• Campuses
  • Abilene
  • Amarillo
  • Dallas
  • El Paso
  • Lubbock
  • Permian Basin
• Info For
  • Careers at HSC
  • Prospective Students
  • Current Students
  • Residents
  • Faculty & Staff
  • Alumni & Friends
  • Patients & Healthcare
  • Visitors & Community
  • Giving to TTUHSC
• Schools
  • Allied Health Sciences
  • Biomedical Sciences
  • Medicine
    • HSC School of Medicine
    • Foster School of Medicine
  • Nursing
  • Hunt School of Nursing
  • Pharmacy
• Contact Info
  • HSC Directory
  • HSC Contacts
  • IT Contacts
• Site Maps
  • HSC Site Map
  • IT Site Map

Quick Search

Search

IT Resources

• Information Technology
• Quick Links
  • Available Services
  • IT Solution Center
  • TechLink
  • IT Policies
  • SolveIT
  • Work Orders (STARS)
  • LCMS

IT Policies

• Policies
• TTUS Board Of Regents Policies And Procedures
• Security
  • I.T. Resource Management And Responsibilities
  • Managing Physical Security
  • Disaster Recovery
  • Security Safeguards
    • Acceptable Use
    • Account Management And User Responsibilities
    • Administrator/Special Access
    • Backup/Recovery
    • Change Management
    • Email
    • Incident Management
    • Internet And Intranet Connectivity
    • Intrusion Detection
    • Network Access
    • Network Configuration
    • Password/Authentication
    • Asset Management
    • Portable Computing
    • Privacy
    • Monitoring Of I.T. Assets
    • Security Awareness And Training
    • Server Hardening
    • Authorized Software
    • Application System Development, Acquisition, And Lifecycle
    • Vendor Access
    • Viruses And Other Malicious Code
    • Wireless Access
    • Vulnerability Assessment
• Institutional Videoconferencing Systems
• Institutional Computer Naming Convention Standards
• Hardware And Software Standards
• Technology Replacement Schedule
• I.T. Procurement Review
• Intellectual Property Rights
• Copyright
  • Copyright And Computer Software
  • Infringement Of Copyrights On Computing Software
• Web Standards
  • Student Web Publishing Standards
  • TTUHSC Web Publishing Standards
  • Web Site Visual Elements Standards
  • Change Management Procedures For Official TTUHSC Web Pages/Sites
  • Information Services Coding Standards, Security, And Audit Controls
  • E-Commerce Applications
  • Web Use And Copyright Standards
  • State Of Texas Web Publishing Standards
• Disciplinary Process
• Definitions
• Guidelines For Operating Systems Security
• Federal and State Statutes
• Notice of Disclaimer of Liability

HSC Resources

• HSC Home
• Welcome to the HSC
  • Welcome to the HSC
  • TTUHSC Strategic Plan
  • The Daily Dose
  • Fact Books
• Office of the President
• Campuses
  • Abilene
  • Amarillo
  • Dallas
  • El Paso
  • Lubbock
  • Permian Basin
• Schools
  • Allied Health Sciences
  • Biomedical Sciences
  • Medicine
    • HSC School of Medicine
    • Foster School of Medicine
  • Nursing
    • HSC School of Nursing
    • Hunt School of Nursing
  • Pharmacy
• Centers & Institutes
• Research
• Administration
  • President's Office
  • Administrative Officers
  • Communications
  • Departments
  • Office of International Affairs
  • Rural & Community Health
  • Finance & Administration
  • Information Technology
  • Policies, Manuals and State Reporting
  • Institutional Compliance
• Human Resources
  • Prospective Employees
  • New Employees
  • Current Employees
  • HR Offices
  • Job Opportunities
  • More »
• Libraries
• Accreditation
  • Office of Institutional Planning and Assessment
  • Quality Enhancement Plan
  • More »
• The Daily Dose
• Emergency Preparedness
• Compliance Hotline

Need Help?

Home Information Technology Policies

TTUHSC IT Policies

1.         SECURITY

1.1.       I.T. RESOURCE MANAGEMENT AND RESPONSIBILITIES (TAC 202.71, 202.72)

Information Security Program

Each state agency head or his or her designated representative(s) shall designate an Information Security Officer (ISO) to administer the state agency Information Security Program. The ISO shall report to executive level management. TTUHSC's Information Security Program will be reviewed annually for compliance with TAC 202 standards. Other responsibilities of the ISO include the following:

• • Document and maintain an up-to-date information security program. The information security program shall be approved by the institution of higher education head or his or her designated representative(s).
  • Develop recommended policies and establish procedures and practices, in cooperation with information owners and custodians, necessary to ensure the security of information resources assets against unauthorized or accidental modification, destruction or disclosure.
  • Monitor the effectiveness of defined controls for mission critical information.
  • Report, at least annually, to the institution of higher education head or his or her designated representative(s) the status and effectiveness of information resources security controls.
  • Issue exceptions to information security requirements or controls in this chapter. Any such exceptions shall be justified, documented, and communicated as part of the risk assessment process.
  • Work with the owners of information resources to develop strategies to meet their required responsibilities and to ensure compliance.

Defined Responsibilities

Information Owner Responsibilities – the owner or their designated representative(s) are responsible for and authorized to:

• Approve access and formally assign custody of an information resources asset
• Determine the asset's value
• Specify data control requirements and convey them to users and custodians
• Specify appropriate controls, based on a risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources and services outsourced by the institution of higher education.
• Confirm that controls are in place to ensure confidentiality, integrity, and availability of data and other assigned information resources.
• Assign custody of information resources assets and provide appropriate authority to implement security controls and procedures
• Review access lists based on documented security risk management decisions
• Approve, justify, document and be accountable for exceptions to security controls. The information owner shall coordinate exceptions to security controls with the ISO or other person(s) designated by the state institution of higher education head.
• Classify business functional information

Custodians of information resources shall:

• Implement the controls specified by the owner(s),
• Provide physical, technical, and procedural safeguards for the information resources,
• Assist information owners in evaluating the cost-effectiveness of controls and monitoring, and
• Implement monitoring techniques and procedures for detecting, reporting, and investigating incidents.

User Responsibilities - the user of the information resources is responsible for:

• Using the resources only for the designed purpose, and
• Complying with the controls specified by the owner(s).

• Information system owners, in collaboration with the Information Security Officer or designee, shall assess a risk level based on the inherent risk with a ranking of “High”, “Medium”, or “Low”.  The criteria for each level are:

High Risk	Medium Risk	Low Risk
Involve large dollar amounts, or significantly important information that would impact the operations of the HSC, or	Involve a moderate or low dollar value, or	Generally available public information, or
Contain confidential or sensitive data, or	Information that could potentially create problems for the parties involved, or	Result in a relatively small impact for the HSC
Impact a large number of people or networks	Impact a moderate portion of the Institution’s customer base

• See Policy 1.4.1 for further responsibilities.      
• A system change could cause the overall classification to move to another risk level

Managing Security Risks

A security risk analysis of information resources shall be performed and documented on the following schedule:

• Annually on information resources classified as high risk
• Biennially on information resources classified as medium or low risk

Security risk assessment results, vulnerability reports and other security analysis information shall be presented to the President of the HSC or their designated representative(s).  The President of the HSC or designated representative(s) shall make the final security risk management decisions to either accept the risks or to modify the security and controls for the information resources based on its value and sensitivity.  The President of the HSC or their designated representative(s) must approve the final security risk management plan.

1.2        MANAGING PHYSICAL SECURITY (TAC 202.73)

Access to I.T. Data Centers will be documented and controlled.  Only authorized personnel will have access to any Institutional Data Center.  An annual review of the physical security measures of the Data Centers will be conducted by the Information Security Officer.  Data Center personnel will be trained to monitor environmental controls and trained in appropriate responses to emergencies or equipment problems.  Appropriate safety procedures, as defined by the Safety Services Department and outlined in the I.T. Division’s Disaster Recovery Plan will be followed and annual tests conducted. Additionally, TTUHSC will refer to the State Office of Risk Management for applicable rules and guidelines.

1.3 DISASTER RECOVERY (TAC 202.74)

This policy sets forth the guidelines and procedures for recovering the Data Center and all related information systems providing service to the Institution. In accordance with the Texas Administrative Code Rule §202.72, Business Continuity Planning, the I.T. Division shall develop and maintain a Disaster Recovery Plan (DRP) that delineates all the roles and responsibilities for the individual Disaster Recovery Teams, along with the steps that must be taken for successful recovery operations.

At a minimum, the DRP shall be tested annually or when a major revision occurs and I.T. staff assigned to disaster recovery duties shall be trained, at least, on an annual basis.

In the even of a disaster,

• The Chief Information Officer (CIO) is the only authority for declaring a disaster for the Data Center and all related I.T. services based on the findings of the Tactical Operations Team.
• The Tactical Operations Team is responsible for the timely identification and determination of the disaster as well as the duration of the service outage.

Upon the declaration of a disaster,

• The I.T. Division and all associated Disaster Recovery Teams will invoke and comply with the procedures documented in the DRP.
• All efforts will be made to accommodate user needs while recovery services are being implemented but prioritization of recovery will be based on the criticality of the service and/or application experiencing the outage.
• The Office of Communications and Marketing is the only authority for all media communications based on information from the Chief Information Officer.
• The Chief Information Officer or designee from the Management Team is responsible for conveying all necessary information to the Office of Communications and Marketing for any updates and/or announcements to the media.

Mission Critical data shall be backed up on a scheduled basis and stored off site in a secure, environmentally safe, locked facility accessible only to authorized personnel.

TTUHSC Information Resources backup and recovery process for each system must be documented and periodically reviewed. A process must be implemented to verify the success of the electronic information backup.

Backups must be periodically tested to ensure that they are recoverable.

1.4        SECURITY SAFEGUARDS (TAC 202.75)

Download Free Adobe Reader

Adobe Acrobat Reader is required to view items marked with this icon:
Please click on the left image to download the free version.

Texas Tech University Health Sciences Center, 3601 4th Street, Lubbock, TX 79430
T: 806.743.1000
it.webmaster@ttuhsc.edu

Online Institutional Resumes

Campus Webmasters | Recommended Web Site Viewing Requirements | General Policy Information

State of Texas Web Site | Texas Homeland Security | Texas Veterans Portal | SAO Fraud Reporting
DMCA Compliance | Compliance Hotline TTUHSC Energy Conservation Report

TTUHSC Home | Texas Tech University System | Texas Tech University | Angelo State University

©2013 Texas Tech University Health Sciences Center | All Rights Reserved