Line 28: | Line 28: | ||
Effective Date: '''04/25/07'''<br /> | Effective Date: '''04/25/07'''<br /> | ||
Revised Date: '''08/20/13'''<br /> | Revised Date: '''08/20/13'''<br /> | ||
Reviewed Date: ''' | Reviewed Date: '''01/23/13'''<br /><br /> | ||
<big>'''Computer Use and Electronic Information Security Policy'''</big> | <big>'''Computer Use and Electronic Information Security Policy'''</big> | ||
== Introduction == | == Introduction == | ||
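Review bot: On the Reviewed Date line, the new value 01/23/13 is earlier than the Revised Date of 08/20/13 directly above it, so the header says the policy was last reviewed before it was last revised. Please confirm the review date, or set it to the date of the review that covered the 08/20/13 revision.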
Line 78: | Line 78: | ||
###Reason for account/relationship to UNMC | ###Reason for account/relationship to UNMC | ||
##The Assistant Vice Chancellor or designee will approve requests for these types of accounts. | ##The Assistant Vice Chancellor or designee will approve requests for these types of accounts. | ||
NOTE: | NOTE: If an individual is a volunteer, please refer to UNMC Policy No. 6053, [[Volunteer]].<br /> | ||
<br /> | <br /> | ||
Individual Personal accounts will always be utilized to access confidential information.<br /> | Individual Personal accounts will always be utilized to access confidential information.<br /> | ||
Line 88: | Line 88: | ||
Access to electronic mail, voice mail, administrative, student and patient care information systems will be obtained through the appropriate authorization process. (See [http://www.unmc.edu/its/docs/security_AccessControlforITResources.pdf ITS Security Procedure: Access Control to IT Resources]). Unauthorized access to information systems is prohibited. Users must not attempt to gain access to information or systems for which they are not granted access. <br /> | Access to electronic mail, voice mail, administrative, student and patient care information systems will be obtained through the appropriate authorization process. (See [http://www.unmc.edu/its/docs/security_AccessControlforITResources.pdf ITS Security Procedure: Access Control to IT Resources]). Unauthorized access to information systems is prohibited. Users must not attempt to gain access to information or systems for which they are not granted access. <br /> | ||
<br /> | <br /> | ||
Remote access to systems which contain confidential information will be accomplished through a strong authentication method with the appropriate approval processes. (See ITS Security Procedure: Workforce Member Remote Access). | Remote access to systems which contain confidential information will be accomplished through a strong authentication method with the appropriate approval processes. (See ITS Security Procedure: Workforce Member Remote Access). Individuals requiring remote access to UNMC’s e mail system will purchase an internet service provider and utilize the web based e mail product.<br /> | ||
<br /> | <br /> | ||
Information Technology Support Personnel will inactivate or delete IDs/password, as appropriate, of individuals who no longer have a relationship with UNMC. | Information Technology Support Personnel will inactivate or delete IDs/password, as appropriate, of individuals who no longer have a relationship with UNMC. | ||
===Appropriate Use=== | ===Appropriate Use=== | ||
It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. | It is the responsibility of the workforce to utilize the information technology resources in an appropriate manner. Individuals with access to information systems are expected to safeguard resources and maintain appropriate levels of confidentiality in order to protect the integrity of all data and of the interests of the entity.<br /> | ||
<br /> | <br /> | ||
It is the responsibility of the workforce to protect confidential information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device or a diskette (See [http://www.unmc.edu/its/images/security_enduserdevice.pdf ITS Security Procedure: End User Device]).<br /> | It is the responsibility of the workforce to protect confidential information at all times including but not limited to when stored electronically (at rest) and when the data is being transferred outside of the facility such as on a mobile device or a diskette (See [http://www.unmc.edu/its/images/security_enduserdevice.pdf ITS Security Procedure: End User Device]).<br /> | ||
<br /> | <br /> | ||
UNMC’s information technology resources are to be used predominately for completing UNMC work related business. | UNMC’s information technology resources are to be used predominately for completing UNMC work related business. Misuse of University information systems is prohibited. Misuse includes the following (see Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources]) | ||
#Attempting to modify or remove computer equipment, software, or peripherals without proper authorization. | #Attempting to modify or remove computer equipment, software, or peripherals without proper authorization. | ||
#Accessing without proper authorization computers, software, information or networks which the University belongs, regardless of whether the resource accessed is owned by the University or the abuse takes place from a non-University site. | #Accessing without proper authorization computers, software, information or networks which the University belongs, regardless of whether the resource accessed is owned by the University or the abuse takes place from a non-University site. | ||
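Review bot: In the remote access paragraph, the added sentence says individuals "will purchase an internet service provider"; presumably the intent is that they purchase service from a provider, so suggest "will obtain service from an internet service provider and use the web based e-mail product". The same sentence writes "e mail" where the list items later in the policy write "e-mail", and the reference to ITS Security Procedure: Workforce Member Remote Access carries no link, unlike the Access Control procedure cited two paragraphs earlier.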
Line 106: | Line 106: | ||
#Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner. | #Violating any software license or copyright, including copying or redistributing copyrighted software, without the written authorization of the software owner. | ||
#Using electronic communications to violate the property rights of authors and copyright owners. (Be especially aware of potential copyright infringement through the use of e-mail.) | #Using electronic communications to violate the property rights of authors and copyright owners. (Be especially aware of potential copyright infringement through the use of e-mail.) | ||
#Using electronic communications to harass or threaten users in such a way as to create an atmosphere which unreasonably interferes with the education or the employment experience. | #Using electronic communications to harass or threaten users in such a way as to create an atmosphere which unreasonably interferes with the education or the employment experience. Similarly, electronic communications shall not be used to harass or threaten other information recipients, in addition to University users. | ||
#Using electronic communications to disclose proprietary information without the explicit permission of the owner. | #Using electronic communications to disclose proprietary information without the explicit permission of the owner. | ||
#Reading other user’s information or files without permission. | #Reading other user’s information or files without permission. | ||
Line 128: | Line 128: | ||
#Social engineering incidents | #Social engineering incidents | ||
#Virus attacks which adversely affect servers or multiple workstations | #Virus attacks which adversely affect servers or multiple workstations | ||
#E-mail which includes obscene material, threats or material that could be considered | #E-mail which includes obscene material, threats or material that could be considered harassment | ||
#Discovery of unauthorized or missing hardware in your area | #Discovery of unauthorized or missing hardware in your area | ||
#Other incidents that could undermine confidence and trust in the UNMC’s information technology systems | #Other incidents that could undermine confidence and trust in the UNMC’s information technology systems | ||
ITS or other personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources. | ITS or other personnel must take immediate action to mitigate any threats that have the potential to pose a serious risk to campus information system resources. If the threat is deemed serious enough, the system(s) or individual posing the threat will be blocked from network access. Communication with department leadership regarding such action will take place as soon as possible. The block will be removed as soon as the threat has been repaired. (See UNMC ITS Security Procedure: Information Security Incident Reporting and Response) | ||
===Copyright=== | ===Copyright=== | ||
UNMC maintains strict compliance with the Digital Millennium Copyright Act of 1998 and applicable amendments. It should be noted that traditionally a user purchases a software “license,” which is a right to use. | UNMC maintains strict compliance with the Digital Millennium Copyright Act of 1998 and applicable amendments. It should be noted that traditionally a user purchases a software “license,” which is a right to use. Many times the licenses can only be loaded on one machine. Violating any software license or copyright is in violation of university policy. | ||
#Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources] | #Executive Memorandum No. 16, [http://nebraska.edu/docs/president/16%20Responsible%20Use%20of%20Computers%20and%20Info%20Systems.pdf Policy for Responsible Use of Information Resources] | ||
#[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998] | #[http://www.copyright.gov/legislation/dmca.pdf The Digital Millennium Copyright Act of 1998] | ||
Line 146: | Line 146: | ||
All policies stated herein are also applicable to all communication systems including e mail, instant messaging and voice mail. Persons using UNMC’s e mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.<br /> | All policies stated herein are also applicable to all communication systems including e mail, instant messaging and voice mail. Persons using UNMC’s e mail or voice mail resources are expected to demonstrate good taste and sensitivity to others in their communications.<br /> | ||
<br /> | <br /> | ||
E-mail attachments and files transfer utilizing instant messaging capabilities represent a significant risk to the organization. | E-mail attachments and files transfer utilizing instant messaging capabilities represent a significant risk to the organization. Many computer viruses are distributed through e-mail attachments or files received via instant messaging. Users should be careful about opening e-mail attachments or accepting file transfers via instant messaging. | ||
===Controlling the Distribution of Non-Solicited Marketing E-mail=== | ===Controlling the Distribution of Non-Solicited Marketing E-mail=== | ||
Electronic mail sent externally by UNMC personnel for the primary purpose of promoting UNMC’s “commercial” products or services must comply with the [http://www.unmc.edu/its/docs/security_SpamCompliance.pdf ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email]. | Electronic mail sent externally by UNMC personnel for the primary purpose of promoting UNMC’s “commercial” products or services must comply with the [http://www.unmc.edu/its/docs/security_SpamCompliance.pdf ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email]. Examples of such products or services include publications and membership solicitations. <br /> | ||
<br /> | <br /> | ||
The Act is applicable only to e-mail that constitutes a commercial advertisement or promotion of a commercial product or service. | The Act is applicable only to e-mail that constitutes a commercial advertisement or promotion of a commercial product or service. The Act is not applicable to commercial e-mail in general, to e-mail advertising or promoting “activity” or to e-mail simply because the e-mail references or solicits funds. Further, it is not applicable to e-mail messages sent to provide information about UNMC’s undergraduate, graduate, or professional degree-granting programs. Some programs not a part of the regular campus curriculum might be considered commercial “services” depending upon the facts. Advice from the Compliance Officer should be sought about such programs. | ||
====Exemptions==== | ====Exemptions==== | ||
The Act exempts “transactional or relationships messages” from the procedural requirements when the primary purpose of the message is to achieve on of the following: | The Act exempts “transactional or relationships messages” from the procedural requirements when the primary purpose of the message is to achieve on of the following: | ||
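Review bot: In the paragraph beginning "The Act is applicable only", the added sentences keep referring to "the Act", but the section never names the statute; the only reference before it is the ITS Security Procedure link. Suggest naming the statute in full on first use in this section. While this hunk is open, "achieve on of the following" in the Exemptions sentence should read "one of", and "files transfer" in the attachment paragraph should read "file transfers".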
Line 160: | Line 160: | ||
For more information, see [http://www.unmc.edu/its/docs/security_SpamCompliance.pdf ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email]. | For more information, see [http://www.unmc.edu/its/docs/security_SpamCompliance.pdf ITS Security Procedure: Controlling the Distribution of Non-Solicited Marketing Email]. | ||
===Campus-wide e-mail announcements=== | ===Campus-wide e-mail announcements=== | ||
Sending out mass distribution e-mails containing event and/or general announcement type information is discouraged. | Sending out mass distribution e-mails containing event and/or general announcement type information is discouraged. If you have an event to publicize or an announcement to deliver to a large group of people, the best way to do this is through UNMC Today, the campus electronic newsletter. Contact Public Relations for additional information.<br /> | ||
<br /> | <br /> | ||
However, if e-mailing to a large group is warranted, the content and size of the message must be approved by Public Relations. Delivery of the message must then be scheduled by the ITS department to minimize the demand on campus computer systems. Contact Public Relations (x9-4696) to obtain approval. | However, if e-mailing to a large group is warranted, the content and size of the message must be approved by Public Relations. Delivery of the message must then be scheduled by the ITS department to minimize the demand on campus computer systems. Contact Public Relations (x9-4696) to obtain approval. | ||
===Audits of Electronic Protected Health Information (PHI)=== | ===Audits of Electronic Protected Health Information (PHI)=== | ||
Patient information including demographic and medical data contained in, or obtained from any UNMC information system is confidential data. | Patient information including demographic and medical data contained in, or obtained from any UNMC information system is confidential data. Individual access to this data may be audited in order to ensure compliance with federal and state law and [[Policies and Procedures|UNMC Policies and Procedures]]. | ||
====Information Systems==== | ====Information Systems==== | ||
Each information custodian is responsible to: | Each information custodian is responsible to: | ||
Line 179: | Line 179: | ||
Computer crime in any form will not be tolerated. This policy applies to all UNMC employees and will be enforced without regard to past performance, position held or length of service. All persons found to have committed computer crime relevant to UNMC assets shall be subject to disciplinary action up to and including termination and investigation by external law enforcement agencies when warranted. | Computer crime in any form will not be tolerated. This policy applies to all UNMC employees and will be enforced without regard to past performance, position held or length of service. All persons found to have committed computer crime relevant to UNMC assets shall be subject to disciplinary action up to and including termination and investigation by external law enforcement agencies when warranted. | ||
===Security Administration=== | ===Security Administration=== | ||
UNMC ITS is responsible for implementing and monitoring a consistent data security program. | UNMC ITS is responsible for implementing and monitoring a consistent data security program. System administrators are responsible for operation and maintenance of information processing services. The system administrator and information custodians are responsible for implementing the security policy and standards within their applications. | ||
===Training=== | ===Training=== | ||
All members of the workforce will be trained in information security awareness. | All members of the workforce will be trained in information security awareness. Periodic reminders regarding information security awareness and current threats will be communicated to the workforce. | ||
===Web Pages=== | ===Web Pages=== | ||
UNMC web pages should consistently meet the highest standards of writing, content accuracy, image and presentation, keeping in mind that these documents create an image of UNMC to the world. UNMC shall reserve the right to monitor web pages and to remove any material that is unlawful or in violation of UNMC policies. Originators will be notified in the event that their page is removed.<br /> | UNMC web pages should consistently meet the highest standards of writing, content accuracy, image and presentation, keeping in mind that these documents create an image of UNMC to the world. UNMC shall reserve the right to monitor web pages and to remove any material that is unlawful or in violation of UNMC policies. Originators will be notified in the event that their page is removed.<br /> | ||
Line 193: | Line 193: | ||
#Link to University of Nebraska Appropriate Use/Copyright Violations | #Link to University of Nebraska Appropriate Use/Copyright Violations | ||
===Faxing=== | ===Faxing=== | ||
Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. | Members of the workforce will have a need to transmit confidential information by facsimile rather than by a slower method, such as mail. It is easy to misdirect faxes to unauthorized recipients, faxes could be intercepted or lost in transmission. Thus, the potential for breach of confidentiality exists every time someone utilizes faxing. Therefore, all faxing must be done in accordance with the faxing policy (See UNMC Policy No. 6065, [[Fax Transmissions|Facsimile Transmissions]]). | ||
===Demonstration of Electronic Systems=== | ===Demonstration of Electronic Systems=== | ||
Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should not be used. | Demonstrations of electronic systems for non-workforce members should utilize only test data. Test data in production systems is acceptable. Production data (real patient data) should not be used. | ||
Line 202: | Line 202: | ||
#Harassment and stalking in cyberspace. | #Harassment and stalking in cyberspace. | ||
#Using computers to commit crimes that could be committed without a computer such as counterfeiting, stealing, committing larceny or fraud. | #Using computers to commit crimes that could be committed without a computer such as counterfeiting, stealing, committing larceny or fraud. | ||
(Source: | (Source: Computer Crime by Ronald B. Stander, Copyright 1999, 2002, [http://www.rbs2.com www.rbs2.com])<br /> | ||
<br /> | <br /> | ||
'''Confidential information''' includes proprietary information and protected health information (PHI).<br /> | '''Confidential information''' includes proprietary information and protected health information (PHI).<br /> | ||
Line 208: | Line 208: | ||
'''Denial of service''' is an event in which a user or organization is deprived of resource services that they would normally expect to have.<br /> | '''Denial of service''' is an event in which a user or organization is deprived of resource services that they would normally expect to have.<br /> | ||
<br /> | <br /> | ||
'''Information''' is data presented in readily comprehensible form. | '''Information''' is data presented in readily comprehensible form. (Whether a specific message is informative or not depends in part on the subjective perceptions of the person who receives it.) Information may be stored or transmitted via electronic media on paper or other tangible media, or be known by individuals or groups. Information generated in the course of University operations is a valuable asset of the University and property of the University.<br /> | ||
<br /> | <br /> | ||
'''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes the categories of information that users are allowed to read and update. | '''Information custodians''' are people responsible for specifying the security properties associated with the information systems their organization possesses. This includes the categories of information that users are allowed to read and update. The information custodian is also responsible for classifying data and participating in ensuring the technical and procedural mechanisms implemented are sufficient to secure the data based upon a risk analysis that considers the probability of compromise and its potential business impact.<br /> | ||
<br /> | <br /> | ||
'''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.<br /> | '''Information security''' is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss.<br /> | ||
Line 218: | Line 218: | ||
'''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.<br /> | '''Information technology resources (system)''' include but are not limited to voice, video, data and network facilities and services.<br /> | ||
<br /> | <br /> | ||
'''Information Technology Support Personnel''' are the individuals who as a function of their job | '''Information Technology Support Personnel''' are the individuals who as a function of their job provide IT support. This includes ITS support staff, departmental system administrators and IT support staff within the units.<br /> | ||
<br /> | <br /> | ||
'''Personal accounts''' allow an individual user to logon to specific applications or systems using personal or unique ID and password.<br /> | '''Personal accounts''' allow an individual user to logon to specific applications or systems using personal or unique ID and password.<br /> | ||
Line 224: | Line 224: | ||
'''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.<br /> | '''Privacy''' is defined as the right of individuals to keep information about themselves from being disclosed.<br /> | ||
<br /> | <br /> | ||
'''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and student records. | '''Proprietary information''' refers to information regarding business practices, including but not limited to, financial statements, contracts, business plans, research data, employee records, and student records. (See UNMC Policy No. 6045, [[Privacy/Confidentiality|Privacy, Confidentiality and Information Security]] for more detailed information.)<br /> | ||
<br /> | <br /> | ||
'''Protected Health Information (PHI)'''is individually identifiable health information. | '''Protected Health Information (PHI)'''is individually identifiable health information. Health information means any information, whether oral or recorded in any medium, that: | ||
#is created or received by UNMC; and | #is created or received by UNMC; and | ||
#Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. | #Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. | ||
Line 233: | Line 233: | ||
'''Shared accounts''' (i.e., generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.<br /> | '''Shared accounts''' (i.e., generic or general accounts) allow multiple users to logon to the information technology resources using the same ID and password.<br /> | ||
<br /> | <br /> | ||
'''Shared file''' is a collection of electronic PHI maintain on personal or departmental computers. | '''Shared file''' is a collection of electronic PHI maintain on personal or departmental computers. This would include spreadsheets, databases, correspondence, quality improvement and research data files.<br /> | ||
<br /> | <br /> | ||
'''Social engineering''' describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.<br /> | '''Social engineering''' describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.<br /> | ||
<br /> | <br /> | ||
'''Strong authentication method''' is a layer of security which requires a token or biometric authentication. | '''Strong authentication method''' is a layer of security which requires a token or biometric authentication. This represents two factor authentication involving something you know (i.e. user id) and something you have (i.e., Secured card).<br /> | ||
<br /> | <br /> | ||
'''System administrators''' are the people responsible for configuring, administering, and maintaining hardware and operating systems.<br /> | '''System administrators''' are the people responsible for configuring, administering, and maintaining hardware and operating systems.<br /> |
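Review bot: In the Strong authentication method definition, the added sentence gives a user ID as the "something you know" factor, but a user ID is an identifier rather than a secret, so as written the definition describes only one factor (the card). Suggest naming a password or PIN as the knowledge factor, and using "e.g." rather than "i.e." since these are examples. The added sentence also covers only something you know and something you have, while the first sentence allows biometric authentication; the two sentences should be brought into agreement. Separately, "maintain" in the Shared file definition should read "maintained".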