OUHSC Information Technology Department

Home  |  Online Help  |  Policies  |  Forms  |  Tier Ones
Policies organized by user community:

Information Technology Policies

In support of efforts to protect key University information assets, manage risk, and ensure regulatory compliance, Information Technology is overseeing development of information system security policies, standards, and procedures.

Acceptable Use of Information Systems Policy : Acceptable use must be ethical, reflect academic honesty, and show responsible use in the consumption of shared resources.

Access to Sensitive Data Policy: Access to Sensitive Data requires prior authorization. Processes must be in place for the authorization, establishment, review, modification and removal of access to Sensitive Data.

Active Directory Policy: All University owned or operated computers that are compatible with MS Active Directory (AD) and connected to the University network must join Active Directory.

Activity (Log) Review Policy: For all information system resources which contain or access data classified as “Sensitive” per the data classification standard, processes must be in place to ensure the access and activity is recorded and reviewed (audited).

Antivirus Policy: All computers must have an approved, functioning, and up to date antivirus software. Antivirus software must be set to auto update virus definitions daily. Antivirus software for campus and home use is available for download.

Business Associate Contracts Policy: The University may permit a business associate to create, receive, maintain, or transmit sensitive data on the behalf of the University only if it obtains satisfactory assurances the business associate will appropriately safeguard the information.

Business Unit Security Roles and Responsibilities Policy: It is essential that University Business Units be aware of information security risks and their roles and responsibilities for mitigating these risks.

Compliance Sanctions Policy: The University will impose appropriate sanctions for non-compliance with its information system policies, procedures, and standards.

Computer Logoff/Lock Policy: When leaving a computer, server, personal digital assistant, or other computing device unattended, workforce members must manually logoff or lock the device to prevent unauthorized access to University systems or information.

All computing devices that contain or access sensitive information must be secured with either a password-protected screen saver or automatic logoff that will take effect after no more than 15 minutes of inactivity.

Desktop Computer Security Policies

Digital Copyright Policy: The copying, storing, and/or providing transport of digital material in a manner which violates the copyright associated with the digital material on or through the use of any university Information System Resources is strictly prohibited.

Electronic Data Disposal Policy : All University information systems and electronic media must be disposed of properly when no longer needed or before reuse.  Disposal must meet the OU Electronic Disposal and Reuse Standard Adobe PDF File.

Facility Security Policy: The University must establish procedures to protect sensitive information system resources and data from unauthorized physical access, tampering, and theft.

HIPAA Privacy Policies

Information System and Data Classification Policy: Information Systems (IS) are assets of the University of Oklahoma Health Sciences Center and must be classified and protected according to the sensitivity and associated risks to the confidentiality, integrity, and availability of the system. IS Owners must identify all IS and follow the classification requirements in the policy.

Information_Technology_Policy_DefinitionsAdobe PDF File

Login Banner Policy: The following banner must be displayed when users connect to OUHSC computer networks:

Monitoring Computer Use Policy: While the University does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the University's computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for providing service.

Monthly Maintenance Schedule

Monthly Maintenance Plan

Networking Standards

Password Management Policy: The University must implement a formal documented process for the appropriate creation, modification, and safeguard of information system passwords.

Password Standards: Passwords must meet complexity requirements, be kept private and changed every six months

Patches: Security patches should be installed within 48 hours of release.

Payment Card Industry Data Security Standard: The purpose is to provide the requirements for meeting the PCI DSS and the protection of University information and information system resources that store, process or transmit cardholder data.

Peer-to-Peer (P2P) File Sharing Policy: Peer-to-Peer (P2P) file sharing is permitted only if formally approved and authorized.  Use of P2P file sharing for University academic, research or clinical purposes that does not violate the law or University policy or compromise network integrity or security may be permitted with approval by administration.  A registration process for requesting use of P2P file sharing will be maintained on the OUHSC IT web site.

PeopleSoft Oracle Patching Process: Responsibilities and process for patching the OUHSC PeopleSoft Oracle environment.

Policy for Mass Campus Communications

Portable Computing Device (PCD) Security Policy : PCD includes but is not limited to laptops, notebook computers, tablet PCs, smart phones, thumb drives and external media such as CDs or DVDs.

PCDs used for University business must be encrypted to protect data from unauthorized disclosure if the device is lost or stolen.

Product Review Policy:The purpose of this policy is to establish requirements for reviewing Information Systems (IS) to identify risks and recommend appropriate
security controls to mitigate identified risks to an acceptable and reasonable level. IS will also be reviewed to determine if it is compatible with existing University technology infrastructure.

Please see the Product Review page for more information..

Resource and Data Recovery Policy: Information System Resource and Data Owners must ensure all Sensitive Information System Resources and Data are identified and covered by recovery plans and procedures to ensure business continuity and the ability to restore any loss of Sensitive Information System Resources and Data.

Risk Assessment and Control Review Policy: All information system resources must undergo a formal assessment process to properly identify risks and determine appropriate responses and controls.

All information system resources receiving, storing and/or transmitting Sensitive data must have a product review completed by Information Technology. The Product Review process will provide the requesting department with an overview of potential technology risks to Sensitive data within the OUHSC environment.

Please see the Product Review page for more information..

Risk Management Policy: The Risk Managment policy is currently under revision. Please contact Information Security if you have questions about risk management.

Server Consolidation Policy : Servers or data classified as Category A or Category B Information Systems (IS) must be consolidated into the University’s designated
enterprise data centers.

State of Oklahoma Computer Use policies

Security Awareness and Training Policy: The University must implement a security awareness and training program for all faculty, staff and students.

Security Incident Reporting Policy: All suspected Information Security Incidents must be reported promptly to the appropriate university office or party. See Incident reporting procedures.

Compromised or virus infected computers must have their university network connection disabled to prevent spread of infection or illegal activities. (more information)

Security Incident Response Policy: Legal Counsel and the Vice-President of Information Technology, have the authority to initiate investigations of all incidents related to possible breaches of security or exposure of sensitive information on information technology assets. Such investigations will be conducted by Information Technology in connection with appropriate University officials. 

System Development Security Policy: All information system resources which store, receive or transmit Sensitive Data must have security reviews conducted throughout its system development life cycle (SDLC).

Telework Policy: Procedures must be in place to ensure all computing devices used to work remotely (telework) and access University’s Sensitive information system resources and data are appropriately secured. 

Third Party E-mail Policy: Do not access third party mail providers from the OUHSC campus network because this by-passes the university anti-virus systems.

Training Standard : All faculty, staff, students, and volunteers must take the online security training once a year. See the Information Security Training Education and Awareness site for additional course offerings.

Transmission of Sensitive Data Policy: Data and Resource Owners must appropriately protect Sensitive Data from unauthorized interception, modification, or access during electronic transmission.

Transportation of Media Policy: Data and Information System Resource Owners must govern the receipt, transfer and removal of electronic media which contain Sensitive Data.

Virus Response Policies: Compromised or virus infected computers must have their university network connection disabled to prevent spread of infection or illegal activities.

Vulnerability Assessment Policy: The operating system or environment for all information system resources must undergo a regular vulnerability assessment.

Workstation Use and Security Policy Procedures must be in place to ensure all University workstations are classified based on allowable capabilities and activities and secured accordingly in order to protect the confidentiality, integrity, and availability of Sensitive Data contained on or accessed through the workstations.