Computer Security Policy
The University of Kansas Medical Center assures the development
and maintenance of appropriate mechanisms to protect the confidentiality,
integrity and availability of its computerized data and information
resources.
Purpose
An academic health center creates, processes and manages sensitive
materials each day. The data and systems created and managed are
proprietary, and as such must be secure from inappropriate use and
intrusions. The purpose of this policy is to establish security
requirements for all computer systems and data and provide an accountability
framework for users. Violations of this policy and its procedures
are a serious offense and appropriate disciplinary actions will
be taken.
Resources Covered
- Central computer network via campus or remote access
- All software programs and systems
- All data maintained in active or archived files
Groups Covered
- Full-time, part-time and volunteer faculty, administrative
and support staff
- Emeritus faculty
- Full-time and part-time students
- Affiliated campus corporations or non-profit groups
- Other groups and organizations relying on kumc.edu as a host
through contractual relationships.
Definitions
Information Resources - Computer systems, equipment, software and
data.
KU Medical Center - All academic and support units, and related
organizations and corporations using the central computer network.
Network - Computers and associated devices connected to the Medical
Center’s central communications line; includes all addresses
within 169.147 (kumc.edu).
System - Computer that provides services to multiple users or other
computers.
User - Anyone who accesses the Medical Center’s network, computer
systems or data.
Certified Computer – Server or workstation configured
and tested to meet specific security requirements.
Procedures
- The Security Administrator, in consultation with the Chief
Information Officer, will establish the following levels of security.
Physical
- Access to control centers will be regulated at all times.
- Building wiring will be concealed and access portals locked.
- Obsolete computer equipment will be disposed of according to the
KUMC
Electronic Equipment Disposal Policy.
Network
- All network equipment and software will be installed and maintained
by Information Resources. Users may not install hubs, wireless access
points, terminal services, or other equipment that extends the network
nor may they access, alter, remove,connect to, or otherwise tamper
with any equipment managed by Information Resources.
- Programs that interfere with proper network operation or that create
substantial interference or risk will not be allowed.
- Traffic matching specific reconnaissance, intrusion or virus patterns
will be prevented from entering or exiting the network.
- Wireless access will be permitted only for registered computers.
- Remote access to networked systems and devices will be permitted
only as specified in the Remote Access Security Policy.
Systems
- Systems will be maintained in accordance with the Server Security
Requirements.
Workstations
- McAfee anti-virus and ZenWorks remote support software will be active
on workstations connected to the network.
- Workstations will be protected from the Internet by
a firewall in accordance with the Perimeter Security Policy.
-
Security staff will enforce group policies on workstations accessing Protected Health Information (PHI) or student financial data.
- Workstations containing or accessing sensitive information, including protected health information, should be located out of public view and must be protected by password-protected screensavers.
Data
- Backups will be performed according to schedules determined
by type, sensitivity, importance, and value.
- Encryption will be applied based on type, sensitivity, importance
and value.
- The record retention schedule will govern the storage of data.
- Protected Health Information (PHI) and student financial data will be safeguarded in compliance with HIPAA and the Gramm-Leach-Bliley Act.
- Sensitive data transmitted into or out of the KUMC network via the public Internet must be encrypted. Encryption may be accomplished through VPN, SSL, SSH, SFTP or other secure methods approved by the Director of Information Security. Encryption is not needed for data transmitted via dedicated line when the offsite location is protected by a firewall.
User
- Access to systems and data will be granted on a need-to-know
or need-to-use basis using appropriate passwords and supervision.
- Access will be immediately terminated when a user separates
from the Medical Center. Inactive accounts will be disabled or
deleted after review.
- Employees will complete annual Computer Security Awareness
Training.
Exemptions
Requests for exemptions must be submitted in writing by the Department
Chair or Director to the Security Administrator with full documentation
and explanation for request.
Limitations
Appropriate measures will be taken to protect the security of the
Medical Center’s information resources. Nevertheless, the Medical
Center cannot fully guarantee the integrity, availability and/or
confidentiality of its resources from unauthorized modification,
destruction or disclosure.
Related Documents
Appropriate Use of Information Systems Policy
Computer Password Policy
Electronic Mail Policy
Perimeter Security Policy
Remote Access Security Policy
Server Security Requirements
Server Security Requirements
Any computer that provides services to multiple users or other computers
may be considered a server. Servers connected to the campus network
require special attention with regard to computer security and must
be certified by Security staff. System administrators of servers must
follow the following guidelines.
Registration
- Register server in Central Server Database. Machine name,
name server entry, operating system, physical location (building/room),
and name of contact person are required.
Location
- All servers that require 24/7 uptime, or that contain sensitive
or critical information, must be in a secure facility. For systems that are not located in the computer room, unit or department managers are responsible for assessing and mitigating risks such as threats from theft, tampering, fire and flood.
Setup and maintenance
- Secure test servers exactly as production servers when connected
to the network.
- Keep operating system patches or service packs current.
- Disable unnecessary protocols and services. The following should always
be disabled unless you have received specific approval from Information
Resources Security Administration: DNS, FTP, HTTP, HTTPS, SMTP.
- Enable intruder lockout on accounts. Install intrusion detection
software (TCP Wrappers or TripWire) on all UNIX systems.
- Scan for viruses and update virus detection software regularly.
- Enable auditing and examine logs regularly for anomalies.
- Synchronize server time with timesource.kumc.edu, an official
Network Time Protocol source.
- Customize logon banner to alert users that unauthorized
use is prohibited.
- Document baselines of listening ports and running services
and compare with current activity regularly.
- See Remote Access Policy for requirements regarding remote
access/remote control.
- Use a wipe utility to remove sensitive data from media before
reallocation or disposal.
- Register the server in the Central Server Database and keep the CSD information current.
Account management
- Allow only the system administrator or authorized designees
to manage user accounts.
- Disable anonymous logon and guest accounts.
- Change default passwords for built-in accounts immediately
after setup.
- Assign unique usernames and strong passwords. See
Password Policy for guidelines.
- Enforce the "least privilege" principle. Users should
have only the minimal access rights required to perform their
duties.
- Modify access for transferred employees in consultation with new and old supervisors.
- Delete accounts of separated/terminated employees promptly.
Separation reports are available from the Security Administrator.
- Review accounts regularly for inactivity; disable or delete
inactive accounts.
- Change administrator or root password when system administrator
separates from the University.
If you believe you need an exemption from any of these practices,
consult with Information Resources Security Administration.
Remote Access Security Policy
Remote access to networked systems and devices is permitted as follows:
Policies governing Appropriate
Use, Internet,
Electronic
Mail, and other technology-related issues apply to all users
connected to the network on campus or from a remote location.
KU Medical Center provides dial-up service for faculty, staff,
and students through KUMC On-Line. KUMC On-Line usage/support policies
are available at
http://www2.kumc.edu/remote/policies.asp.
Information Resources checks the campus telephone system and network
to detect modems located at KU Medical Center. The network also
is checked for remote-control hosts. Use of modems and/or remote
control software must be approved by the Security Administrator.
Users who use remote control applications must configure their
workstations to meet KU Medical Center’s security requirements.
VPN software is required to access computers behind the University or
Hospital firewalls.
Departments that permit vendors, support personnel, and other third-parties
access to networked resources must notify the Security Administrator.
Connection type, software, and security features will be reviewed.
Server side of the connection should not remain in active host mode
when not in use.
Contact Information
For information on this policy, please contact:
Jim Bingham
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
3901 Rainbow Blvd.
Kansas City, Kansas 66160
(913) 588-7300
Sherry Callahan
Director, Information Security
Department of Information Resources
University of Kansas Medical Center
3901 Rainbow Blvd.
Kansas City, Kansas 66160
(913) 588-0966
Approved July 1, 2001
top of page
©
The University of Kansas Medical Center