Virginia Commonwealth University School of Medicine
Information Security Standard

Title: Data Handling and Storage Standard
Scope: This standard is applicable to all VCU School of Medicine personnel.
Approval Date: July 1, 2010
Effective Date: July 1, 2010
Compliance Date: January 1, 2011
Authority: VCU School of Medicine Information Security Manager
Review Frequency: Annually, or as needed

Revision History:
Version 1.0, December 9, 2009: Draft approved by IT Audit Resolution Committee
Version 1.1, June 14, 2010: Modifications related to changes in data classification guidelines
Version 1.2, June 29, 2010: Modifications related to ITARC member comments

Data Handling and Storage Page 1
I. PURPOSE

The Data Handling and Storage Standard documents the handling, storage and disposal of sensitive data within the VCU School of Medicine.

II. POLICY

Organizational sensitive data consists of data that are vital to the organization. These data are owned by VCU and/or VCUHS, and it is up to the individuals who are authorized to access the data to ensure the confidentiality, integrity and security of these organizational data. This document denotes the standards for the handling and storage of such data.

III. DEFINITIONS

Authorized User - An individual who has been granted access to specific data in order to perform his/her assigned duties in the VCU School of Medicine. Users include, but are not limited to, faculty and staff members, trainees, students, vendors, volunteers, contractors, or other affiliates of VCU or VCUHS.

Confidential and Protected Data - Confidential and protected data are considered the most sensitive, and must be protected with the highest security standards. These data are protected specifically by federal or state law and regulations (e.g., HIPAA, FERPA). Loss of confidential and protected data can result in long-term loss of funding, ranking and reputation for the school, as well as possible legal actions against the University, School, or the data owner. Confidential and protected data are a subset of sensitive data; therefore, all confidential and protected data are also classified as sensitive. Examples include student or employee SSN, date of birth, Electronic Protected Health Information (EPHI), and student grades. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions.

Data Owner - The Data Owner is the VCU or VCUHS employee responsible for the policy and practice decisions regarding data. The Data Owner is responsible for evaluating and classifying the sensitivity of the data; defining protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs; communicating data protection requirements to the System Owner; and defining requirements for access to the data.

External Account - Email or other user accounts that do not belong to VCU or VCUHS. These accounts are managed, individually or collectively, by organizations that are not a part of, but may be associated or affiliated with, VCU or VCUHS.

IT System - An IT System is a combination of people, hardware (computer workstation, mobile device, removable storage media, server), software, communication devices, network and data resources that processes (stores, retrieves, or transforms) data and information for a specific purpose.

Local Storage Device - An electronic storage device that is native to, or can be directly connected to, an individual's laptop, desktop, or other computing device. Local storage devices include, but are not limited to, hard disks, USB flash drives, CDs/DVDs, audio players, and portable hard drives.

Network Storage Device - An electronic storage device that is not native to or directly connected to an individual's desktop, laptop or other computing device. Rather, the network storage device is hosted and managed in a data center which has appropriate physical access protection, monitoring, and access management controls to ensure that only authorized users can access data.

Non-sensitive Business Data - Non-sensitive business data are non-personal data that are not necessarily proprietary to an institution. The protection of these data is neither regulated nor controlled by law or contractual obligations; protection of the data is at the discretion of the data owner. If lost or illegitimately modified, these data will generate no negative impacts to individual business units or the institution as a whole. Refer to the "School of Medicine Data Classification Guidelines" for authoritative definitions.

Offsite Storage - The process of storing copies of vital records in a facility that is physically remote from the primary site. To qualify as offsite, the facility should be geographically separated and distinct from the primary site and offer physical access protection, monitoring, and access management controls to ensure that only authorized users can access data.

Principle of Least Privilege - This principle requires that each user in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.

Sensitive Data - Data that are proprietary to an institution, where, if lost or illegitimately modified, they can cause negative impact to individual units or the institution as a whole. Examples include employee performance evaluations, faculty salary or contract information, and proprietary research data.

System Owner - A VCU or VCUHS employee who is responsible for authorizing or denying access to an IT system for system users. System owners are directly responsible for the physical and logical security of the computer workstations that are under their control.

IV. RESPONSIBILITIES
A. Data owners must determine the classification of their data and communicate data protection requirements to the System Owner to ensure that their data is protected in a manner appropriate to its classification.
B. Data Owners are responsible for the integrity of the data and therefore have responsibility to review lists of users with access to their data and to approve any major changes or modifications.
C. The authorized users of sensitive data are responsible for ensuring that their use of data is in compliance with this standard.
D. The authorized users of sensitive data are directly responsible for maintaining the confidentiality, integrity and security of the sensitive data they access. Any unauthorized access, use or disclosure of sensitive data is strictly prohibited.
E. The authorized users must seek permission from the data owner before making any copies of sensitive data.
F. The authorized users of sensitive data are responsible for completing annual security awareness training on data protection and certifying their understanding of sensitive data protection on an annual basis.
G. All authorized users are responsible for reporting to the data owner any suspected unauthorized access, misuse, tampering, or deletion of sensitive data immediately following the discovery. It is the responsibility of the data owner to report these cases to the VCU or VCUHS information security office.
I. The VCU School of Medicine Technology Services and departmental IT support units are responsible for making sensitive data available, upon request with appropriate authorization, to employees who are authorized to access this data.
J. The VCU School of Medicine Information Security Manager is responsible for reviewing and auditing this standard annually.

V. DATA HANDLING

A. Sensitive data must only be accessed by authorized users.
B. Authorization requests for access to sensitive data must be submitted to and approved by the data owner or a designee.
C. Authorized users who are granted access to sensitive data must use this sensitive data only for delegated VCU or VCUHS related tasks. Any unauthorized use of sensitive data is strictly prohibited.
D. Authorized users must only request access to sensitive data that is absolutely needed for the purpose of their jobs. Permissions granted on sensitive data must follow the principle of least privilege.
E. It is the responsibility of the authorized user's supervisor or designee to immediately notify the designated technology support unit when an authorized user is terminated or no longer needs access to sensitive data. The technology support unit is responsible for disabling the user's access to the sensitive data within 3 business days of the initial notification.
F. Any transmission of confidential and protected data that belongs to the VCU School of Medicine to external accounts must be approved by the data owner. The external account holder must complete and sign a data sharing agreement with VCU or VCUHS.
G. Authorized users of confidential and protected data must not transmit confidential and protected data in an unencrypted form via electronic mail. Transmission of confidential and protected data via electronic mail to any external entities must be encrypted. Transmission of confidential and protected data to external accounts must be approved by the VCU or VCUHS information security officer or a designee. Please see Appendix A for the exception form and contact information.
H. Access to confidential and protected data from mobile devices such as cell phones and personal digital assistants must follow the VCU School of Medicine Handheld Mobile Device Security Standard.

VI. DATA STORAGE

A. All confidential and protected data must be stored only on centrally managed network storage devices. Confidential and protected data cannot be stored on any local storage device under any circumstances.
B. Sensitive data must not be stored on any local storage devices. Any exceptions to this requirement must be disclosed to and approved by the VCU or VCUHS Information Security Officer or a designee. Exception requests must be submitted using the form included in Appendix A.
C. Non-sensitive business data can be stored on local storage devices.
However, at a minimum, these non-sensitive business data should be periodically copied to centrally managed network storage devices for backup purposes. The frequency of backup should be determined by the data owner. This standard is not applicable to personal data, and personal data are not required to be backed up.
D. If an exception is granted, sensitive data stored on local storage devices must be encrypted with an industry approved and standard encryption algorithm. The encryption algorithm must be reviewed on a periodic basis to ensure adequate protection.
E. Proprietary clinical and research equipment or instruments that are unable to reasonably output data to the centrally managed network storage devices must have a periodic backup mechanism that copies the output data onto a centrally managed network storage device. The frequency of backup should be determined by the data owner.
F. Any approved computer or storage device that contains sensitive information must undergo a risk assessment, and is subject to periodic reviews of its security configuration by designated VCU School of Medicine information security professionals.
G. Storage areas for sensitive data, whether electronic or paper-based, must be physically secured with a locking mechanism, and access to these areas must be restricted to only the personnel who are authorized to access the data.
H. Storage of sensitive data on any personally owned devices, i.e., devices not owned by VCU or VCUHS, is strictly prohibited.
I. Backups of data must be handled with the same security precautions as the data itself.
J. Any data deemed sensitive must have managed, off-site storage backups that are geographically separated from the primary site where the data is stored or accessed.

VII. DATA DISPOSAL

A. Inactive or unneeded records that are deemed sensitive must be disposed of securely. Electronic storage devices containing these data, or thought to have contained such data, must be securely wiped or destroyed in compliance with the DOD 5220.22-M standards, so that no data recovery is possible from the storage media. Paper records containing sensitive data must be shredded and placed in secure disposal bins.
B. Historical or inactive data that are deemed sensitive and are no longer in use can also be archived in a secure location. This location must have a proper locking mechanism that prevents unauthorized access to the area. Furthermore, access to the archival area must be restricted to authorized personnel only, and an access log must be kept for these areas at all times.
C. All storage devices containing unencrypted sensitive data must be removed when offsite repair is required for any computing device that contains sensitive data.
D. Backups of sensitive data that are no longer needed must also be securely destroyed according to the DOD 5220.22-M standards.

VIII. EXCEPTIONS

Exception requests to this standard must be filed with, and submitted to, the VCU School of Medicine Information Security Manager. Any exception request should use the exception request form attached as Appendix A.

IX. REPORTING LOSS AND THEFT OF EQUIPMENT OR DATA

In the event a computer workstation is lost or stolen, the theft or loss must be reported immediately to the VCU Police at 828-1196. In the event that sensitive data is suspected lost or stolen, the theft or loss must be reported immediately to the VCU information security office at 828-1105 or the VCUHS information security office at 628-1144.

X. COMPLIANCE

Compliance with this Data Handling and Storage Standard is the responsibility of all personnel who have access to School of Medicine data. This standard establishes standards for these personnel's actions in recognition of the fact that these personnel are provided unique system and data access, and that non-compliance with this agreement will be enforced through sanctions commensurate with the level of infraction. Administrative actions due to failure to follow this standard may range from a verbal or written report, temporary revocation of system and data access, or termination of employment, to legal proceedings against the personnel, depending on the severity of the violation. All personnel who have access to School of Medicine data are expected to read, understand and agree to the responsibilities defined in this standard and any published revisions of this standard.

XI. REFERENCES

A. VCU Information Security Standard, section 6: Data Protection
B. VCU Affiliated Covered Entity ACE-0014: Device and Media Controls
C. NIST Special Publication 800-122
Appendix A. VCU SOM Information Security Standards Exception Request Form

Requestor:
Unit Name:
Authoritative Unit Head:
Contact phone:
Date:
Requirement to which an exception is requested (Section, Item #):

1. Provide the business or technical justification for exception:
2. Describe the scope, including quantification and requested duration (not to exceed 1 year):
3. Describe all associated risks, including the sensitivity and criticality of hardware or data involved in exception:
4. Identify the compensating controls to mitigate the risks:
5. Identify any unmitigated risks:
6. When will compliance with policy be achieved?

By submitting this form, the Authoritative Unit Head acknowledges that he or she has evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances.

Authoritative Unit Head Signature:          Date:

SOM Information Security Manager Use Only
Approval: Approved / Denied / VCU/VCUHS Approval Required
Comments:
Signature:          Date:

VCU / VCUHS Information Security Officer (ISO) Use Only
Approval: Approved / Denied
Comments:
Signature:          Date:

VCU / VCUHS Chief Information Officer (CIO) Use Only
Approval: Approved / Denied
Comments:
Signature:          Date:

VCU / VCUHS Chief Information Officer (CIO) Use Only (Used for Appeal)
Approval: Approved / Denied
Comments:
Signature:          Date:

Completed exception forms must be submitted to the SOM Information Security Manager by e-mail: somsecurity@vcu.edu

Contact information:
SOM Information Security Manager: 827-9907 (phone)
VCU Information Security Officer: 828-1015 (phone)
VCUHS Information Security Officer: 628-1144 (phone)