17.01 Responsibility for the Use of Information Resources
POLICY OVERVIEW
Information resources are owned by The University of Texas Health Science Center at Houston (“university”) and are governed by university rules, which arise from local, state, and federal regulations, regardless of the funding source.
Under the provisions of Texas state law, university information resources are strategic assets of the State of Texas that must be managed as valuable state resources. The university protects its information resources in accordance with the State of Texas Department of Information Resources' (“DIR”) Information Security and Risk Management Policy Standards and Guidelines. Access to state information resources must be strictly controlled.
This policy establishes the fundamental rules for all university information resources and their use. It applies to anyone who uses university information technology resources, including employees, students, vendors, contractors, visiting faculty, business partners, affiliate hospitals, clinics and guests. All information resources attached to the university network, and all information resources that process university information, fall under the authority and responsibility of the Chief Information Officer (“CIO”) and must meet the minimum security requirements of the university and applicable federal and state regulations and policies. The security requirements and practices of the university are outlined in the Handbook of Operating Procedures (“HOOP”).
For purposes of this policy, information and data subject to the Texas Public Information Act as defined in HOOP Policy 17.07 Handling Requests for Public Information are referred to as "public information."
Information Classifications:
Note: These classifications are not mutually exclusive.
Confidential information is information that is exempted from disclosure requirements under the provisions of the Texas Public Information Act or other applicable state or federal laws. Confidential information includes, but is not limited to:
- Some employee information (e.g., social security numbers, family members, criminal history checks, medical information, benefit elections, performance evaluations).
- Some student information (e.g., test items).
- Student, employee and patient medical records.
Roles and responsibilities for the protection of confidential information are outlined in this policy.
Sensitive information is information maintained by state agencies that requires special precautions, as determined by agency standards and risk management decisions, to assure its accuracy and integrity. It is protected by integrity, verification and access controls against unauthorized modification or deletion. Roles and responsibilities for the protection of sensitive information are outlined in this policy.
Vital information is any information necessary to the resumption or continuation of state agency operations in an emergency or disaster. It is information necessary to the re-creation of the legal and financial status of the agency, or necessary to the protection and fulfillment of obligations to the people of the State. Vital records are protected in accordance with record management guidelines and can also be protected using the same guidelines as those protecting confidential and sensitive information. Roles and responsibilities for the protection of vital information are outlined in this policy.
Permanent information is identified in the record retention schedule. A permanent record possesses enduring legal, fiscal, or administrative value and must be preserved permanently by the agency. Permanent records are protected in accordance with record management guidelines and can also be protected using the same guidelines as those protecting confidential and sensitive information. Roles and responsibilities for the protection of permanent information are outlined in this policy.
POLICY CONTACT
For questions regarding this policy, contact Information Technology.
PROCEDURE
Roles and Responsibilities:
- Office of the Chief Information Officer
- Information Security and Disaster Recovery Planning
- IT Infrastructure Owners
- Information Owners (“System Owners”)
- Stewards
- Users
- Auditing and Advisory Services
- Office of Institutional Compliance
Any individual or department may have multiple roles and responsibilities. For example, information technology service providers may be IT Infrastructure Owners, Stewards and Security Administrators.
The President has delegated the responsibility to oversee the university’s information security and risk management program to the CIO.
1. Office of the Chief Information Officer ("CIO"):
- The CIO is the information resource manager for the university. The CIO is assisted by the IT Risk Management & Compliance manager.
CIO Responsibilities:
- Promulgate the security policies and procedures the university is required to follow.
2. Information Security and Disaster Recovery Planning:
- Information Security and Disaster Recovery Planning is a department led by the university’s Chief Information Security Officer (“CISO”) who reports directly to the CIO.
- The CISO and the department are assisted by the IT Security Core Team and the departmental Information Security Administrators ("ISAs").
Information Security and Disaster Recovery Planning Responsibilities:
- Develop, oversee the implementation of, and monitor the Information Security Program.
- Assess the level of security on networks and information resources to determine if the security implemented is adequate to protect the overall university information infrastructure.
- Make recommendations to information owners for correction of security deficiencies. All stewards of university information resources must comply with recommendations of the Information Security team.
- Establish and administer a review process to address extenuating circumstances.
- Establish and administer a plan to address policy and procedure violations.
- Work in consultation with the appropriate IT staff and information owners to determine in which specific zones university information resources must be placed and assist in security solution implementations.
- Be allowed administrator access to all university computers upon request.
- Have final authority over security solutions and implementation decisions.
To contact Information Security and Disaster Recovery Planning you may send an email to it_riskmanagement@uth.tmc.edu
3. IT Infrastructure Owners:
- The IT Infrastructure Owners own and operate hardware and associated software to provide computing services, storage and connectivity to the campus, including:
  - Datacenter operations
  - Campus network
  - Internet
  - Wide Area Ethernet Network (Clinics and Business Partners connections)
  - Fire Alarm system
  - Security Camera systems for UTPD
  - Telephone system
  - Information Security and Disaster Recovery Planning
  - Firewalls
  - Intrusion detection/protection
IT Infrastructure Owners include the following:
- Central Information Technology
  - Data Center Operations & Services
  - Network & Communications
  - Information Technology Security and Disaster Recovery Planning
- Medical School
- School of Public Health
- School of Health Information Sciences
- The University of Texas Harris County Psychiatric Center
4. Information Owners (System Owners):
Information Owners:
- An information owner is the head of the department that depends on the information contained in the system to fulfill his/her departmental responsibilities.
- Owners create, alter, transmit and/or store information that is used to carry out a program(s) under their direction.
Owner Responsibilities:
- Assume the role of data and information owner or delegate the role (accountability cannot be delegated).
- Formally assign stewardship of the information resources, approve access for responsible stewards and ensure stewards are given appropriate authority to implement security controls and procedures.
- Assess the value of information resources.
- Classify data and information as defined above or in the Records Retention Schedule.
- Retain and destroy records in accordance with HOOP Policy 17.06 Records Management Program.
- Ensure the information resources are secured according to security policies and procedures promulgated by the CIO, specified in the HOOP and the Information Security Program.
- Identify and protect vital records in accordance with record management guidelines. See Records Retention Schedules.
- Ensure public information is carefully protected from deterioration, alteration, mutilation, loss, or unlawful removal; and ensure public information is repaired, renovated or rebound as necessary to maintain it properly.
- Determine what class of users need access to data and information on a "minimum necessary" basis.
- Assure that stewards have a disaster recovery plan for information resources.
- Assure that department has a business continuity plan.
Examples of Owners:
The Executive Vice President, Chief Operating and Financial Officer delegates the responsibility for ensuring that the university is in compliance with all relevant legislation to department heads. These positions are typically one organizational level below the positions of President, Executive Vice President, Vice President, Dean, or Executive Director of The University of Texas Harris County Psychiatric Center, and rarely more than two levels below.
"Department head" applies to associate and assistant deans, department chairs, module conveners, and others who serve in positions that function in the same manner as department heads, such as division chiefs and program directors, anyone with financial and administrative responsibility and accountability for their departments, such as process owners, principal investigators and directors.
5. Stewards:
Stewards of information resources:
- Typically maintain physical possession of information resources.
- Provide technical facilities and support services to IT, owners and users of information.
- Maintain the responsibility for implementing controls for the data or information based on assignment by the Owner and in accordance with the Information Security Program.
Steward Responsibilities:
- Assist owners in information classification in accordance with the Records Retention Schedule.
- Assist owners in the destruction of records in accordance with HOOP Policy 17.06 Records Management Program.
- Assist owners in disaster recovery planning for information resources. See Information Security Program.
- Assist owners in evaluating the cost-effectiveness of security controls.
- Identify positions that require special trust. A position of special trust is one in which the incumbent can view confidential information, can alter sensitive information, or is depended upon for the continuity of information resources that are determined to be essential.
- Implement the controls specified by the information owner in accordance with the Information Security Program.
- Implement security controls on the department's server operating system level, network operating system level, PC level and applications software level in accordance with the Information Security Program.
- Confirm that controls are in place to ensure the accuracy and completeness of information.
Examples of Stewards:
Stewards include the IT infrastructure owners and school or departmental support personnel who have physical or logical control over hardware, software or services. This includes system administrators.
6. Users:
Users of information resources are individuals who use the information that is processed by an automated information system.
User Responsibilities:
Examples of Users:
Employees, students, vendors, contractors, visiting faculty, business partners, affiliate hospitals, clinics, guest users of university information resources, and patients.
7. Auditing and Advisory Services
- Auditing and Advisory Services assesses the control environment of the IT environment and reports to Executive Management. Failure on the part of the university to comply with federal and state security policies may result in further review and penalties from federal agencies, the Office of the State Auditor, disapproval by the DIR, and further action as deemed necessary by the DIR to ensure compliance.
8. Office of Institutional Compliance
- The Office of Institutional Compliance ("Institutional Compliance") and the Office of the CIO and its direct reports perform an annual Information Services Risk Assessment in which areas of high risk are identified.
- A summary of the Information Services Risk Assessment is submitted to the Executive Compliance Committee (“ECC”) for review. The ECC may select one or more high risk areas for which a Risk Mitigation Plan will be required.
- The Office of the CIO ensures the Risk Mitigation Plan(s) required by the ECC are completed and monitored, with findings reported to Institutional Compliance for submission to the ECC.
Created 06/00; Updated 11/04, 10/08, 02/09