7.5.1 Information Security
A. Purpose
To provide the requirements and guidelines for information security practices at the University and the means by which the University will protect the confidentiality, availability and integrity of data relating to all stakeholders involved with patient care, research, administration and education at the University.
B. Persons Affected
All individuals (e.g., employees, faculty, students, alumni, agents, consultants, contractors, volunteers, vendors, temps, etc.) with access to University of Texas at Tyler (the "University") Information Resources (IR) and all information that is created, acquired, transmitted, stored, printed or processed by a computer system or by a device connected to the network or telecommunications hardware.
C. Definitions
Information Resources (IR): any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus, and additionally, the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Data Owner: the manager or agent responsible for the business function that is supported by the IR or the individual upon whom responsibility rests for carrying out the program that uses the resources. The Owner is responsible for establishing the controls that provide the security and authorizing access to the IR. The Owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared. Note: In the context of Information Security Policy and Standards, Owner is a role that has security responsibilities assigned to it by Texas Administrative Code (TAC) 202.72. It does not imply legal ownership of IR. All University IR are legally owned by The University of Texas System or the member Institution.
Custodian: an individual, department, Institution, or third-party service provider responsible for supporting and implementing Information Resources Owner-defined controls to IR. Custodians include Information Security Administrators, institutional information technology/systems departments, vendors, and any third party acting as an agent of or otherwise on behalf of the University.
User: an individual, automated application, or process that is authorized by the Owner to access the resource, in accordance with Federal and State law, University policy, and the Owner's procedures and rules and who has the responsibility to (1) use the resource only for the purpose specified by the Owner, (2) comply with controls established by the Owner, and (3) prevent the unauthorized disclosure of Confidential Data. The User is any person who has been authorized by the Owner of the information to read, enter, or update that information. The User is the single most effective control for providing adequate security.
Information Technology (IT): The University department responsible for computers, networking and data management.
D. Policy
All University Information Resources security programs will be responsive and adaptable to changing technologies affecting University IR. Security controls are outlined in UTS 165, section 5, Information Security Standards and are posted in the UT System Policy Library. The following list of standards is mandatory across the University.
UTS165 Standard 1. Information Resources Security Responsibilities and Accountability
UTS165 Standard 2. Acceptable Use of Information Resources
UTS165 Standard 3. Information Security Programs
UTS165 Standard 4. Access Management
UTS165 Standard 5. Administrative/Special Access Accounts
UTS165 Standard 6. Backup and Disaster Recovery
UTS165 Standard 7. Change Management
UTS165 Standard 8. Malware Prevention
UTS165 Standard 9. Data Classification
UTS165 Standard 10. Risk Management
UTS165 Standard 11. Safeguarding Data
UTS165 Standard 12. Security Incident Management
UTS165 Standard 13. Use and Protection of Social Security Numbers
UTS165 Standard 14. Information Services (IS) Privacy
UTS165 Standard 15. Passwords
UTS165 Standard 16. Data Center Security
UTS165 Standard 17. Security Monitoring
UTS165 Standard 18. Security Training
UTS165 Standard 19. Server and Device Configuration and Management
UTS165 Standard 20. Software Licensing
UTS165 Standard 21. System Development and Deployment
UTS165 Standard 22. Vendor and Third-Party Controls and Compliance
UTS165 Standard 23. Security Control Exceptions
UTS165 Standard 24. Disciplinary Actions
Enforcement
Any event that results in theft, loss, unauthorized use, unauthorized disclosure, unauthorized modification, unauthorized destruction, or degraded or denied services of IR constitutes a breach of security and confidentiality. Violations may include, but are not limited to, any act that:
- Exposes the University to actual or potential monetary loss through the compromise of IR security.
- Involves the disclosure of sensitive or confidential information or the unauthorized use of University data or resources.
- Involves the use of University IR for personal gain or for unethical, harmful, or illicit purposes.
HR IHOPs regarding discipline and dismissal of employees elaborate on the appropriate steps that the University will use in sanctioning those who violate this policy.
E. References
Texas Administrative Code Title 1, Part 10, Chapter 202, Information Security Standards
UTS165 Information Resources Use and Security Policy
Health Insurance Portability and Accountability Act (HIPAA)
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023