OUHSC Information Technology Department

Home  |  Online Help  |  Policies  |  Tier Ones

IT Security Policies for data owners or business administrators

Most of these policies are people or process oriented and need to be distributed, read, and followed by Data Owners or Business Unit administors.

Risk Management: OUHSC IT will implement an Information Technology Risk Management Program designed to keep risks to Information System Resources at reasonable and appropriate levels.

Risk Assessment and Control Review: All information system resources must undergo a formal assessment process to properly identify risks and determine appropriate responses and controls.

Data Classification: All data owners must classify the sensitivity of their data on a scale from A to D, where A is the most sensitive.

Information System and Data Classification Policy: Information Systems (IS) are assets of the University of Oklahoma Health Sciences Center and must be classified and protected according to the sensitivity and associated risks to the confidentiality, integrity, and availability of the system. IS Owners must identify all IS and follow the classification requirements in the policy.

Resource and Data Recovery: Information system resource and data owners must ensure all sensitive information system resources and data are identified and covered by recovery plans and procedures to ensure business continuity and the ability to restore any loss of sensitive information system resources and data.

Product Review: All information system resources viewing, storing and/or collecting Sensitive Data must undergo a product review.

System Development Security Policy: All information system resources which store, receive or transmit Sensitive Data must have security reviews conducted throughout its system development life cycle (SDLC).

Telework Policy: Procedures must be in place to ensure all computing devices used to work remotely (telework) and access University’s sensitive information system resources and data are appropriately secured. 

Transmission of Sensitive Data: Data and resource owners must appropriately protect Sensitive Data from unauthorized interception, modification, or access during electronic transmission.

Transportation of Media Policy: Data and information system resource owners must govern the receipt, transfer and removal of electronic media which contain Sensitive Data.

Facility Security: The University must establish procedures to protect Sensitive Information System Resources and data from unauthorized physical access, tampering, and theft.

PHI Server Consolidation: Servers containing ePHI must be consolidated into the campus enterprise data center. The data center will provide physical and environmental protections for the security and privacy of these confidential and missioncritical information assets.

Password Management Policy:The University must implement a formal documented process for the appropriate creation, modification, and safeguard of information system passwords.

Payment Card Industry Data Security Standard (Draft): All OUHSC business units which accept credit card payments must complete page one of the Annual PCI Self-Assessment Questionnaire and submit to Information Security Services.

Access to Sensitive Data Access to Sensitive Data requires prior authorization. Processes must be in place for the authorization, establishment, review, modification and removal of access to Sensitive Data.

Business Associate Contracts: The University may permit a business associate to create, receive, maintain, or transmit sensitive data on the behalf of the University only if it obtains satisfactory assurances the business associate will appropriately safeguard the information.

Workstation Use and Security Policy Procedures must be in place to ensure all University workstations are classified based on allowable capabilities and activities and secured accordingly in order to protect the confidentiality, integrity, and availability of Sensitive Data contained on or accessed through the workstations. 

At a minimum the following controls must be in place for University workstation containing or providing access to Sensitive Data:

  • Must require a form of unique user authentication such as: userID and password, biometrics, or an access device such as a token for authentication of access.
  • Must be part of a patch or vulnerability management system.
  • Must be physically located in such a manner to minimize the risk of unauthorized access.
  • Display screens/monitors must be positioned such that information cannot be readily viewed by unauthorized individuals.

HIPAA Privacy Policies

Information Security Policy Definitions Adobe PDF File

Service Request
Assistance with other issues related to this service can be requested using this form. Upon submission, this form creates a record in our tracking system and it will be routed to the appropriate resource for action.