs / DVDs, audio players, and portable hard drives.

Network Storage Device - An electronic storage device that is not native to, or directly connected to, an individual's desktop, laptop or other computing device. Rather, the network storage device is a storage device hosted and managed in a data center which has appropriate physical access protection, monitoring, and access management controls to ensure that only authorized users can access data.

Non-sensitive Business Data - Non-sensitive business data are non-personal data that are not necessarily proprietary to an institution. The protection of these data is neither regulated nor controlled by law or contractual obligations; the protection of the data is at the discretion of the data owner. If lost or illegitimately modified, these data will generate no negative impacts to individual business units or the institution as a whole. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions.

Offsite Storage - The process of storing copies of vital records in a facility that is physically remote from the primary site. To qualify as offsite, the facility should be geographically separated and distinct from the primary site and offer physical access protection, monitoring, and access management controls to ensure that only authorized users can access data.

Principle of Least Privilege - This principle requires that each user in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.

Sensitive Data - Data that are proprietary to an institution and that, if lost or illegitimately modified, can cause negative impact to the individual units or the institution as a whole. Examples include employee performance evaluations, faculty salary or contract information, and proprietary research data.

System Owner - A VCU or VCUHS employee who is responsible for authorizing or denying access to an IT system for system users. The system owners are directly responsible for the physical and logical security of the computer workstations that are under their control.

IV. RESPONSIBILITIES

A. Data owners must determine the classification of their data and communicate data protection requirements to the System Owner to ensure that their data is protected in a manner appropriate to its classification.

B. Data Owners are responsible for the integrity of the data and therefore have responsibility to review lists of users with access to their data and to approve any major changes or modifications.

C. The authorized users of sensitive data are responsible for ensuring that their use of data is in compliance with this standard.

D. The authorized users of sensitive data are directly responsible for maintaining the confidentiality, integrity and security of the sensitive data they access. Any unauthorized access, use or disclosure of sensitive data is strictly prohibited.

E. The authorized users must seek permission from the data owner before making any copies of sensitive data.

F. The authorized users of sensitive data are responsible for completing annual security awareness training on data protection and certifying their understanding of sensitive data protection on an annual basis.

G. All authorized users are responsible for reporting to the data owner any suspected unauthorized access, misuse, tampering, or deletion of sensitive data immediately following the discovery. It is the responsibility of the data owner to report these cases to the VCU or VCUHS information security office.

I. The VCU School of Medicine Technology Services and departmental IT support units are responsible for making sensitive data available, upon request with appropriate authorization, to employees who are authorized to access this data.

J. The VCU School of Medicine Information Security Manager is responsible for reviewing and auditing this standard annually.

V. DATA HANDLING

A. Sensitive data must only be accessed by authorized users.

B. Authorization requests for access to sensitive data must be submitted to and approved by the data owner or a designee.

C. Authorized users who are granted access to sensitive data must only use this sensitive data for delegated VCU or VCUHS related tasks. Any unauthorized use of sensitive data is strictly prohibited.

D. Authorized users must only request access to sensitive data that is absolutely

needed for the purpose of their jobs. Permissions granted on sensitive data must follow the principle of least privilege.

E. It is the responsibility of the authorized user's supervisor or designee to immediately notify the designated technology support unit when an authorized user is terminated or no longer needs access to sensitive data. The technology support unit is responsible for disabling the user's access to the sensitive data within 3 business days of the initial notification.

F. Any transmission of confidential and protected data that belongs to the VCU School of Medicine to external accounts must be approved by the data owner. The external account holder must complete and sign a data sharing agreement with VCU or VCUHS.

G. Authorized users of confidential and protected data must not transmit confidential and protected data in an unencrypted form via electronic mail. Transmission of confidential and protected data via electronic mail to any external entities must be encrypted. Transmission of confidential and protected data to external accounts must be approved by the VCU or VCUHS information security officer or a designee. Please see Appendix A for the exception form and contact information.

H. Access to confidential and protected data from mobile devices such as cell phones and personal digital assistants must follow the VCU School of Medicine Handheld Mobile Device Security Standard.

VI. DATA STORAGE

A. All confidential and protected data must be stored only on centrally managed network storage devices. Confidential and protected data cannot be stored on any local storage device under any circumstances.

B. Sensitive data must not be stored on any local storage devices. Any exceptions to this requirement must be disclosed to and approved by the VCU or VCUHS Information Security Officer or a designee. The exception requests must be submitted using the form included in Appendix A.

C. Non-sensitive business data can be stored on local storage devices. However, at a minimum, these non-sensitive business data should be periodically copied to centrally managed network storage devices for backup purposes. The frequency of backup should be determined by the data owner. This standard is not applicable to personal data, and personal data is not required to be backed up.

D. If an exception is granted, sensitive data stored on local storage devices must be encrypted with an industry approved and standard encryption algorithm. The

encryption algorithm must be reviewed on a periodic basis to ensure adequate protection.

E. Proprietary clinical and research equipment or instruments that are unable to reasonably output data to the centrally managed network storage devices must have a periodic backup mechanism that copies the output data onto a centrally managed network storage device. The frequency of backup should be determined by the data owner.

F. Any approved computer or storage device that contains sensitive information must undergo a risk assessment, and is subject to periodic reviews of the security configuration by designated VCU School of Medicine information security professionals.

G. Storage areas for sensitive data, whether electronic or paper-based, must be physically secured with a locking mechanism, and access to these areas must be restricted to only the personnel who are authorized to access the data.

H. Storage of sensitive data on any personally owned devices, i.e. devices not owned by VCU or VCUHS, is strictly prohibited.

I. Backups of data must be handled with the same security precautions as the data itself.

J. Any data deemed sensitive must have managed and off-site storage backups that are geographically separated from the primary site where the data is stored or accessed.

VII. DATA DISPOSAL

A. Inactive or unneeded records that are deemed sensitive must be disposed of securely. Electronic storage devices containing these data, or thought to have contained such data, must be securely wiped or destroyed in compliance with the DOD 5220.22-M standards, so that no data recovery is possible from the storage media. Paper records containing sensitive data must be shredded and placed in secure disposal bins.

B. Historical or inactive data that are deemed sensitive and are no longer in use can also be archived in a secure location. This location must contain a proper locking mechanism that prevents unauthorized access to the area. Furthermore, access to the archival area must be restricted to authorized personnel only, and an access log must be kept for these areas at all times.

C. All storage devices containing unencrypted sensitive data must be removed when offsite repair is required for any computing devices that contain sensitive data.

D. Backups of sensitive data that are no longer needed must also be securely destroyed according to the DOD 5220.22-M standards.

VIII. EXCEPTIONS

Exception requests to this standard must be filed with, and submitted to, the VCU School of Medicine Information Security Manager. Any exception request should use the exception request form attached in Appendix A.

IX. REPORTING LOSS AND THEFT OF EQUIPMENT OR DATA

In the event a computer workstation is lost or stolen, the theft or loss must be reported immediately to the VCU police at 828-1196. In the event that sensitive data is suspected lost or stolen, the theft or loss must be reported immediately to the VCU information security office at 828 1105 or the VCUHS information security office at 628 1144.

X. COMPLIANCE

Compliance with this Data Handling and Storage standard is the responsibility of all personnel who have access to School of Medicine data. This standard establishes standards for these personnel's actions in recognition of the fact that these personnel are provided unique system and data access, and that non-compliance with this agreement will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow this standard may range from a verbal or written report, temporary revocation of system and data access, or termination of employment, to legal proceedings against the personnel, depending on the severity of the violation. All personnel who have access to School of Medicine data are expected to read, understand and agree to the responsibilities defined in this standard and any published revisions of this standard.

XI. REFERENCES

A. VCU Information Security Standard section 6: Data Protection
B. VCU Affiliated Covered Entity ACE-0014: Device and Media Controls
C. NIST Special Publication 800-122

Appendix A. VCU SOM Information Security Standards Exception Request Form

Requestor:
Unit Name:
Authoritative Unit Head:
Contact phone:
Date:
Requirement to which an exception is requested (Section, Item #):

1. Provide the business or technical justification for exception:
2. Describe the scope, including quantification and requested duration (not to exceed 1 year):
3. Describe all associated risks, including the sensitivity and criticality of hardware or data involved in exception:
4. Identify the compensating controls to mitigate the risks:
5. Identify any unmitigated risks:
6. When will compliance with policy be achieved?

By submitting this form, the Authoritative Unit Head acknowledges that he or she has evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances.

Authoritative Unit Head Signature:                         Date:

SOM Information Security Manager Use Only
Approval: Approved / Denied / VCU/VCUHS Approval Required
Comments:
Signature:                         Date:

VCU / VCUHS Information Security Officer (ISO) Use Only
Approval: Approved / Denied
Comments:
Signature:                         Date:

VCU / VCUHS Chief Information Officer (CIO) Use Only
Approval: Approved / Denied
Comments:
Signature:                         Date:

VCU / VCUHS Chief Information Officer (CIO) Use Only (Used for Appeal)
Approval: Approved / Denied
Comments:
Signature:                         Date:

Completed exception forms must be submitted to the SOM Information Security Manager by e-mail: somsecurity@vcu.edu

Contact information:
SOM Information Security Manager: 827-9907 Phone
VCU Information Security Officer: 828 1015 Phone
VCUHS Information Security Officer: 628 1144 Phone