|
|||
 |
|||
|
Dept Home Page > Security Awareness
Security Awareness
The Key to Information Protection
Information Resources Security Policy
UTHSCH's information resources belong to the people of the State of Texas. These strategic and vital resources require protection commensurate with their value. Measures are taken to protect these resources against accidental or unauthorized disclosure, modification or destruction as well as to assure the security, reliability, integrity and availability of information.
It is the policy of UTHSCH to protect all data and information resources in accordance with the Texas Department of Information Resources (DIR) Information Security and Risk Management Policy, Standards, and Guidelines published in the Texas administrative Code, 1 TAC2Ol.13(b).
Security is Everybody's Business!
The policy applies to all employees, students and contracted personnel. All individuals are accountable for their actions relating to the protection and use of information resources. Those who understand and adhere to policies are the most effective line of defense in ensuring the security of information resources.
Roles and Responsibilities
For the purpose of information resources security and risk management, certain roles and responsibilities are defined.
"Users" utilize the information that is processed by an automated information system and they must:
|
"Custodians" provide technical expertise, data processing and other services to owners and users. They provide physical and procedural safeguards for information resources within their facilities; make provisions for the timely detection, reporting and analysis of unauthorized attempts to gain access to information resources; assist owners in evaluating the cost-effectiveness of controls; and implement the controls specified by the owner. AN managers and security administrators are custodians.
"Information Resources Managers" oversee the university information security and risk management program which ensures the protection of the university's automated information resources and provides for disaster recovery. The director of the Office of Academic Computing is the IRM for academic information resources. The assistant vice president for Information Services is the IRM for the administrative computing facilities.
"Owners" carry out programs that use information resources. They identify confidential or sensitive information; ensure security of information resources under their control; approve access and formally assign custody; specify data security control requirements and convey them to users and custodians; determine the value of information resources; and ensure compliance with applicable controls and university policies. The registrar, who owns student information, and the director of payroll and benefits, who owns employee information are examples of owners.
"Department Heads" own information resources under their control. They identify positions under their supervision that require special trust. They also train and manage staff in ways that assure the security of information resources.
Each department should have a security coordinator who is responsible for requesting access to automated information and deleting access for transferred or terminated employees. Individual security access should be audited when changes in job responsibilities occur in the department.
Auditors review information security policies and procedures for compliance with state security policies. They evaluate the effectiveness of security controls for new and existing information systems.
Security Violations
Individuals using information resources owned or managed by the university are expected to know and comply with published university policies and procedures.
Failure on the part of any individual to comply may result in disciplinary action including suspension without pay or termination of employment or contract.
A person may be subject to civil or criminal sanctions when a violation occurs.
It is the responsibility of all personnel to report any suspected or confirmed security violations to appropriate management.
Additional Policy Statements
There are many issues associated with information resources, not all of which are addressed by the Information Resources Security Policy. These issues are addressed by the following policy statements as outlined in the Handbook of Operating Procedures (HOOP).
- Access to university information resources must be secured. The integrity of data, its source, its destination, and processes applied to it must be assured. Changes to data and its usage must be made only in authorized and acceptable ways.
- University owned or managed information resources must be used only for official state purposes. Obtain more information about ethical use of state resources from the Office of Legal Affairs and Risk Management.
- Passwords to information resources including, but not limited to, network systems and mainframe applications are confidential and property of the state. It is illegal to share assigned user ids or passwords with anyone without the consent of the owner.
- Information that is confidential or sensitive must be protected from unauthorized access or modification. This policy remains in force even upon termination of employment or contract. Talk to your supervisor if you are uncertain about the confidentiality or sensitivity of information you use.
- Risks to information resources must be managed at all levels. Data essential to critical state functions must be protected from loss, contamination, or destruction. Be sure to review the Security Tips in this brochure for ways you can protect your important data!
- Proprietary software may not be copied in violation of a licensing agreement. Refer to HOOP Section 1.15 for more information about software copyright law.
- All individuals are responsible for managing information resources and are accountable for their actions relating to information resources security. Employees who request authorization to use mainframe computer applications sign a security contract acknowledging comprehension and acceptance of personal accountability.
Information Security Begins with You!
Under the provisions of the Information Resources Management Act, University information resources are strategic assets of the State of Texas that must be managed as valuable state resources. Understand the importance of the information you use and protect it accordingly.
Security Tips
Use the following security tips to make information resource protection part of your daily routine.
Wear your UT identification badge.
Acknowledge visitors in your area and keep unauthorized people away from your computer especially when confidential or sensitive information is in view.
Keep office keys in a safe place.
Do not share confidential or sensitive information with unauthorized people or with a person whose identity you cannot verify.
Use a shredder or proper recycling receptacles when discarding confidential or sensitive hard copies.
Never write down your password or share it with anyone.
Use passwords that contain both letters and numbers. Do not use passwords that others could easily identify such as your name or the names of family members or pets. Be creative!
Never leave your computer unattended with an active password. Use a password protected screen saver or sign off!
Change your password at least every 90 days. Change it immediately if you think someone else knows it.
Scan files or software from home, public bulletin boards, friends or co-workers for viruses before use.
Store vital information on a network drive. Ask your LAN manager how often the network is backed up.
Back up files or software stored on your hard drive. Keep duplicates in a safe place.
Information Resources
Information resources include all computer and telecommunications hardware, software, and networks owned, leased or operated by the University and the information stored therein.
Information Classification
Information requiring special protective precautions must be classified as confidential and/or sensitive:
Confidential information is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state or federal law, regulations, or court order. The controlling factor for confidential information is prevention of dissemination.
Sensitive information requires special precautions to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is assuring and maintaining integrity.
Special Trust
A position of special trust is one in which the individual can view confidential information, alter sensitive information or is depended upon for the continuity of information resources that are determined to be essential. A person is also considered to be in a position of special trust if (s)he can act independently of controls and supervision to impact the confidentiality, integrity or availability of vital information.
Security Awareness Education
Individuals in positions of special trust must be educated on security awareness as mandated by the Texas Department of Information Resources (DIR). Security awareness ensures that individuals understand security policies and use practical methods for protecting important information. Client Support Services can provide information regarding security awareness. Contact the Help Desk at 713-500-4848 for more information.
Department
of Neurobiology and Anatomy | The
University of Texas Health Science Center at Houston
|
