Administrative Policies and Procedures POLICY FOR USE AND ACCESS TO ENTERPRISE DATA CENTER FACILITIES



Similar documents
Planning and Administering Windows Server 2008 Servers

M6430a Planning and Administering Windows Server 2008 Servers

Managing and Maintaining Windows Server 2008 Servers (6430) Course length: 5 days

Department of Information Technology Data Center Disaster Recovery Audit Report Final Report. September 2006

Planning and Administering Windows Server 2008 Servers

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

a Disaster Recovery Plan

Virginia Commonwealth University School of Medicine Information Security Standard

Planning and Administering Windows Server 2008 Servers

OpenStack Private Cloud Hosting in an Tier 3 Data Centre. G-Cloud Lot 1 IaaS

Course Syllabus. Planning and Administering Windows Server 2008 Servers. Key Data. Audience. At Course Completion. Prerequisites. Recommended Courses

This white paper describes the three reasons why backup is a strategic element of your IT plan and why it is critical to your business that you plan

Server Virtualization with Windows Server Hyper-V and System Center

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Outline. MCSA: Server Virtualization

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

Introduction to Virtualization. Paul A. Strassmann George Mason University October 29, 2008, 7:20 to 10:00 PM

MaximumOnTM. Bringing High Availability to a New Level. Introducing the Comm100 Live Chat Patent Pending MaximumOn TM Technology

Security Controls What Works. Southside Virginia Community College: Security Awareness

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Blackboard Managed Hosting SM Disaster Recovery Planning Document

Main Reference : Hall, James A Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications

The Difference Between Disaster Recovery and Business Continuance

UCS Level 2 Report Issued to

DICTATION & TRANSCRIPTION. INFO@DOLBEY.com

Server Virtualization with Windows Server Hyper-V and System Center

How To Write A Health Care Security Rule For A University

Server Virtualization with Windows Server Hyper-V and System Center

Disaster Recovery Checklist Disaster Recovery Plan for <System One>

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Tailored Technologies LLC

Course Outline: 6433 _ Planning and Implementing Windows Server 2008 Clustering

INFORMATION TECHNOLOGY POLICY

Domain 1 The Process of Auditing Information Systems

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

933 COMPUTER NETWORK/SERVER SECURITY POLICY

HIPAA RISK ASSESSMENT

FUNCTIONAL AREA 12. Network Administration (NET)

Subject: County of Los Angeles Data Center Space Requirement

Zero Data Loss Solutions for Data Center Consolidation. White Paper

MS Upgrading Your Skills to MCSA Window Server 20102

Retention & Destruction

COMMODITIZING THE DATACENTER. Exploring the Impacts of the Shift to Virtualization and Cloud Computing

Business Continuity Planning for Schools, Departments & Support Units

Increasing Data Center Resilience While Lowering PUE

Office of Inspector General

MS 20417B: Upgrading Your Skills to MCSA Windows Server 2012

Aljex Software, Inc. Business Continuity & Disaster Recovery Plan. Last Updated: June 16, 2009

TSM Backup Service. Standard Service Level Agreement

System Administration and Server Management Service Level Agreement (SLA)

University of Wisconsin-Madison Policy and Procedure

John Essner, CISO Office of Information Technology State of New Jersey

The remedies set forth in this SLA are your sole and exclusive remedies for any failure of the service.

Vendor Management. Outsourcing Technology Services

LEARNING SOLUTIONS website milner.com/learning phone

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Building your Server for High Availability and Disaster Recovery. Witt Mathot Danny Krouk

DISASTER RECOVERY PLANNING GUIDE

Server-Virtualisierung mit Windows Server Hyper-V und System Center MOC 20409

STATE OF NEVADA Department of Administration Division of Human Resource Management CLASS SPECIFICATION

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

The course covers Windows server 2008, Windows Server 2008 R2 and Windows Server 2008 R2 sp1.

Data Center Knowledge, Vision Control

All Clouds Are Not Created Equal THE NEED FOR HIGH AVAILABILITY AND UPTIME

10215A Implementing and Managing Microsoft Server Virtualization

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

EMERGENCY PREPAREDNESS PLAN Business Continuity Plan

BT Internet Connect Global - Annex to the General Service Schedule

Server Virtualization with Windows Server Hyper-V and System Center

Computer Use Policy Approved by the Ohio Wesleyan University Faculty: March 24, 2014

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Department of the Interior

20409B: Server Virtualization with Windows Server Hyper-V and System Center

Service Level Agreement and Management By: Harris Kern s Enterprise Computing Institute

StruxureWare TM Data Center Expert

How can I deploy a comprehensive business continuity and disaster recovery solution in under 24 hours without incurring any capital costs?

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Business Continuity Planning Principles and Best Practices Tom Hinkel and Zach Duke

INSPECTION U.S. DEPARTMENT OF THE INTERIOR WEB HOSTING SERVICES

Managed Services. Business Intelligence Solutions

Creating A Highly Available Database Solution

Cisco Disaster Recovery: Best Practices White Paper

How To Ensure The C.E.A.S.A

Mazzone & Associates, Inc.

Information Security Program

Implementing and Managing Microsoft Server Virtualization

Utica College. Information Security Plan

Transcription:

Administrative Policies and Procedures POLICY FOR USE AND ACCESS TO ENTERPRISE DATA CENTER FACILITIES Department: Information Technology Services Policy Number: Effective Date: Revision Date: June 11, 2008 POLICY: UW Medicine data centers house servers supporting computing systems which provide patient care and administration services, and are a critical resource. Data centers provide both physical and network infrastructure as well as security protections for critical systems. Accreditation agencies also require strong data center protections, including strong access controls. Data centers resources are likely to be limited in one or more areas, such as cooling, power, or weight. Therefore, all servers placed into and access to enterprise data centers will be reviewed, prioritized, and approved in advance according to their level of critical impact (mission critical) to the medical center(s) by UW Medicine IT Services (ITS). Any changes in access to or the hardware of approved systems must also be reviewed and approved by ITS. Access to data centers will be granted only to those with a clear need as approved by ITS, in accordance with the procedures defined below. Individuals granted access must agree to electronic or paper access controls and video surveillance, as required by UW Medicine and its accreditation agencies. This policy applies only to enterprise data centers. DEFINITIONS: Enterprise data centers support major enterprise information systems critical to the mission of UW Medicine. For reliability, enterprise data centers have redundant power, cooling, and networking, and are designed for resistance to earthquakes. Systems in enterprise data centers are designed and installed to be managed and monitored on a 24/7 basis remotely. Physical access to enterprise data centers are restricted and monitored, and networks are protected against intrusions. Procedures governing these facilities are designed to meet financial audit, HIPAA and other regulations. Primary data centers handle the most critical of enterprise systems and are in close proximity to patient care facilities to minimize disruptions from communications failures. Secondary data centers service less critical enterprise systems. Enterprise data centers are listed in Appendix 1. Local data centers support departmental and some smaller enterprise systems and are managed by the facility and/or ITS. These data centers vary in quality and are smaller in capacity and size. Local data centers may lack redundancy for power, cooling, or networking, and may not control access or protect networks. If systems in these facilities contain patient information, they must meet appropriate regulatory requirements, including compliance to appropriate security policies. Local data centers include NW078 in UWMC and BEH39 at HMC. System Criticality refers to the level of importance of the system for the continued operation of UW Medicine, its hospitals, patient care activities, and/or the School of Medicine. Criticality levels range from 1 (most critical) to 5 (least critical).

Level 1 Information systems or supporting systems critical to the normal operations of UW Medicine s Immediate Critical Patient Care activities, where a downtime of 0-4 hours is highly disruptive. Level 1 systems must be fully redundant in at least two physically separated enterprise data centers, and a single system must be able to operate independently in a single data center. Emergency manual procedures for a level 1 system are difficult to implement. Examples: Critical to Patient Care - ORCA PROD, PACS, Lab, Critical Support Systems - DNS servers (network name resolution), and Active Directory (access/authentication) systems. Level 2 Information systems or supporting systems that are Essential to Patient Care or provide Essential Support to UW Medicine activities where a downtime of up to 24 hours would be operationally feasible and for which good manual down time procedures beyond that are difficult to implement without directly impacting critical patient care activities. Level 2 systems should be redundant. Examples: Essential to Patient Care - Hospital Capacity, Docusys, Registration demographics, Essential Support Public Safety, Safety Monitoring, communications support. Level 3 Information systems or supporting systems that are Important to UW Medicine s business where a downtime of up to 72 hours would be disruptive to normal operations. Level 3 systems are not required to be redundant. Examples: EPIC patient scheduling, Email system, system and infrastructure monitoring systems, certain Research systems. Level 4 Information systems or supporting systems where a downtime of 3 days or more can be tolerated before resumption of Normal Operations. Test and Development systems that are designed to function in a fail-over capacity also fall into this level. Examples: Patient billing, PMM, Rosebud. Level 5 Information systems used only for Research, Isolated Development or Test, and Departmental Scheduling or other purposes where the restoration of the system is not required for normal operations. Examples: Sum Total, ORCA Dev, ORCA Test, Spacelabs Test, Research PROCEDURE The detailed procedure for managing the placement of hardware into an enterprise data center is in an accompanying document. Items covered in the procedure include review by UW Medicine Oversight and ITS Project Intake committees. Individuals or departments requesting data center resources must submit a request to one or more medical center review committee(s) and if approved forwarded for consideration at project intake or IT Services Oversight Committee (ITSOC). Review shall include, but not limited to the following: The power and cooling requirements of the system hardware. PHI data stored on or access required by the system. Access to existing shared/critical systems (i.e., HL7, shared data bases, web servers, etc.) The network requirements of the system. The backup and storage requirements of the system. Projected growth over the expected lifetime of the system and its impact on hardware. System design for fault tolerance, redundancy, and emergency operations. The nature of the software, including its criticality to patient care, support for emergency operations, HIPAA, etc. Available data center resources. Funding to support data center costs of the hardware. 2

Systems not supporting active applications must be removed from enterprise data centers. Data centers should not be used to hold retired systems because of limited resrouces. Should data center facilities become limited, priorities and considerations for the placement of hardware will include, but are not limited to: An emergency situation requiring hardware maintenance and/or replacement. An operational replacement of hardware where the replacement s characteristics for power, cooling, and weight are equal to or less than that it replaces. This may not be allowed if both the existing and replacement hardware must be available concurrently. Level of the project under Washington Department of Information Systems (DIS) and the Information Systems Board (ISB) which have been previously reviewed by ITS and UW Medicine. Criticality of the system for patient care and/or administration. Priority of the project as dictated by UW Medicine. Once approved by oversight committees, installation of computing systems must be performed and/or approved by UW Medicine ITServices Data Center and Security/Infrastructure staff. To insure the integrity of the data centers, required reviews include: Proper documentation of hardware, and network configurations, and applications. Approved security practices. Identification of responsible parties. Physical placement of servers. Physical hookup of power and network. System monitoring Racks, UPS, cooling and other requirements specific to the data center. In accordance with UW Medicine SEC10 and other relevant security policies, individuals or departments who violate the use and/or access to data centers may be subject to one or more of the following: Shutdown of systems until breach is resolved. Termination of access to the data center. Removal of systems that fail to comply with the policy. Termination of employment for individuals violating the policy. CROSS REFERENCES ITS Project Intake Procedure ITS Data Centers Policies and Procedures ITS Security Review Policy and Procedures (http://security.uwmedicine.org/policies) ITS Basic Data Center Policies ITS Server Placement Request Form ATTACHMENTS Enterprise Data Centers 3

REVISIONS Chief Information Officer: Date: VP Medical Affairs Chief Operating Officer: Date: 4

Enterprise Data Centers (as of April, 2008) 1) UWMC Surgery Pavilion (SP1004) [primary data center] in use 2) HMC NJB Building [primary data center] opening early 2009 3) UW Technologies 4545 Building [secondary data center] in use 4) Sabey, Tukwila [secondary data center] in use 5) UW Towers [secondary data center] planned late 2009 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information