Automated information and information resources owned or managed by The University of Texas Health Science Center at Houston are strategic and vital resources belonging to the people of Texas. These resources require protection commensurate with their value. Measures shall be taken to protect these resources against accidental or unauthorized disclosure, modification

or destruction, as well as to assure the security, reliability, integrity and availability of information.

It is the policy of the University to protect the information resources of the state of Texas. The policies stated herein are in accordance with the Handbook of Operating Procedures (HOOP) and the state of Texas Department of Information Resources' (DIR) Information Security and Risk Management Policy Standards and Guidelines published in the Texas Administrative Code 1 TAC 201.13(b), and authorized by the Information Resources Management Act (Vernon's Ann. Civ.St. Article 4413(32j)).

Information resources include, but are not limited to, all university owned or managed

• data processing and telecommunications hardware, software and computer media
• equipment control and data acquisition information technology
• security access codes and
• automated information that is created, acquired, transmitted, stored, printed, and/or processed by a computer system

Information resources are classified as confidential or vital, neither or both. Confidential information maintained by state agencies is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state or federal laws. Vital information requires a greater than normal assurance of accuracy and completeness because it is available to the public upon request.

All individuals are required to protect confidential and vital information in its entirety, regardless of the method of access.

This policy applies to all agencies of the state government and to all faculty, staff, students and contracted personnel (herein referred to as individuals). All individuals are accountable for their actions relating to the protection and use of information resources belonging to the university and the state of Texas.

To support this policy, certain authorities and responsibilities have been assigned within the university to oversee its information resources. Their roles and responsibilities are defined in the HOOP and summarized in this manual.

Individuals using information resources owned or managed by the university are expected to know and comply with published university policies and procedures documented at HOOP Chapter 17.

An individual may be subject to civil or criminal legal sanctions when a violation occurs. It is the responsibility of all personnel to report any suspected or confirmed violations of this policy to appropriate management.

University personnel are potentially the most effective lines of defense in ensuring the security of information resources. By adhering to the policies listed herein, individuals will provide a level of protection that valuable information resources require.

The UTHSC-H president has delegated the responsibility to oversee the UTHSC-H information security and risk management program to information resource managers (IRMs).

• The director of academic computing is the IRM for academic information resources
• The chief administrative information officer is the IRM for administrative computing resources

IRM responsibilities:

• promulgate the security policies and procedures that the university is required to follow. (Note: The IRM's are aided by the IT Security Team)

• Appointed by the IRMs. Team consists of IRMs, IT Security Manager and IT Infrastructure Owners.

IT Security Team responsibilities:

• Develop, oversee the implementation of and monitor the IT Security Program.
• Assess the level of security on networks and information resources to determine if the security implemented is adequate to protect the overall UTHSC-H information infrastructure.
• Make recommendations to information owners for correction of security deficiencies. All stewards of UTHSC-H information resources must comply with recommendations of the IT security team.
• Establish and administer a review process to address extenuating circumstances.
• Establish and administer a plan to address policy and procedure violations.
• Work in consultation with the appropriate IT staff and information owners to determine in which specific zones UTHSC-H information resources must be placed and assist in security solution implementations.
• Be allowed administrator access to all UTHSC-H computers upon request.
• Have final authority over security solutions and implementation decisions.

To contact the IT Security Team contact its@uth.tmc.edu

• provide the data processing and telecommunications hardware, software and computer network equipment to support the operations of the university
• examples are office of academic computing and administration and finance information services and medical school network operations

IT infrastructure owner responsibilities:

• ensure availability of IT infrastructure
• ensure confidential and sensitive information is protected during transmission
• ensure a disaster recovery plan is in place for the IT infrastructure

• create, alter, transmit and/or store information that is used to carry out a program(s) under their direction.

Owner Responsibilities:

• assume the role of information owner or delegate the role; accountability can not be delegated
• formally assign stewardship of the information resources, approve access to responsible stewards and ensure stewards are given appropriate authority to implement security controls and procedures
• assess the value of information resources
• classify data and information as defined in the Records Retention Schedule.
• ensure that the information resources are secured according to security policies and procedures promulgated by IRMs, specified in HOOP Chapter 17 and the IT Security Program.
• identify and protect vital records in accordance with record management guidelines. See Records Retention Schedules.
• ensure public information is carefully protected from deterioration, alteration, mutilation, loss, or unlawful removal; and ensure public information is repaired, renovated or rebound as necessary to maintain it properly
• determine what class of users need access to data and information on a "minimum necessary" basis
• assure that stewards have a disaster recovery plan for information resources

Examples of Owners:

The EVPA&F and Chief Operating Officer delegates the responsibility for ensuring that the UTHSC-H is in compliance with all relevant legislation to department heads. These positions are typically one organizational level below the positions of president, executive vice president, vice president, dean, or executive director of Harris County Psychiatric Center, and rarely more than two levels below.

"Department head" applies to UT-Houston associate and assistant deans, department chairs, module conveners, and others who serve in positions that function in the same manner as department heads, such as division chiefs and program directors, anyone with financial and administrative responsibility and accountability for their departments, such as process owners, principal investigators and directors.

• provide technical facilities and support services to IT, owners and users of information
• maintain the responsibility for implementing controls for the data or information based on assignment by the Owner and in accordance with the IT Security Program.
• typically maintain physical possession of information resources

Steward Responsibilities:

• assist owners in information classification in accordance with the Records Retention Schedule
• assist owners in disaster recovery planning for information resources. See IT Security Program
• assist owners in evaluating the cost-effectiveness of security controls
• identify positions that require special trust. A position of special trust is one in which the incumbent can view confidential information, can alter sensitive information, or is depended upon for the continuity of information resources that are determined to be essential
• implement the controls specified by the information owner in accordance with the IT Security Program.
• implement security controls on the department's server operating system level, network operating system level, PC level and applications software level in accordance with the IT Security Program
• confirm that controls are in place to ensure the accuracy and completeness of information
• Examples of Stewards:

Stewards include such individuals as school and departmental Local Area Network managers and webmasters, the office of academic computing, administration and finance information services, and system administrators, network analysts and IT support personnel for departmental systems.

• individuals who use the information that is processed by an automated information system
• Examples are employees, faculty, students, contract personnel, guest users of UTHSC-H information resources and patients are examples

User responsibilities:

• Know and comply with published university policies and procedures
• Manage UTHSC-H information resources responsibly
• Protect confidential and vital information in its entirety, regardless of the method of access
• Realize users are accountable for their actions relating to information resource security
• for user responsibilities see: 17.02 Telecommunications Usage, 17.05 Email and Internet Usage, 17.08 Records Management Program.

Examples of Users:

• Auditing and Advisory Services assesses the control environment of the IT environment and reports to Executive Management. Failure on the part of the university to comply with state security policies may result in further review by the Office of the State Auditor, disapproval by the DIR, and further action as deemed necessary by the DIR to ensure compliance.

Policies directed at the improvement of information resources security must rest upon three broad supports for effective implementation.

• The university user population is an informed community, knowledgeable about sound security procedures and the risks and liabilities attached to security violations through various publications and educational efforts.
• The user community pledges to abide by established policies and procedures relevant to information resources security.
• University security administrators maintain reasonable criteria for authorizing user access to information resources and obtain written verification from appropriate data owners before providing access.

The policies stated herein define accountability and responsibility toward information resources security. These policies apply to all individuals.

Individuals may not access university information resources, applications, or data without prior written authorization or approval. Individuals may not authorize an activity that supersedes the limits of their assigned authority. The rule of least possible privilege will apply generally to all university users. That is, if a user only requires readership of a file, he or she will not be granted greater (e.g., update) authority. This precaution protects information and user alike.

E-mail and Internet must be used only for legitimate state business; however, brief and occasional Internet browsing and e-mail messages of a personal nature may be sent and received subject to the permissible use and prohibited use sections of the information security policies set out in 17.05 Email and Internet Usage and in this manual.

University computer resources may not be used to develop programs or documents for outside use unless approved in writing by university management. All computer software programs, applications, documentation, source code, and object code are the property of the state if developed by state individuals in the course and scope of their employment or with the use of state equipment, materials or other resources, by contract personnel acting under a contract with the state, unless the contract specifically states otherwise, or with state funds.

When off-site terminals (whether university or privately owned) are used to access university information resources, their operation must comply with university policies and be for university business purposes only.

Passwords authenticate a user's identity and establish accountability. An individual is required by law to maintain the privacy of his or her password(s) and access code(s) and is accountable for the unauthorized use or negligent disclosure of all access means under his or her control.

The following actions constitute violations under this provision and are specifically prohibited:

• user-ids assigned to individuals should not be shared
• user-ids assigned to groups should not be shared with any personnel outside of the group assigned access to the user-id
• revealing passwords or access codes either verbally or in writing, and
• negligent disclosure of passwords or access codes

Individuals who request authorization to use university information resources sign the Information Resources User Acknowledgement Form acknowledging comprehension and acceptance of personal accountability. By signing this contract, individuals agree to only use the user-id or password for the purpose intended, not to share or disclose a password, and to report any suspected or confirmed violations to appropriate management.

Confidential information maintained by state agencies is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state or federal laws. Such information could include computer-processed reports, technical and business information, information systems and software development, and products and software licenses disclosed on a confidential basis to the university. Student and medical records are confidential

Vital information may be either public or confidential and requires a higher than normal assurance of accuracy and completeness. It requires special precautions such as error checking, verification procedures and access control to ensure integrity and protect it from unauthorized modification or deletion. Information concerning agency operations or finances is

considered vital.

The information resource steward identifies individuals with special trust. A position of special trust is one in which the individual can view confidential information, alter sensitive information or is depended upon for the continuity of information resources that are determined to be essential.

An individual is also considered to be in a position of special trust if they may act independently of controls and supervision and impact the confidentiality, integrity, or availability of vital information. Individuals with user-ids are considered to be in a position of special trust and must use their access for internal university business only, or as in the case of computer generated reports which may be regarded as confidential by applicable federal and state laws and university policy.

The university makes every effort to protect its computer resources, applications, and data against loss, destruction, and unauthorized access. Individual are prohibited from intentionally or knowingly altering, damaging, or destroying any university computer resources causing them to malfunction or interrupt their operation.

Computers able to access the mainframe or local or wide area networks should not be left unattended while logged on. Printed reports containing confidential information should be stored in a secure area.

Personal computers (PCs) lack many of the controls found in larger processing environments such as backup procedures, access restrictions, and audit trails. Departments should establish a regular schedule for making backup copies of all data files and ensure that backup copies of all software and data files are stored in a safe location. Heat, magnetic fields, or improper handling easily destroys compact discs, floppy disks, data cartridges and tapes.

To ensure the protection of critical data, it should be stored on a network drive. For example, all networks within General Administration are backed up on a daily basis. Individual are personally responsible for making backup copies of data on a PC's hard drive. To protect against viruses, run PC virus detection programs regularly and do not download software from public access sites.

Security awareness and training of individuals is one of the most effective means of reducing vulnerability to errors and fraud and must be continually emphasized and reinforced at all levels of management. New employees are advised of information resources security policies during new employee orientation administered by Peopleworks.

Students are advised of information resources security policies during orientation. All contract personnel who use university information resources in any capacity are required to sign a Security Acknowledgement Agreement.

Non-disclosure agreements are required from individuals in order to obtain access to university information resources. These agreements document that faculty, staff, students and contractors accept responsibility for using state-owned assets and are accountable for their actions relating to information resources security.

• All individuals who use university information resources acknowledge that their duties will bring them into contact with information or information resources that are of value to the state and that require protection.
• All individuals are required to uphold the university’s policies and procedures to safeguard the information and associated resources that may be entrusted to them, or that they may come into contact with.
• All individuals agree to use university information resources in accordance with university policies and procedures, and federal and state laws.
• All individuals are required to agree to report violations of policies or procedures to their supervisor, their Information Security Administrator, or other person designated by the process owner.
• Copies of non-disclosure agreements are maintained in employee or contract files, and the agreements should be updated at least annually. A discussion of the terms of the agreement will be conducted with new employees upon hiring, and with terminating employees.

Software or related documentation licensed to the university may not be copied unless explicitly authorized in writing by the software developer. Copying software that is licensed to the university onto a personal home computer to do university work is not permitted unless expressly authorized in the license agreement. In cases involving multiple use of a single product (e.g., in

networks), individuals shall use the software only in accordance with the license agreement.

Any action or order that would result in the violation of a copyright, trade secret, or license agreement is prohibited. Exercise extreme caution when copying, reproducing, selling, or using copyrighted or proprietary software programs and associated documentation to avoid such violation.

An individual who willfully and knowingly infringes a software copyright and, in doing so exposes the university to the possibility of legal action, should not assume that the state of Texas would provide his or her legal defense. Refer to section 1.15 of the HOOP for more information on software copyright law.

The Texas Public Information Act "requires that all records of the executive and legislative branches of state and local government be made available for public examination unless the records fall within one of the exceptions listed in the statute". Applicable exceptions that allow governmental agencies to close records to the public are as follows.

• Information made confidential by law.
• Private information in personnel files may be withheld from disclosure when such disclosure would constitute an unwarranted invasion of privacy. Generally, records containing a public employee's name, age, education, experience, certificates, awards, position, salary, and prior employment are public. However, portions of professional public school employees' college transcripts must be deleted, such as grades.
• Certain records concerning regulation of financial institutions and securities if the records identify a specific regulated entity.
• Student records are excepted from disclosure except to the student, spouse, parents or certain school personnel.
• Working papers of the state auditors are excepted from disclosure. Audits by internal auditors are to be released except for those portions containing student and personnel records.
• Home addresses of current and former government employees and officials are subject to public access unless the employee or official claims confidentiality. Peace officers do not need to claim confidentiality, as other government employees must, their home addresses and telephone numbers are automatically excepted.
• The names of applicants for chief executive officer of institutions of higher education are excepted.
• Patient medical records are subject to statutes other than the Texas Public Information Act and are therefore held confidential to the extent that the law specifies. No release of such records is permitted without the prior review and authorization of the Office of Legal Affairs and Risk Management.

The following sections of the Texas Penal Code apply.

An individual commits an offense if the individual

• knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.
• intentionally or knowingly gives a password, identifying code, personal identification number, debit card number, bank account number, or other confidential information about a computer security system to another individual without the effective consent of the individual employing the computer security system to restrict the access to a computer, computer network, computer system, or data.
• An offense under this section is a Class A misdemeanor unless the actor's intent is to obtain a benefit or defraud or harm another, in which event the offense is:
• a state jail felony if the value of the benefit or the amount of the loss or harm is less than $20,000; or
• a felony of the third degree if the value of the benefit or the amount of loss or harm is $20,000 or more.

An individual who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections.