TTUHSC IT Policies
1. SECURITY
1.1. I.T. RESOURCE MANAGEMENT AND RESPONSIBILITIES (TAC 202.71, 202.72)
The President has designated the Institutional Information Security Officer (ISO) to review and designate ownership of information resources. The ISO will work with the owners of information resources to develop strategies to meet their required responsibilities and ensure compliance with the associated responsibilities. These responsibilities are to be defined, documented, and provided by the Information Security Officer.
Owner Responsibilities – the owner or their designated representative(s) are responsible for and authorized to:
-
Classify business functional information into the following categories:
-
Confidential information, as defined by OP 52.09, includes:
- Social Security numbers,
- Credit card information,
- Other personal financial information,
- Student records, and
- Patient health information.
-
Confidential information, as defined by OP 52.09, includes:
Additional information can be found in the Attorney General of Texas’ Public Information 2006 Handbook.
-
Restricted Personal information - includes social security numbers or other data protected under state or federal law (e.g., financial, medical, or student data).
- Mission Critical Information - includes information that is essential to HSC operations.
- Non-critical Information - includes information that is generally available to the public or has a minimum impact on HSC customers.
Additional information can be found in the Attorney General of Texas’ Public Information 2006 Handbook.
-
Restricted Personal information - includes social security numbers or other data protected under state or federal law (e.g., financial, medical, or student data).
- Mission Critical Information - includes information that is essential to HSC operations.
- Non-critical Information - includes information that is generally available to the public or has a minimum impact on HSC customers.
- Approve access and formally assign custody of an information resource asset; and provide appropriate authority to implement security controls and procedures
- Specify data control requirements, based on risk assessment, to the custodian and user of the information resource;
- Verify the controls are in place and compliance is met; and
- Review access permissions based on security risk assessment.
Custodian Responsibilities - the custodian of information resources is responsible for:
- Implementing the controls specified by the owner(s),
- Providing physical and procedural safeguards for the resource,
- Assisting owner in evaluating the cost-effectiveness of controls and monitoring, and
- Implementing the monitoring techniques and procedures for detecting, reporting, and investigating incidents.
User Responsibilities - the user of the information resources is responsible for:
- Using the resources only for the designed purpose, and
- Complying with the controls specified by the owner(s).
- Information system owners, in collaboration with the Information Security Officer or designee, shall assess a risk level based on the inherent risk with a ranking of “High”, “Medium”, or “Low”. The criteria for each level are:
|
High Risk |
Medium Risk |
Low Risk |
|
Involve large dollar amounts, or significantly important information that would impact the operations of the HSC, or |
Involve a moderate or low dollar value, or |
Generally available public information, or |
|
Contain confidential or sensitive data, or |
Information that could potentially create problems for the parties involved, or |
Result in a relatively small impact for the HSC |
|
Impact a large number of people or networks |
Impact a moderate portion of the Institution’s customer base |
|
- See Section 1.4.1 for further responsibilities.
Managing Security Risks
A security risk analysis of information resources shall be performed and documented.
Risk assessments will be conducted as follows:
- Annually on information resources classified as high risk
- Biennially on information resources classified as medium or low risk
Security risk assessment results, vulnerability reports and other security analysis information shall be presented to the President of the HSC or their designated representative(s). The President of the HSC or designated representative(s) shall make the final security risk management decisions to either accept the risks or to modify the security and controls for the information resources based on its value and sensitivity. The President of the HSC or their designated representative(s) must approve the final security risk management plan.
1.2 MANAGING PHYSICAL SECURITY (TAC 202.73)
Access to I.T. Data Centers will be documented and controlled. Only authorized personnel will have access to any Institutional Data Center. An annual review of the physical security measures of the Data Centers will be conducted by the Information Security Officer. Data Center personnel will be trained to monitor environmental controls and trained in appropriate responses to emergencies or equipment problems. Appropriate safety procedures, as defined by the Safety Services Department and outlined in the I.T. Division’s Disaster Recovery Plan, Section 30.20 - Evacuation Procedures, will be followed and annual tests conducted.
1.3 DISASTER RECOVERY (TAC 202.74(5))
This policy sets forth the guidelines and procedures for recovering the Data Center and all related information systems providing service to the Institution. In accordance with the Texas Administrative Code Rule §202.74, Business Continuity Planning, the I.T. Division shall develop and maintain a Disaster Recovery Plan (DRP) that delineates all the roles and responsibilities for the individual Disaster Recovery Teams, along with the steps that must be taken for successful recovery operations.
At a minimum, the DRP shall be tested annually or when a major revision occurs and I.T. staff assigned to disaster recovery duties shall be trained, at least, on an annual basis.
In the event of a disaster,
- The Chief Information Office (CIO) is the only authority for declaring a disaster for the Data Center and all related I.T. services based on the findings of the Initial Assessment Team.
- The Initial Assessment Team is responsible for the timely identification and determination of the disaster as well as the duration of the service outage.
Upon the declaration of a disaster,
- The I.T. Division and all associated Disaster Recovery Teams will invoke and comply with the procedures documented in the DRP.
- All efforts will be made to accommodate user needs while recovery services are being implemented but prioritization of recovery will be based on the criticality of the service and/or application experiencing the outage.
- The Office of Communications and Marketing is the only authority for all media communications based on information from the Chief Information Officer.
- The Chief Information Officer or designee from the Management Team is responsible for conveying all necessary information to the Office of Communications and Marketing for any updates and/or announcements to the media.
Mission Critical data shall be backed up on a scheduled basis and stored off site in a secure, environmentally safe, locked facility accessible only to authorized institution of higher education representatives.
TTUHSC Information Resources backup and recovery process for each system must be documented and periodically reviewed.
A process must be implemented to verify the success of the electronic information backup.
Backups must be periodically tested to ensure that they are recoverable.
1.4 SECURITY SAFEGUARDS (TAC 202.75.7)
1.4.2. Account Management And User Responsibilities
1.4.3. Administrator/Special Access
1.4.8. Internet And Intranet Connectivity
1.4.12. Password/Authentication
1.4.16. Monitoring Of I.T. Assets
1.4.17. Security Awareness And Training
1.4.20. Application System Development, Acquisition, And Lifecycle