| Info. Security Procedural Responsibilities | Audience | Summary Description | Format |
|---|---|---|---|
| Glossary of Terms Security Supplement | | | |
| Introduction | | | |
| Examples of Data Typology | | | |
| Information Security - Personal Responsibilities | Every Georgetown University Employee | | |
| Departmental Requirements | | | |
| What You Need to Read, Know and Reference | | | |
| 01 Protected Records | Workforce | Reasonable steps are taken to protect the ePI held by Georgetown University by complying with GU standards and Federal and State requirements. All policies, procedures, and other documentation are retained as per the Georgetown University Records Retention Policy. | |
| 02 Security Office | Workforce | The Security Officer is designated for the entire University, as well as individual Local Information Security Personnel for each information system within Georgetown University. These Officials are responsible for overseeing security assessment, policy and procedural development, risk monitoring, communication and training, and overall security compliance activities. | |
| 03 All Information Technology Professionals (ITPs) | ITPs, SNAs, APAs, SPs, UISO, UNSO, LISPs, Managers | The responsibilities of Systems and Network Administrators (SNAs), including Application Programmers and Administrators (APAs) and Technology Service Providers (TSPs), are described. | |
| 04 Security Awareness Training | Workforce | Security training and awareness programs are implemented at the Georgetown University and local levels, as appropriate, including New Hire Orientation, periodic security reminders, job-specific training, etc. | |
| 05 Risk Analysis | ITPs, SNAs, Area Administrators, Data Stewards, and LISPs | Risks to our information systems and media that contain ePI are analyzed to reduce the frequency and impact of security failures. | |
| 06 Access Control | Access Administrators, Supervisors, SNAs, LISPs, the UISO, Data Stewards, NetID Office personnel, GOCard Office personnel, Facilities, DPS, and all ITPs | Access Administrators determine which work roles should have access to which ePI. Supervisors request ePI access for each supervisee based on that person's work role(s), revising access when work role(s) change. Unique NetIDs are assigned to each person who accesses ePI on a system, and that access is monitored. Physical access to systems and media is controlled where necessary to protect the systems and media or to permit only the ePI access that is authorized. | |
| 07 Use of Systems and Media Containing ePI | Workforce using ePI, anyone authorized to use an ePI System or Media | Information systems and media are used in a manner that keeps ePI secure. System administrators are consulted before taking any action that may increase the risk to ePI that is stored on or accessed through a system. | |
| 08 System Administration | Area Administrators, Data Stewards, SNAs, ITPs, and every user on or off campus | Information systems are administered in a secure manner. Manufacturer recommendations and industry practices are followed to protect each information system. Access is controlled and documented. The criticality of a system to University operations is determined so that preparations can be made to restore the system and its ePI contents. | |
| 09 Teleworking | Teleworkers (by definition the SNA of the system they are using), Supervisors, Data Stewards | Describes security responsibilities of teleworkers, supervisors, and data stewards. This includes configuration, operating system patches, and antivirus software. | |
| 10 Mobile Devices | Users of mobile devices with ePI, and those issuing them | Describes security for Palms, Blackberries, handheld computers, and laptops. | |
| 11 Incident Response | Workforce, UISO, LISP, Data Stewards, Managers of Users, Information Service Providers, SNAs | Security risks and failures that threaten ePI are reported to the security responders appropriate to the threat. For security incidents that pose a high threat and high business impact, the Security Officer invokes the Security Incident Response Team to manage the incident. | |
| 12 Contingency Plan | Project Manager, SNA, Department Administrator or Manager, UIS and Risk Services representative | Contingency plans for critical information systems are made in proportion to the impact of possible incidents on Georgetown University business operations. Contingency plans are tested periodically and revised as the risks to each system change. | |
| 13 Disposal of Media Containing ePI | Workforce and students | Georgetown University will properly dispose of Protected Information (PI) recorded on any physical medium, including ePI, whenever that medium will no longer be under the physical control of those who are authorized to access, store, or transport it. ePI is disposed of properly through reasonable methods, making it unreadable and unrecoverable. | |
| 14 Lost or Stolen Device or Media with ePI | Workforce | Outlines steps users must take to ensure the campus complies with all laws and regulations regarding personal and confidential information when desktop or laptop computers and electronic storage devices are lost or stolen. It applies to media containing ePI as well. | |
| 15 ePI Disclosure | Workforce | When an ePI disclosure has occurred, the UISO convenes representatives from UIS, General Counsel, Safety, HR, Internal Audit Management, and Risk Management; a faculty member; and the Data Steward of the compromised system. | |
| 16 Conduct Security Review or Audit | Workforce | Describes the process for DMCA requests, subpoenas, or retrieving ex-employees' files. | |
| 17 Confidential Server Authorization | Data Stewards, SNA, LISP | Prior to ePI server deployment, a departmental representative must register it with the UISO, identifying the data steward, system administration, and security event contacts. The server and application will be reviewed by the UISO prior to authorization. | |
| 18 Sanctions | Workforce | Reported violations of Georgetown University security policies are reviewed, and appropriate sanctions are imposed that correspond to the circumstances and seriousness of the violation. | |
| Appendix 1 Best Practices for Backup and Recovery | | | |