Accordingly, the requirements of this Standard apply to all or part of a social security number contained in any medium, including paper records, that are collected, maintained, used, or disclosed by any Institution except UTIMCO.
(c) Employees may not seek out or use social security numbers relating to others for their own interest or advantage.
(d) All Institutions shall eliminate the public display of social security numbers.
(e) All Institutions shall assign a unique identifier for each applicant, student, employee, insured dependent, research subject, patient, alumnus, donor, contractor, and other individuals, as applicable, at the earliest possible point of contact between the individual and the Institution, for use in lieu of a social security number.
Questions about whether a particular use is required by law should be directed to the local Information Security Officer, who will consult with the Office of General Counsel with respect to the interpretation of law.

(a) the Information System must use the social security number only as a Data element or alternate key to a database and not as a primary key to a database;
(b) the Information System must not display social security numbers visually (such as on monitors, printed forms, system outputs) unless required or permitted by law or permitted by this Standard;
(c) name and directory systems must be capable of being indexed or keyed on the unique identifier, once it is assigned, and not on the social security number; and
(d) for those databases that require social security numbers, the databases may automatically cross-reference between the social security number and other Information through the use of conversion tables within the Information System or other technical mechanisms.

Software is to be used in accordance with the applicable licensing agreement. Unauthorized or unlicensed use of software is prohibited and subjects the User to disciplinary action. Any unauthorized or unlicensed use is deemed to be without the consent of U. T. System.

10.3 Information Resources Custodians.
All Owners and Custodians of University owned, leased, or controlled Information Resources must provide the Institutional ISO with direct access to detailed security status Information including, but not restricted to, the following: firewall rules, IPS/IDS rules, security configurations, and patch status; and sufficient access rights to Servers and devices to independently and effectively execute Institutional ISO monitoring duties.

The Information Resources Manager shall approve the purchase or deployment of new Decentralized IT Information Systems or services (e.g., electronic mail/web/file servers, file/system backup, storage, etc.) that duplicate applications or services provided by Centralized IT. The Owner of the duplicative Information System and the IRM must document and justify exceptions based on business need, weighed against the Risk of unauthorized access or loss of Data.

The Institutional ISO shall develop institutional Policies, Standards, and/or Procedures that address the following:
(a) providing methods for appropriately restricting privileges of authorized Users to all production systems, applications, Data, and University-owned devices. User access to applications is granted on a need-to-access basis;
(b) maintaining separate production and development environments to ensure the security and reliability of the production system;
(c) performing a security assessment prior to the purchase of any new information security services that receive, maintain, and/or share Confidential Data;
(d) including vulnerability assessments and code scans in the Information Systems development cycle; and
(e) performing a vulnerability assessment, including a static or dynamic code scan, of all new web applications prior to moving them to production.
The Institutional ISO must review and approve security requirements, specifications, and, if applicable, third-party Risk assessments for any new computer hardware, software, applications, or services that are Mission Critical or that receive, maintain, and/or share Confidential Data. Contracts for purchase or development of automated systems must address security, backup, and privacy requirements, and should include right-to-audit and other provisions to provide appropriate assurances that applications and Data will be adequately protected.

U. T. System recognizes that Vendors and other contractors serve an important function in the development and/or support of services, hardware, and software and, in some cases, the operation of computer networks, Servers, and/or applications. This Standard applies to contracts entered into by U. T. System or an Institution that involve third-party access to or creation of Information Resources or University Data by a third party. Contracts of any kind, including purchase orders, memoranda of understanding (MOU), letters of agreement, or any other type of legally binding agreement, that involve current or future third-party access to or creation of Information Resources and/or Data must include terms determined by the Office of General Counsel as sufficient to ensure that Vendors and any subcontractors or other third parties that maintain, create, or access University Data as the result of the contract comply with all applicable Federal and State security and privacy laws, this UTS 165, and any applicable U. T. System and University Policies or Standards, and must contain terms that ensure that all University Data affected by the contract is maintained in accordance with those standards at all times, including post-termination of the contract.
22.2 The Data Owner, Institutional procurement officers and staff, and the ISO are jointly and separately responsible for ensuring that all contracts are reviewed to determine whether the contract involves third-party access to, outsourcing, maintenance, or creation of University Data, and that all such access, outsourcing, or maintenance fully complies with this Standard at all times.
22.3 Any contract involving third-party access to, creation, or maintenance of Protected Health Information (PHI), as defined in 45 C.F.R. § 164.501, must include a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement in a form approved by Institutional counsel or OGC.
22.4 Any contract involving third-party-provided credit card services must require that the Contractor provide assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services.
Prior to access, maintenance, or creation of University Data by a Vendor or any other third party, the Institution must ensure that an assessment is or has been performed that is designed to ensure that: (a) the Vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and Integrity of the Data at rest and during any transmission or transfer; and (b) any subcontractor or other third party that will access, maintain, or create Data pursuant to the contract will also ensure the confidentiality, security, and Integrity of such Data while it is at rest and during any transmission or transfer.
Timing of assessments shall be:

U. T. System Information Resources and Data, Strong Passwords must be used to control access to Information Resources. All Passwords must be constructed, implemented, and maintained according to the requirements of the U. T. System Identity Management Federation Member Operating Practices (MOP) and applicable Policies, Standards, and/or Procedures governing Password management. Institutional Policies, Standards, and/or Procedures must incorporate processes for:
(a) ensuring User identity when issuing or resetting a Password;
(b) establishing and enforcing Password strength;
(c) changing Passwords;
(d) managing security tokens when applicable;
(e) securing unattended Computing Devices from unauthorized access by implementing mechanisms to prevent password guessing (e.g., lockout after multiple login attempts) and to block access to idle sessions (e.g., a password-protected locking screen saver, session time-outs); and
(f) ensuring that Passwords are only accessed by or visible to the authenticating User, device, or system.
Users must not share Passwords or similar Information, or devices used for identification and authorization purposes.

All Information Resources must be physically protected based on Risk. All Institutions shall adopt safeguards to ensure appropriate granting, controlling, and monitoring of physical access. Physical access safeguards must incorporate Procedures for:
(a) protecting facilities in proportion to the criticality or importance of their function and the confidentiality of any Information Resources affected;
(b) managing access cards, badges, and/or keys;
(c) granting, changing, and/or removing physical access to facilities to reflect changes in an individual’s role or employment status; and
(d) controlling visitor and Vendor physical access with Procedures that incorporate the following:
16.3 Central IT Managed Data Centers and U. T. System Shared Data Centers. In addition to the controls required in Standard 16.2, Data Centers managed by Institutional Central IT organizations and the U. T. System Shared Data Centers must incorporate procedures for each of the following:
(a) reviewing physical access at least monthly, or more often if warranted by Risk;
(b) designating staff who will have authorized access during an emergency;
(c) monitoring the exterior and interior of the facility 24/7 by trained staff;
(d) maintaining appropriate environmental controls such as alarms that monitor heat and humidity, fire suppression and detection systems supported by an independent energy source, and uninterruptible power systems capable of supporting all Computing Devices in the event of a primary power system failure; and
(e) protecting any Shared or Central IT managed Data Center built after the effective date of this Standard by implementing and maintaining the following:
16.4 Decentralized IT Managed Data Centers. In addition to the controls required in Standard 16.2, the ISO shall develop Institutional Standards and safeguards to protect Decentralized IT Data Centers based on Risk.

Users who are University employees, including student employees, or who are otherwise serving as an agent or are working on behalf of the University have no expectation of privacy regarding any University Data they create, send, receive, or store on University-owned computers, Servers, or other Information Resources owned by, or held on behalf of, the University. The University may access and monitor its Information Resources for any purpose consistent with the University’s duties and/or mission without notice.
(a) that network traffic and use of Information Resources is monitored as authorized by applicable law and only for purposes of fulfilling a System or Institutional mission-related duty;
(b) Server and network logs are reviewed manually or through automated processes on a scheduled basis based on Risk and regulation to ensure that Information Resources containing Confidential Data are not being inappropriately accessed;
(c) vulnerability assessments are performed annually, at minimum, to identify software and configuration weaknesses within information systems maintained in both Centralized and Decentralized IT;
(d) an annual, professionally administered and reported external network penetration test is performed; and
(e) that results of log reviews, vulnerability assessments, penetration tests, and IT audits are available to the ISO and that required remediation is implemented.

The Institutional ISO shall ensure that security training is delivered and tracked. Initial and recurring training: (a) should, at minimum, identify User responsibilities, common threats, regulatory and Institutional requirements regarding the acceptable use and security of Information Resources, proper handling of Confidential Data, and incident notification; and (b) is to be administered in accordance with the following schedule, or more frequently as determined by an Institution.
18.2 In addition to initial training, Owners and Custodians should receive periodic training addressing the responsibilities associated with their roles.