OUHSC Information Technology Department
IT Security Policies for data owners or business administrators
Most of these policies are people- or process-oriented and need to be distributed, read, and followed by Data Owners or Business Unit administrators.
Risk Management: OUHSC IT will implement an Information Technology Risk Management Program designed to keep risks to Information System Resources at reasonable and appropriate levels.
Risk Assessment and Control Review: All information system resources must undergo a formal assessment process to properly identify risks and determine appropriate responses and controls.
Data Classification: All data owners must classify the sensitivity of their data on a scale from A to D, where A is the most sensitive.
Information System and Data Classification Policy: Information Systems (IS) are assets of the University of Oklahoma Health Sciences Center and must be classified and protected according to the sensitivity and associated risks to the confidentiality, integrity, and availability of the system. IS Owners must identify all IS and follow the classification requirements in the policy.
Resource and Data Recovery: Information system resource and data owners must ensure all sensitive information system resources and data are identified and covered by recovery plans and procedures to ensure business continuity and the ability to restore any loss of sensitive information system resources and data.
Product Review: All information system resources viewing, storing and/or collecting Sensitive Data must undergo a product review.
Telework Policy: Procedures must be in place to ensure all computing devices used to work remotely (telework) and access the University's sensitive information system resources and data are appropriately secured.
Transmission of Sensitive Data: Data and resource owners must appropriately protect Sensitive Data from unauthorized interception, modification, or access during electronic transmission.
Transportation of Media Policy: Data and information system resource owners must govern the receipt, transfer and removal of electronic media which contain Sensitive Data.
PHI Server Consolidation: Servers containing ePHI must be consolidated into the campus enterprise data center. The data center will provide physical and environmental protections for the security and privacy of these confidential and mission-critical information assets.
Password Management Policy: The University must implement a formal documented process for the appropriate creation, modification, and safeguarding of information system passwords.
Payment Card Industry Data Security Standard (Draft): All OUHSC business units which accept credit card payments must complete page one of the Annual PCI Self-Assessment Questionnaire and submit to Information Security Services.
Access to Sensitive Data: Access to Sensitive Data requires prior authorization. Processes must be in place for the authorization, establishment, review, modification and removal of access to Sensitive Data.
Business Associate Contracts: The University may permit a business associate to create, receive, maintain, or transmit sensitive data on the behalf of the University only if it obtains satisfactory assurances the business associate will appropriately safeguard the information.
Workstation Use and Security Policy: Procedures must be in place to ensure all University workstations are classified based on allowable capabilities and activities and secured accordingly in order to protect the confidentiality, integrity, and availability of Sensitive Data contained on or accessed through the workstations.
At a minimum, the following controls must be in place for University workstations containing or providing access to Sensitive Data:
Copyright © 2006 The Board of Regents of the University of Oklahoma, All Rights Reserved.