The Institutional Information Security Officer is the individual responsible for an Institution’s Information Security Program and shall: (a) work in partnership with the University community, constituency groups, and leadership to establish effective and secure processes and information systems and to promote information security as a core Institutional value; (b) provide information security oversight for all Centralized and Decentralized IT Information Resources; (c) develop and maintain a current and comprehensive Information Security Program that includes Risk assessment, action plans, training plans, monitoring plans, and specific Risk mitigation strategies to be used by Owners and Custodians of Mission Critical Information Resources to manage identified Risks; (d) develop Institutional Policies, Standards, Procedures, and/or Guidelines to ensure that the protection of Information Resources is considered during the development or purchase of new computer applications or services; (e) develop or adopt a Data Classification Standard that conforms or maps to UTS165 Standard 9 – Data Classification; (f) coordinate Risk assessments required by U. T.
(a) The ISO for Common Use Infrastructures is responsible for implementation of an Information Security Program for Common Use Infrastructures, and for documenting associated roles and responsibilities. (b) For services provided via Common Use Infrastructures, Memorandum of Understanding (MOU) documents between U. T. System and participant Institutions must identify roles and responsibilities for provision of Information security controls.
Any unauthorized or unlicensed use is deemed to be without the consent of U. T.
Custodians of Mission Critical Information Resources must implement approved Risk mitigation strategies and adhere to Information Security Policies and Procedures to manage Risk levels for Information Resources under their care. Institutional ISOs must ensure that annual Information Security Risk assessments are performed and documented by each Owner of Mission Critical Information Resources or Information Resources containing Confidential Data. Principal Investigators must perform reviews, in collaboration with the Institutional ISO, of the implementation of required security controls (i.e., control objectives, controls, Policies, processes, and Procedures for Information security) for sponsored projects under their authority.
A third-party Risk assessment is required in the following situations: (a) when purchasing services that result in exchange of University Data or hosting of University Information Systems with a Vendor or other organization; or (b) when purchasing systems or software, whether it is to be hosted on premises or at a Vendor facility, if Confidential University Data will be stored within or processed by the system or software. Information Security Risk Assessments that are to be aggregated for systemwide reporting to the U. T. System Executive Compliance Committee and/or the U. T. System Board of Regents shall be conducted using a risk management framework and process defined by the U. T. System Office of Information Security and shall be coordinated at the Institutional level by the Institutional ISO.
Decisions relating to acceptance of Risk must be documented and are to be made by: (a) the Information Resource Owner, in consultation with the Institutional Information Security Officer or designee, for resources having a residual Risk of Low or Moderate; (b) the Chief Administrative Officer, or designee, considering recommendations of the Owner and Institutional Information Security Officer, for resources having a residual Risk of High.
Each Institution’s Policies, Standards, and/or Procedures must describe and require steps to protect University Data using appropriate administrative, physical, and technical controls in accordance with the Institutional Information Security Program and Data Classification Standard, and UTS165 and its associated Standards. University Data must not be stored on personally procured third-party (e.g.
11.3 Password and Encryption Protection for Computing Devices and Data. (a) For University owned, leased, or controlled devices, the Institution must use processes to ensure an ability to access encrypted Data in the event that an encryption key becomes corrupted. (b) For personally owned devices, the device owner is responsible for ensuring that encrypted Data is backed up to University owned or sanctioned storage using processes prescribed by the Institution.
All Institutions shall adopt Policies, Standards, and/or Procedures and implement appropriate administrative, physical, and technical safeguards necessary to adequately protect the security of Data during transport and electronic transmissions. Each of the following shall be addressed: (a) identification and transmission of the least amount of Confidential Data required to achieve the intended business objective; (b) encryption of all Confidential Data transmitted over the Internet; (c) encryption of all Confidential Data transmitted between Institutions and Shared Data Centers; and (d) deletion of transmitted and received Confidential Data upon completion of the intended business objective.
Institutions must discard Electronic Devices and Media containing University Data: (a) in a manner that adequately protects the confidentiality of the Data and renders it unrecoverable, such as overwriting or modifying the Electronic Media to make it unreadable or indecipherable or otherwise physically destroying the Electronic Media; and (b) in accordance with the applicable institutional records retention schedule.
Security Incidents will be reported as required by State and Federal law and University Policy, including the U. T. System Information Security Incident Reporting Requirements. Incident Management must incorporate Procedures for: (a) formally identifying, classifying, and reporting Security Incidents; (b) responding to Security Incidents; (c) assessing potential damage of Security Incidents; (d) gathering and preserving physical and electronic evidence; (e) assigning responsibility for gathering, maintaining, and reporting detailed Information regarding Security Incidents of local and U. T. Systemwide significance, for actions taken to remediate, and for documentation of a management action plan to prevent a recurrence; (f) notifying appropriate Institutional and U. T. System officials, residents of Texas, Data Owners, Federal and State agencies, and consumer reporting agencies as required by applicable State and Federal law and U. T. System Policy; (g) determining and adhering to timing requirements for incident disclosure and notification; and (h) determining and adhering to an appropriate medium to provide notice based on incident significance, number of individuals adversely impacted, University Policy, applicable Federal and State law and regulations, and any contractual obligations with third-party organizations.
All employees must promptly report unauthorized or inappropriate disclosure of Confidential Data, in digital, paper, or any other format, to their supervisors and the Institutional Information Security Office. ISOs must report significant Security Incidents, as defined by the U. T. System Security Incident Reporting Requirements, to the U. T.
12.4 Reporting to the Institutional Information Security Officer. Information Resources Owners, Custodians, and any supervisor or manager who becomes aware of a Security Incident must report the incident to the Institutional Information Security Officer. Custodians must implement monitoring controls and Procedures for detecting, reporting, and investigating incidents.
13.1 All Institutions shall reduce the use and collection of social security numbers. (a) All Institutions shall discontinue the use of all or part of the social security number as an individual's primary identification number unless required or permitted by law. (c) Except in those instances in which an Institution is legally required to collect a social security number, an individual shall not be required to disclose all or part of his or her social security number, nor shall the individual be denied access to the services at issue if the individual refuses to disclose his or her social security number. An individual, however, may volunteer his or her social security number. An Institution’s request that an individual provide his or her social security number for verification of the individual's identity where the social security number has already been disclosed does not constitute a disclosure for purposes of this Standard.
Potential purpose may include:
The links include examples of Federal laws and State laws that require the collection or use of social security numbers.
(b) In addition to the notice required by the Federal Privacy Act, when the social security number is collected by means of a form completed and filed by the individual, whether the form is printed or electronic, the notice as required by Section 559.003 of the Texas Government Code must also be provided. That section requires that the agency state on the paper form or prominently post on the Internet site in connection with the form that: with few exceptions, the individual is entitled on request to be informed about the Information that is collected about the individual; under Sections 552.021 and 552.023 of the Government Code, the individual is entitled to receive and review the Information; and under Section 559.004 of the Government Code, the individual is entitled to have the incorrect Information about the individual corrected.
System agencies or organizations except as required by State or Federal law.
All Institutions must designate responsibility for the Institutional Network Infrastructure and specify those responsible for: (a) configuring and managing the resource in accordance with U. T. System and Institutional information security Policies, Standards, and Procedures; (b) maintaining appropriate access to the Network Infrastructure in accordance with U. T. System and Institutional information security Policies, Standards, and Procedures; and (c) managing, testing, and installing updates to operating systems and applications for network equipment under their responsibility. Each office so designated shall be responsible for: (a) configuring and managing network resources in accordance with this UTS 165 and all other applicable U. T. System and Institutional information security Policies, Standards, and Procedures; (b) segmenting the Institutional network physically or logically to reduce the scope of potential exposure of Information Resources in the event of a Security Incident; (c) separating Internet facing applications from internal applications; (d) maintaining appropriate access to the Network Infrastructure in accordance with this UTS 165 and all other applicable U. T. System and Institutional information security Policies, Standards, and Procedures; (e) managing, testing, and updating operating systems and applications for network equipment for which it is responsible; and (f) approving all access methods, installation of all network hardware connected to the local-area network and methods and requirements for attachment of any Non-U. T.
To protect against malicious attack, all Servers on U. T. System networks will be security hardened based on Risk and must be administered according to Policies, Standards, and Procedures prescribed by the Institution, as applicable, and must incorporate Procedures for: (a) identifying and assigning appropriately trained administrators for all Mission Critical Servers, or Servers supporting Information Systems containing Confidential Data; (b) setting baseline security “hardened” configuration Standards for all Servers; and (c) managing the testing and installation of service packs, hot fixes, and security patches. All devices (e.g., routers, laptops, tablets, desktops, and handheld devices) on U. T. System networks must be protected against malicious attack.
These Procedures must address: (a) acceptable use of administrative/special access accounts and intended administrative purposes; (b) authorization required for use of administrative/special access accounts; (c) the need to review, remove, and/or disable administrative/special access accounts at least annually, or more often if warranted by Risk, to reflect current authorized User needs or Changes of User role or employment, or other status conferring access; and (d) the need to escrow login Passwords for each secured system for access during emergencies.
18.3 Awareness Training should, at minimum, identify common threats, proper handling of Confidential Data, behaviors that increase Risk, behaviors that reduce Risk, and incident notification. Method of delivery and scheduling of such training should be determined by the ISO.
The disaster recovery plan must incorporate Procedures for: (a) recovering Data and applications in the case of events that deny access to Information Resources for an extended period (e.g., natural disasters, terrorism); (b) assigning operational responsibility for recovery tasks and communicating step-by-step implementation instructions; (c) testing the disaster recovery plan and Procedures every two years at minimum; and (d) making the disaster recovery plan available to the Institutional ISO and other stakeholders.
The Change Management process must incorporate Procedures for: (a) formal identification, classification, prioritization, and request of Scheduled Changes; (b) identification and deployment of Emergency Changes; (c) assessment of potential impacts of changes, including the impact on Data classification, Risk assessment, and other security requirements; (d) authorization of changes and exceptions; (e) testing changes; (f) change implementation and back-out planning; and (g) documentation and tracking of changes. All Custodians must implement and adhere to approved institutional Change Management processes to ensure secure, reliable, and stable operations.
User access to applications is granted on a need-to-access basis; (b) maintaining separate production and development environments to ensure the security and reliability of the production system; (c) performing a security assessment prior to the purchase of any new information security services that receive, maintain, and/or share Confidential Data; (d) including vulnerability assessments and code scans in the Information Systems development cycle; and (e) performing a vulnerability assessment and including a static or dynamic code scan of all new web applications prior to moving them to production. The Institutional ISO must review and approve security requirements, specifications, and, if applicable, third-party Risk assessments for any new computer hardware, software, applications, or services that are Mission Critical or that receive, maintain, and/or share Confidential Data. Contracts for purchase or development of automated systems must address security, backup, and privacy requirements, and should include right-to-audit and other provisions to provide appropriate assurances that applications and Data will be adequately protected.
22.2 The Data Owner, Institutional procurement officers and staff, and the ISO are jointly and separately responsible for ensuring that all contracts are reviewed to determine whether the contract involves third-party access to, outsourcing, maintenance, or creation of University Data; and that all such access, outsourcing, or maintenance fully complies with this Standard at all times.
22.3 Any contract involving third-party access to, creation, or maintenance of Protected Health Information (PHI) as defined in 45 C.F.R. § 164.501, must include a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement in a form approved by Institutional counsel or OGC.
22.4 Any contract involving third-party-provided credit card services must require that the Contractor provides assurances that all subcontractors who provide credit card services pursuant to the contract will comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in the provision of the services. Prior to access, maintenance, or creation of University Data by a Vendor or any other third-party, the Institution must ensure that an assessment is or has been performed that is designed to ensure that: (a) the Vendor has sufficient technological, administrative, and physical safeguards to ensure the confidentiality, security, and Integrity of the Data at rest and during any transmission or transfer; and (b) any subcontractor or other third-party that will access, maintain, or create Data pursuant to the contract will also ensure the confidentiality, security, and Integrity of such Data while it is at rest and during any transmission or transfer.
Internal communications that do not contain Confidential Information.