OUHSC Information Technology Department


Information Technology Policies

In support of efforts to protect key University information assets, manage risk, and ensure regulatory compliance, Information Technology is overseeing development of information system security policies, standards, and procedures.

Acceptable Use of Information Systems Policy : Acceptable use must be ethical, reflect academic honesty, and show responsible use in the consumption of shared resources.

Access to Sensitive Data Policy: Access to Sensitive Data requires prior authorization. Processes must be in place for the authorization, establishment, review, modification and removal of access to Sensitive Data. See the Access to Sensitive Data Standard (PDF).

Active Directory Policy: All University owned or operated computers that are compatible with MS Active Directory (AD) and connected to the University network must join Active Directory.

Activity (Log) Review Policy: For all information system resources which contain or access data classified as “Sensitive” per the data classification standard, processes must be in place to ensure the access and activity is recorded and reviewed (audited).

Antivirus Policy: All computers must have an approved, functioning, and up to date antivirus software. Antivirus software must be set to auto update virus definitions daily. Antivirus software for campus and home use is available for download.

Business Unit Security Roles and Responsibilities Policy: It is essential that University Business Units be aware of information security risks and their roles and responsibilities for mitigating these risks.

Compliance Sanctions Policy: The University will impose appropriate sanctions for non-compliance with its information system policies, procedures, and standards.

Computer Logoff/Lock Policy: When leaving a computer, server, personal digital assistant, or other computing device unattended, workforce members must manually logoff or lock the device to prevent unauthorized access to University systems or information.

All computing devices that contain or access sensitive information must be secured with either a password-protected screen saver or automatic logoff that will take effect after no more than 15 minutes of inactivity.

Digital Copyright Policy: The copying, storing, and/or providing transport of digital material in a manner which violates the copyright associated with the digital material on or through the use of any university Information System Resources is strictly prohibited.

Electronic Data Disposal Policy: All University information systems and electronic media must be disposed of properly when no longer needed or before reuse. Disposal must meet the OU Electronic Disposal and Reuse Standard (PDF).

Facility Security Policy: The University must establish procedures to protect sensitive information system resources and data from unauthorized physical access, tampering, and theft. See the Facility Security Standard.

HIPAA Privacy Policies

HIPAA Security Policies

Information System and Data Classification Policy: Information Systems (IS) are assets of the University of Oklahoma Health Sciences Center and must be classified and protected according to the sensitivity and associated risks to the confidentiality, integrity, and availability of the system. IS Owners must identify all IS and follow the classification requirements in the policy.

Information Technology Policy Definitions (PDF)

Login Banner Policy: The following banner must be displayed when users connect to OUHSC computer networks:

Monitoring Computer Use Policy: While the University does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the University's computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for providing service.

Password Management Policy: The University must implement a formal documented process for the appropriate creation, modification, and safeguard of information system passwords.

Payment Card Industry Data Security Standard: The purpose is to provide the requirements for meeting the PCI DSS and the protection of University information and information system resources that store, process or transmit cardholder data.

Peer-to-Peer (P2P) File Sharing Policy: Peer-to-Peer (P2P) file sharing is permitted only if formally approved and authorized.  Use of P2P file sharing for University academic, research or clinical purposes that does not violate the law or University policy or compromise network integrity or security may be permitted with approval by administration.  A registration process for requesting use of P2P file sharing will be maintained on the OUHSC IT web site.

Policy for Mass Campus Communications

Portable Computing Device (PCD) Security Policy: PCD includes but is not limited to laptops, notebook computers, tablet PCs, smart phones, thumb drives and external media such as CDs or DVDs.

PCDs used for University business must be encrypted to protect data from unauthorized disclosure if the device is lost or stolen.

Product Review Policy: The purpose of this policy is to establish requirements for reviewing Information Systems (IS) to identify risks and recommend appropriate security controls to mitigate identified risks to an acceptable and reasonable level. IS will also be reviewed to determine whether they are compatible with existing University technology infrastructure.

Please see the Product Review page for more information.

Resource and Data Recovery Policy: Information System Resource and Data Owners must ensure all Sensitive Information System Resources and Data are identified and covered by recovery plans and procedures to ensure business continuity and the ability to restore any loss of Sensitive Information System Resources and Data.

Server Consolidation Policy: Servers or data classified as Category A or Category B Information Systems (IS) must be consolidated into the University’s designated enterprise data centers.

State of Oklahoma Computer Use Policies

Security Awareness and Training Policy: The University must implement a security awareness and training program for all faculty, staff and students.

Security Incident Reporting Policy: All suspected Information Security Incidents must be reported promptly to the appropriate university office or party. See the Incident Reporting Procedures.

Compromised or virus-infected computers must have their university network connection disabled to prevent the spread of infection or illegal activities. (More information.)

Security Incident Response Policy: Legal Counsel and the Vice-President of Information Technology have the authority to initiate investigations of all incidents related to possible breaches of security or exposure of sensitive information on information technology assets. Such investigations will be conducted by Information Technology in connection with appropriate University officials.

Telework Policy: Procedures must be in place to ensure that all computing devices used to work remotely (telework) and to access the University’s Sensitive information system resources and data are appropriately secured.

Third Party E-mail Policy: Do not access third-party mail providers from the OUHSC campus network, because this bypasses the university anti-virus systems.

Training Standard: All faculty, staff, students, and volunteers must take the online security training once a year. See the Information Security Training, Education and Awareness site for additional course offerings.

Transmission of Sensitive Data Policy: Data and Resource Owners must appropriately protect Sensitive Data from unauthorized interception, modification, or access during electronic transmission.

Transportation of Media Policy: Data and Information System Resource Owners must govern the receipt, transfer and removal of electronic media which contain Sensitive Data.

Vulnerability Assessment Policy: The operating system or environment for all information system resources must undergo a regular vulnerability assessment.