17.01

Responsibility for the Use of Information Resources IS

POLICY OVERVIEW

The University of Texas Health Science Center at Houston (UTHSC-H) aspires to be the model health sciences university for the 21st century. The UTHSC-H supports innovative information technology in achieving this goal. Toward this effort, faculty, students and staff must realize that regardless of the funding source, information resources are owned by UTHSC-H and are governed by university rules, which arise from local, state, and federal regulations.

Under the provisions of the Information Resources Management Act, Section 2054.001 et. seq., Government Code, university information resources are strategic assets of the State of Texas that must be managed as valuable state resources. The UTHSC-H protects its information resources in accordance with the State of Texas Department of Information Resources' (DIR) Information Security and Risk Management Policy Standards and Guideline, published in the Texas Administrative Code (TAC) Title 1, part 10, Chapter 201, Rule 201.13(b). 1 TAC Section 201.13(b)(3)(c) states that access to state information resources must be strictly controlled.

This policy establishes the fundamental rules for all UTHSC-H information resources and their use. These policies apply to employees, students, vendors, contractors, visiting faculty, business partners, affiliate hospitals, clinics and guests. All information resources attached to the UTHSC-H network and all information resources that process UTHSC-H information fall under the authority and responsibility of the IRMs and must meet the minimum security requirements of UTHSC-H and appropriate federal and state regulations and policies. The security requirements and practices at UTHSC-H are outlined in HOOP Chapter 17.

For purposes of this policy, information and data subject to the Public Information Act 17.07 Handling Records Requests are referred to as "public information". Public information pertains to open records identified in the official UTHSC-H Records Retention Schedule approved by the Texas State Library and the State Auditor's Office.

Information Classifications:

Confidential information is information that is exempted from disclosure requirements under the provisions of the Texas Public Information Act or other applicable state or federal laws published in the Texas Administrative Code (TAC) Title 1, part 10, Chapter 201, Rule 201.13(b). 1 TAC Section 201.13(b)(3)(c). Confidential information includes, but is not limited to: some employee information (e.g., social security numbers, family members, criminal history checks, medical information, benefit elections, performance evaluations). Student information, such as test items as well as student, employee and patient medical records are confidential. Roles and responsibilities for the protection of confidential information are outlined in this policy.

Sensitive information is information maintained by state agencies that require special precautions, as determined by agency standards and risk management decisions, to assure its accuracy and integrity by utilizing integrity, verification and access controls to protect it from unauthorized modification or deletions. Roles and responsibilities for the protection of sensitive information are outlined in this policy.

Vital information is any information necessary to the resumption or continuation of state agency operations in an emergency or disaster. It is information necessary to the re-creation of the legal and financial status of the agency; or necessary to the protection and fulfillment of obligations to the people of the State as published in the State Records Management Laws, State Agency Bulletin Number Four, Current through the 75th Legislature, Regular Session, 1997. Vital records are protected in accordance with record management guidelines and can also be protected using the same guidelines as those protecting confidential and sensitive information. Roles and responsibilities for the protection of vital information are outlined in this policy.

Permanent information is identified in the record retention schedule. A permanent record possesses enduring legal, fiscal, or administrative value and must be preserved permanently by the agency. Permanent records are protected in accordance with record management guidelines and can also be protected using the same guidelines as those protecting confidential and sensitive information. Roles and responsibilities for the protection of permanent information are outlined in this policy.

PROCEDURE

Roles and Responsibilities:

1. Information Resource Managers (IRMs)
2. IT Security Team
3. IT Infrastructure Owners
4. Information Owners (Owners)
5. Stewards
6. Users
7. Auditing and Advisory Services

Any individual or department may have multiple roles and responsibilities. For example, information technology service providers may be IT Infrastructure Owners, Stewards and Security Administrators.

The UTHSC-H president has delegated the responsibility to oversee the UTHSC-H information security and risk management program to information resource managers (IRMs).

1. Information Resource Managers (IRMs):

There are two distinct Information Resource Managers at UTHSC-H who work collaboratively.

• The director of academic computing is the IRM for academic information resources
• The Chief Administrative Information Officer is the IRM for administrative computing resources

IRM Responsibilities:

• Promulgate the security policies and procedures that the university is required to follow. (Note: The IRM's are aided by the IT Security Team.)

2. IT Security Team:

• Appointed by the IRMs. Team consists of IRMs, IT Security Manager, and IT Infrastructure Owners

IT Security Team Responsibilities:

• Develop, oversee the implementation of and monitor the IT Security Program.
• Assess the level of security on networks and information resources to determine if the security implemented is adequate to protect the overall UTHSC-H information infrastructure.
• Make recommendations to information owners for correction of security deficiencies. All stewards of UTHSC-H information resources must comply with recommendations of the IT security team.
• Establish and administer a review process to address extenuating circumstances.
• Establish and administer a plan to address policy and procedure violations.
• Work in consultation with the appropriate IT staff and information owners to determine in which specific zones UTHSC-H information resources must be placed and assist in security solution implementations.
• Be allowed administrator access to all UTHSC-H computers upon request.
• Have final authority over security solutions and implementation decisions.

To contact the IT Security Team contact its@uth.tmc.edu

3. IT Infrastructure Owners:

IT Infrastructure Owners:

• provide the data processing and telecommunications hardware, software and computer network equipment to support the operations of the university

IT Infrastructure Owner Responsibilities:

• ensure availability of IT infrastructure
• ensure confidential and sensitive information is protected during transmission
• ensure a disaster recovery plan is in place for the IT infrastructure

Examples of IT Infrastructure Owners:

The office of Academic Computing and Information Services and Medical School Network Operations.

4. Information Owners (Owners):

Information Owners:

• create, alter, transmit and/or store information that is used to carry out a program(s) under their direction.

Owner Responsibilities:

• assume the role of data and information owner or delegate the role; accountability can not be delegated
• formally assign stewardship of the information resources, approve access to responsible stewards and ensure stewards are given appropriate authority to implement security controls and procedures
• assess the value of information resources
• classify data and information as defined above or in the Records Retention Schedule.
• retain and destroy records in accordance with 17.06 Records Management Program.a
• ensure that the information resources are secured according to security policies and procedures promulgated by IRMs, specified in HOOP Chapter 17 and the IT Security Program.
• identify and protect vital records in accordance with record management guidelines. See Records Retention Schedules.
• ensure public information is carefully protected from deterioration, alteration, mutilation, loss, or unlawful removal; and ensure public information is repaired, renovated or rebound as necessary to maintain it properly
• determine what class of users need access to data and information on a "minimum necessary" basis
• assure that stewards have a disaster recovery plan for information resources

Examples of Owners:

The Chief Operating Officer delegates the responsibility for ensuring that the UTHSC-H is in compliance with all relevant legislation to department heads. These positions are typically one organizational level below the positions of president, executive vice president, vice president, dean, or executive director of Harris County Psychiatric Center, and rarely more than two levels below.

"Department head" applies to UTHSC-H associate and assistant deans, department chairs, module conveners, and others who serve in positions that function in the same manner as department heads, such as division chiefs and program directors, anyone with financial and administrative responsibility and accountability for their departments, such as process owners, principal investigators and directors.

5. Stewards:

Stewards of information resources:

• provide technical facilities and support services to IT, owners and users of information
• maintain the responsibility for implementing controls for the data or information based on assignment by the Owner and in accordance with the IT Security Program.
• typically maintain physical possession of information resources

Steward Responsibilities:

• assist owners in information classification in accordance with the Records Retention Schedule.
• assist owners in the destruction of records in accordance with 17.06 Records Management Program.a
• assist owners in disaster recovery planning for information resources. See IT Security Program.
• assist owners in evaluating the cost-effectiveness of security controls
• identify positions that require special trust. A position of special trust is one in which the incumbent can view confidential information, can alter sensitive information, or is depended upon for the continuity of information resources that are determined to be essential
• implement the controls specified by the information owner in accordance with the IT Security Program.
• implement security controls on the department's server operating system level, network operating system level, PC level and applications software level in accordance with the IT Security Program.
• confirm that controls are in place to ensure the accuracy and completeness of information

Examples of Stewards:

Stewards include such individuals as school and departmental Local Area Network managers and webmasters, the office of academic computing, information services, and system administrators network analysts, and IT support personnel for departmental systems.

6. Users:

Users of information resources are individuals who use the information that is processed by an automated information system.

User Responsibilities:

• know and comply with published university policies and procedures
• manage UTHSC-H information resources responsibly
• protect confidential and sensitive information in its entirety, regardless of the method of access
• realize they are accountable for their actions relating to information resource security
• for user responsibilities see: Information Resources Security Manual, 17.02 Telecommunications Usage, 17.05 Email and Internet Usage, 17.06 Records Management Program.

Examples of Users:

Employees, students, vendors, contractors, visiting faculty, business partners, affiliate hospitals, clinics, and guest users of UTHSC-H information resources and patients.

7. Auditing and Advisory Services

• Auditing and Advisory Services assess the control environment of the IT environment and report to Executive Management. Failure on the part of the university to comply with federal and state security policies may result in further review and penalties from federal agencies, the Office of the State Auditor, disapproval by the DIR, and further action as deemed necessary by the DIR to ensure compliance.

a UTSystem Policy 165 Information Resources Use and Security Policy.

Created 06/00; Updated 11/04

| HOOP Home Page | Chapter 17 Table of Contents |

Report broken links, etc.