Handbook of Operating Procedures

I. POLICY AND GENERAL STATEMENT

Except as otherwise provided by HOOP 201, HOOP 92 or any other applicable University policies, The University of Texas System (“UT System”) policies or Regents Rules pertaining to ownership of intellectual property, University Information Resources and University Data are owned by The University of Texas Health Science Center at Houston (“University”) and exist to support the mission of the University.  University Information Resources and University Data must be used, managed and protected appropriately to ensure that they are: 

• available;
• accurate and complete; and
• disclosed appropriately when required.

University Information Resources and University Data fall under the authority and responsibility of the Chief Information Officer (CIO) and are subject to federal, state, and local laws and regulations, UT System policies (including UT System Policy UTS 165), and University policies. The Senior Executive Vice President, Chief Operating and Financial Officer delegates the responsibility to department heads for ensuring that the University is in compliance with all relevant laws, regulations and policies. The Chief Information Security Officer (CISO) and the central Information Technology Department assist department heads by establishing policies, procedures and guidance for University Information Resources and University Data, published in the IT Policy and Document Repository.

University Information Resources and University Data are subject to many different threats that can reduce or eliminate data availability, compromise integrity and violate confidentiality; thus, it is imperative that they are safeguarded appropriately. Individual users’ actions can contribute to or reduce the risk of most threats. All users are responsible for their use, management and protection of University Information Resources and University Data and are accountable for their actions. All users have one or more roles to fulfill related to University Information Resources and University Data. This policy outlines such roles and describes the responsibilities of each.

Failure to comply with federal, state and local laws and regulations, UT System policies and University policies may result in fines, penalties and/or review by UT System, review by the Office of the State Auditor, review by federal agencies, or disapproval by the Texas Department of Information Resources (“DIR”) and further action as deemed necessary by the DIR to ensure compliance. 

Nothing in this policy supersedes or modifies HOOP 201, Intellectual Property, HOOP 92, Research Data Retention and Access, or any other applicable University or UT System policies or Regents Rules pertaining to the ownership of intellectual property.

II. DEFINITIONS

University Information Resources: All computer and telecommunications equipment, software, and media that is owned or controlled by the University or maintained on its behalf.

University Data: All data or information held on behalf of the University or created as a result and/or in support of University business, including paper records.

The University does not assert an ownership interest in the content of exclusively personal information or documents stored on University Information Resources as part of a User’s Incidental Use (see HOOP 180, Acceptable Use of University Information Resources).  However, such information and documents may be subject to access and/or monitoring by the University.  

User:  Any individual granted access to University Information Resources and/or University Data.

System Owner: The person responsible for the business function or project that depends on a system. If the system supports multiple business functions, the system owner is the person responsible for carrying out the overall program that the system supports. Examples of System Owners include:

• department heads, such as associate and assistant deans and department chairs;
• individuals who serve in positions that function in the same manner as department heads, such as division chiefs, program directors and lead researchers; and
• individuals with financial and/or administrative responsibility and accountability for their departments or projects, such as process owners, principal investigators and directors.

System Owners are typically one organizational level below the positions of President, Executive Vice President, Vice President, Dean, or Executive Director of The University of Texas Harris County Psychiatric Center, and rarely more than two levels below.

Custodian: Provides technical facilities and/or hardware, software or application production support services for a University Information Resource or University Data. Each Custodian is assigned by Information Technology management and/or the System Owner and should have the knowledge and experience required to adequately perform the associated responsibilities. Examples of Custodians include (1) IT Infrastructure System Owners, (2) system, database and application administrators, (3) third parties providing outsourced support, and (4) school or department support personnel who have physical or logical control over hardware, software or services.

Information Security Administrator (ISA): A Custodian that has additional, security-focused responsibilities as outlined in UT System Policy UTS 165. A Custodian is assigned to the additional role of ISA by the System Owner. A third party providing outsourced support cannot be an ISA. The ISA assists the CISO in advancing the Information Security Program as a member of the Information Security Working Group.

Project Manager: The person responsible for the entire implementation of an information technology project from concept to rollout, which includes strategic, financial and technical responsibilities, and ensuring that the project is built and implemented securely. The implementation includes all or most of the following: procurement, functional and technical specification documentation, development, testing, integration, installation and training. Consideration must also be given to any manual or automated processes the implementation will impact, including other University Information Resources. Typical examples of Project Managers include System Owners, Custodians and IT Infrastructure System Owners.

Information Technology Project: Any project that includes or relies on a University Information Resource.

IT Infrastructure System Owner: A Custodian of shared technology who is responsible for maintaining and operating hardware and associated software to provide computing services, storage and connectivity for University Information Resources. IT Infrastructure System Owners are information technology professionals who report to the University’s central Information Technology Department directly or indirectly through an established information technology department within a school. Examples of IT Infrastructure System Owners include information technology professionals reporting to the following areas:

• Information Technology Security and Disaster Recovery Planning, part of central Information Technology
• Data Center Operations & Services, part of central Information Technology
• Communications Technology (part of central Information Technology)
• Medical School Information Technology
• School of Public Health Information Technology Services
• School of Biomedical Informatics
• Harris County Psychiatric Center Management Information Systems

Chief Information Security Officer (CISO): The Senior Executive Vice President, Chief Operating and Financial Officer has designated the CISO to serve as the information security officer as required by Title 1, Rule §202.71(d) of the Texas Administrative Code with authority for the entire University. The CISO leads the Information Security and Disaster Recovery Planning department and reports directly to the Senior Executive Vice President, Chief Operating and Financial Officer, with an indirect (“dotted-line”) reporting relationship to the Chief Compliance Officer and the Chief Information Officer. The CISO and the department are assisted by the Information Technology Security Core Team and the departmental ISAs.

Chief Information Officer (CIO): The CIO is responsible for overseeing the management of University Information Resources, University Data and the IT risk management program.  Per UTS 165, the CIO is designated as the Information Resource Manager for the University, as defined by Chapter 211 of the Texas Administrative Code.

President: The President is ultimately responsible for the security of state information resources.  Per Title 1, Texas Administrative Code, 202.70, a key responsibility of the President includes garnering support from senior University officials and information owners for the provision of information security for the information systems that support the operations and assets under their direct or indirect control.

Mission Critical Information Resources: University Information Resources defined by the University to be essential to its function and that, if made unavailable, will inflict substantial harm to the University and the University’s ability to meet is instructional, research, patient care, or public service missions. 

Triage Team: The Triage Team meets regularly to review incidents of suspected non-compliance. The Triage Team is made up of the following permanent members, with others requested to attend as needed: Chief Legal Officer, Chief Human Resources Officer, Chief of Police for The University of Texas at Houston Police Department, Chief Audit Officer and Chief Compliance Officer. 

III. PROCEDURE

All Users must be aware of their role(s) and accept the associated responsibilities. Role responsibilities cannot be delegated except as provided below.

Each User, by default, is assigned the User information resource role. Users may have more than one role and are responsible for reading the role descriptions below, identifying all of their additional roles and meeting the responsibilities of each role. For example, a User who is responsible for a business function that depends on a system may also be a System Owner, a User who is responsible for the implementation of a new system may also be a Project Manager, and a User who is responsible for the technical support of a system may also be a Custodian.

The primary roles are as follows:

• User
• System Owner (Information Owner, Data Owner)
• Custodian
• Information Security Administrator
• Project Manager
• IT Infrastructure System Owner
• Chief Information Security Officer
• Chief Information Officer
• President
• Auditing & Advisory Services
• Office of Institutional Compliance (“OIC”)
• Triage Team

A. User

A User’s primary responsibilities include:

1. Use University Information Resources and University Data responsibly and for their intended purposes as established by the System Owner.
2. Comply with controls established by the System Owner and be accountable for his or her actions.
3. Know and comply with published University policies and procedures.
4. Read and sign the Information Resources User Acknowledgement Form.
5. Do not share passwords or similar information or devices used for identification and authorization purposes.
6. Protect data appropriately regardless of the method of access.
7. Determine if other roles apply to him or her and, if so, accept responsibility for the role(s) and meet the associated responsibilities.
8. Report information security incidents, including unintentional or intentional misuse, in accordance with Computer Security Incident Response Policy (ITPOL-017).
9. Complete required University Information Resource and security related training.

B. System Owner (Information Owner, Data Owner)

A System Owner’s primary responsibilities include:

1. Assume the role of System Owner or delegate the role. Accountability cannot be delegated.
2. Formally assign/acknowledge the Custodian(s) and ISA for the system, including outsourced systems.
3. Approve the level of access that each Custodian needs to perform required administration and maintenance and to implement required security controls and procedures.
4. Ensure that the system is in compliance with applicable federal, state, and local laws and regulations, UT System policies, and University policies, procedures and guidance. These include, but are not limited to: the accessibility requirements as set forth in Title 1, Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and University policies, procedures and guidance found in the IT Policy & Document Repository.
5. If the University Information Resource is a system containing electronic records subject to the Code of Federal Regulations, Title 21 part 11 (21 CFR part 11), the System Owner must demonstrate compliance with the requirements of those regulations.
6. Determine the system’s value.
7. Perform a risk assessment annually for Mission Critical Information Resources and biennially for non-Mission Critical Information Resources.  Identify and document actions required and taken to meet acceptable risk levels.  Implement mitigation strategies as needed.  Ensure that information security is addressed throughout the life cycle of the information resource.
8. Classify and secure data appropriately, taking into consideration security or operational controls required to ensure the availability, confidentiality and integrity of the system’s data. Communicate these controls to the Custodian, train the Users as needed and confirm that the controls are in place on a regular basis.
9. Document, justify, obtain approval and be accountable for exceptions to security controls. The System Owner must obtain approval for exceptions to security controls from the CISO.
10. Determine appropriate access for system users based on the minimum necessary access required to perform their assigned job responsibilities. Approve new access assignments and review all assigned access for appropriateness on a regular basis.
11. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017).
12. Create, maintain and train users on a departmental business continuity plan.
13. Include an adequate disaster recovery plan for the system as part of the departmental business continuity plan; see the Information Security Program. Assure that the assigned Custodian has a copy of the disaster recovery plan.
14. Retain and destroy records in accordance with HOOP Policy 181 Records Management Program. 

C. Custodian

A Custodian’s primary responsibilities include:

1. Perform required administration and maintenance of the University Information Resources and University Data.
2. Implement applicable University Information Resource and University Data policies, procedures and guidance in the IT Policy & Document Repository, including change management and security safeguards and controls.
3. Report information security incidents, including unintentional or intentional misuse, in accordance with Computer Security Incident Response Policy (ITPOL-017).
4. Assist System Owners in performing risk assessments and evaluating the cost effectiveness of controls.
5. Implement controls specified by System Owners and confirm they are in place as appropriate.
6. Implement processes that aid in detecting, reporting and investigating security incidents.
7. Assist System Owners in disaster recovery planning for the University Information Resource and University Data; see the Information Security Program.
8. Maintain a copy of the disaster recovery plan in the appropriate location(s).
9. Assist System Owners with the destruction of records in accordance with HOOP Policy 181 Records Management Program.
10. Provide information necessary to provide appropriate information security training to employees.
11. Ensure information is recoverable in accordance with risk management decisions.
12. Ensure that University Information Resources designed for use by the public are configured to enforce security policies and procedures without requiring user participation or intervention. Information resources must require the acceptance of a banner or notice prior to use.

D. Information Security Administrator

An Information Security Administrator’s primary responsibilities include:

1. Implement and comply with all applicable policies and procedures relating to assigned systems.
2. Assist System Owners in performing annual information security risk assessments for Mission Critical Information Resources.
3. Report general computing and security incidents to the CISO.
4. As a member of the ISA Work Group, assist the CISO in developing, implementing, and monitoring the Information Security Program.
5. Establish reporting guidance, metrics, and timelines for the CISO to monitor effectiveness of security strategies relating to assigned system(s).
6. Report at least annually to the CISO on the status and effectiveness of University Information Resources and University Data security controls.

E. Project Manager

A Project Manager’s primary responsibilities include:

1. Determine if existing University resources can be used to deliver the required information technology by contacting the University’s central Information Technology Department or an established information technology department in each school.
2. If the information technology project will be outsourced or hosted by a third party and will transmit, process or store University data, refer to the Information Services Provider Security & Compliance Checklist.
3. Follow the System Development Methodology (ITGD-004) guideline when implementing information technology projects.
4. Ensure that the information technology project is in compliance with applicable federal, state, and local laws and regulations, UT System policies and University policies, procedures and guidance. These include, but are not limited to: the accessibility requirements set forth in Title 1, Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and the University policies, procedures and guidance found in the IT Policy & Document Repository.
5. Identify, document, and address security requirements in all phases of development or acquisition of University Information Resources or University Data.
6. Ensure that the University Information Resource is/will be in compliance with federal, state and local laws and regulations, UT System and University policies and applicable University Information Resource policies, procedures and guidance published in the IT Policy & Document Repository.

F. IT Infrastructure System Owner

An IT Infrastructure System Owner’s primary responsibilities include:

1. Procure, support, maintain and/or operate computing services, storage and connectivity, including but not limited to:  servers, storage systems, Internet, Intranet, Wide Area Ethernet network (clinics and business partner connections), fire alarm systems, security camera systems for The University of Texas at Houston Police Department, telephone system, firewalls, and intrusion detection/protection.
2. Ensure that the system is in compliance with applicable federal, state, and local laws and regulations, UT System policies, and University policies, procedures and guidance. These include, but are not limited to: the accessibility requirements as set forth in Title 1, Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and University policies, procedures and guidance found in the IT Policy & Document Repository.
3. Perform a risk assessment annually for Mission Critical Information Resources and biennially for non-Mission Critical Information Resources.  Identify and document actions required and taken to meet acceptable risk levels.  Implement mitigation strategies as needed.  Ensure that information security is addressed throughout the life cycle of the information resource.
4. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017).

G. Chief Information Security Officer (CISO)

The CISO’s primary responsibilities include:

1. Develop, oversee the implementation of, and monitor a documented Information Security Program and related security policies and procedures (including monitoring the effectiveness of defined controls for Mission Critical Information Resources). This program is applicable to all University Information Resources and University Data and everyone who has a University Information Resource or University Data role at the University.
2. Obtain approval of the Information Security Program by the President or his/her designee.
3. Provide regular reports and updates to the University’s Executive Compliance Committee (ECC) and to UT System. Provide a report to the President (or his/her designee) at least annually on the status and effectiveness of information resources security controls.
4. Promote the University Information Resource and University Data security policies, procedures, standards and guidelines applicable to central and decentralized areas of the University.
5. Work with System Owners, Custodians, ISAs, IT Infrastructure System Owners, Project Managers and other information technology professionals to determine security requirements for University Information Resources and University Data and security solution implementations that protect against unauthorized or accidental modification, destruction or disclosure.
6. Have authority over security solutions and implementation decisions.
7. Review and approve security requirements for purchases of hardware, software, applications, information services or system development services.
8. Perform and document annual risk assessments to determine if University Information Resources and University Data are adequately protected, including identification of Mission Critical Information Resources.
9. Make policy and procedure changes and practice recommendations as appropriate to improve the security environment.
10. Establish and administer a process to address violations of security policies and procedures.
11. Exercise authority to issue exceptions to security policies and procedures after appropriate review. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
12. Obtain access to any University Information Resource and University Data as needed.
13. Report certain violations to the Triage Team, UT System and/or the DIR as required.
14. Ensure information security awareness training is provided to all employees on a regular basis and to all new employees within 30 days of date of hire.
15. Establish an Information Security Working Group composed of ISAs and hold meetings at least quarterly.
16. Possess training and experience required to administer the functions described in this policy.
17. Develop and maintain an institution-wide information security plan as required by §2054.133, Texas Government Code.
18. Review the University’s inventory of information systems and related ownership and responsibilities at least annually.
19. Verify that security requirements are identified and risk mitigation plans are developed and contractually agreed and obligated prior to the purchase of information technology hardware, software, and systems development services for any high impact computer applications or computer applications that receive, maintain, and/or share confidential data.
20. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017) and Title 1, Texas Administrative code 202.73.
21. Participate in the UTSystem CISO Council meetings, workgroups, and related activities.

H. Chief Information Officer

The CIO’s primary responsibilities include:

1. Develop strategic information technology plans and operating and capital budgets for the University to provide reliable and secure University Information Resources and University Data. This includes applications and infrastructure supporting the administrative, academic, research and clinical functions of the University.
2. Promote the University Information Resource and University Data administrative and operational policies, procedures, standards and guidelines applicable to central and decentralized areas of the University.
3. Promote record management policies and procedures and provide appropriate systems and services for effective and efficient records management capabilities consistent with industry standards and federal, state, and local laws and regulations.
4. Promote partnerships with internal and external parties, including federal, state and local agencies, UT System, other UT institutions and other Texas Medical Center entities.
5. Serve as the University’s technical representative to the Information Technology Governance Council.
6. Perform an annual risk assessment for University Information Resources.
7. Responsible for the design, execution and effectiveness of internal controls providing reasonable assurance that operations are effective and efficient, assets are safeguarded, financial information is reliable, and applicable laws, regulations, policies and procedures are met.
8. Respond to information resource audit recommendations and risk mitigation requirements.
9. Complete continuing education requirements in role as Information Resource Manager as required by Chapter 211 of the Texas Administrative Code.
10. Complete and submit a biennial information security plan, in accordance with §2054.133, Texas Government Code.

I. President

The President is ultimately responsible for the security of University Information Resources.  The President’s responsibilities include:

1. Designate a Chief Information Security Officer who has the explicit authority and the duty to administer the information security requirements of Title 1, Texas Administrative Code, Rule 202.70 for the entire University.
2. Allocate resources for ongoing information security remediation, implementation, and compliance activities that reduce risk to a level which the President deems acceptable.
3. Ensure that senior University officials and system owners, in collaboration with the Chief Information Officer (the University’s designated Information Resource Manager) and the Chief Information Security Officer, endorse the provision of information security for the information systems that support the operations assets under their direct or indirect (e.g., cloud computing or outsourced) control.
4. Ensure that the University has trained personnel to assist the University in complying with the requirements of Title 1, Texas Administrative Code and related policies.
5. Ensure that senior University officials support the University Chief Information Security Officer in developing, at least annually, a report on the University’s information security program.
6. Approve high level risk management decisions.
7. Review and approve at least annually a University information security program.
8. Ensure that information security management processes are part of the University’s strategic planning and operational processes.

J. Auditing & Advisory Services

Auditing and Advisory Services (A&AS) assesses information resources and the control environment and reports results to management and the Audit Committee, including at least a biennial review of the information security program as required by Texas Administrative Code Chapter 202.

K. Office of Institutional Compliance (OIC)

The OIC promotes compliance with all applicable legal, regulatory and policy requirements. The OIC assists the University’s Information Technology department(s) in conducting an annual risk assessment, identifying high risk areas with the assistance of the ECC, developing risk mitigation plans and performing verification activities to ensure that the level of information resource risk to the University is within a range acceptable to the ECC.

L. Triage Team

The Chief Compliance Officer, in coordination with the Triage Team, investigates or coordinates the investigation of all reports of suspected non-compliance with federal, state or local laws or regulations, UT System policies or University policies. The Triage Team also recommends an appropriate course of action which may include counseling, disciplinary action and/or reporting to another agency as required. The Triage Team reviews the results of all investigations and recommends further action as necessary. 

IV. CONTACTS

• • IT Risk and Compliance Manager
  • 713-486-2219
  • itcompliance@uth.tmc.edu

---