KUMC Computer Security Policy
An academic health center creates, processes and manages sensitive materials each day. The data and systems created and managed are proprietary, and as such must be secure from inappropriate use and intrusions. The purpose of this policy is to establish security requirements for all computer systems and data and provide an accountability framework for users.
Resources Covered By This Policy
- Central computer network via campus or remote access
- All software programs and systems
- All data maintained in active or archived files
Individuals and Groups Covered By This Policy
This policy applies to all KU Medical Center faculty, staff, and students; employees of the University of Kansas Physicians, Inc.; and vendors, contractors, or any others who have access to KUMC systems or data.
The Director of Information Security, in conjunction with the Chief Information Officer, has the authority and responsibility to establish information security policies, guidelines, and standards.
All users of systems owned or managed by the University, whether or not connected to the KUMC network, are expected to follow this policy.
Requirements for University Devices or Devices Connecting to the KUMC Network
- Access to data centers housing information systems and wiring closets housing networking infrastructure will be restricted to authorized personnel only and will require authorization through the use of issued badges, identity cards, keys, etc.
- Visitors to these restricted areas must be authorized and escorted at all times. Logs of visitor access will be maintained and reviewed.
- Building wiring will be concealed and access portals locked.
- Obsolete computer equipment will be disposed of according to the Computer Equipment Disposal and Media Sanitization Policy.
- All network equipment and software will be installed and maintained by Information Resources. Users may not install hubs, wireless access points, terminal services, or other equipment that extends the network nor may they access, alter, remove, connect to, or otherwise tamper with any equipment managed by Information Resources.
- Programs that interfere with proper network operation or that create substantial interference or risk will not be allowed.
- All network access points will be protected by a firewall and intrusion prevention systems that monitor and control communications. Traffic matching specific reconnaissance, intrusion or virus patterns will be prevented from entering or exiting the network. All boundary protection systems will be managed and monitored by Information Resources staff.
- Information flow between information systems (particularly between systems of different sensitivity classifications) will be restricted through the use of access control lists, filtering or other mechanisms, as needed.
- Remote access to networked systems and devices will be permitted only as specified in the Remote Access Security Policy.
Servers and Applications
- All server-based systems must be administered by a qualified information technology professional and meet the security guidelines established for each sensitivity classification level.
- Servers will be set up and maintained in accordance with security baselines developed by Information Security. Where possible, adherence to these baselines will be automatically enforced. Contact Information Security at 8-3333 for the current baselines.
- All servers must be certified by Information Security before being placed into use.
- All servers will be located within one of the University's secured data centers and registered with Information Resources.
- Sensitive information must not reside on Internet-facing servers; it must be located on the private network.
- All servers and applications accessed over the network must use only encrypted authentication mechanisms unless otherwise authorized by Information Security.
- Servers and applications will be configured to notify appropriate personnel in the event that inappropriate, unusual and/or suspicious activity is noted.
Workstations
- All workstations, regardless of operating system, must be configured with the standard University settings and applications (e.g., McAfee anti-malware, LANDesk remote support software, etc.).
- Workstations will be set up and maintained in accordance with security baselines developed by Information Security. Where possible, these baselines will be automatically enforced. Contact Information Security at 8-3333 for the current baselines.
- Workstations will receive regular security patch updates in accordance with the University's Vulnerability Management policy.
- CompuTrace theft-tracking software and McAfee Endpoint Encryption software will be active on mobile workstations, where possible.
- Workstations containing or accessing sensitive information, including protected health information, should be located out of public view and must be protected by password-protected screensavers.
Data
- Backups will be performed according to schedules determined by type, sensitivity, importance, and value.
- Encryption will be applied based on type, sensitivity, importance and value.
- The record retention schedule will govern the storage of data.
- Sensitive information, including but not limited to protected health information (PHI) and social security numbers (PII), will be safeguarded in compliance with KUMC's Sensitive Information in Electronic and Paper-Based Format operational protocol.
- Sensitive data transmitted into or out of the KUMC network via the public Internet must be encrypted. Encryption may be accomplished through VPN, SSL, SSH, SFTP or other secure methods approved by the Director of Information Security. Encryption is not needed for data transmitted via dedicated line when the offsite location is protected by a firewall.
Access Control
- With the exception of public-facing informational systems, access to systems and data will require authentication with individual and unique logins and passwords.
- Users must have only the minimal access to systems and data that are required to perform their roles.
- Data owners must authorize access to their respective systems.
- Passwords for all user accounts will adhere to the standard outlined in the Password Security policy.
- Users who change roles will have their access reviewed and updated as required.
- Access will be immediately terminated when a user separates from the Medical Center. Inactive accounts will be disabled or deleted after review.
- All users will complete Computer Security Awareness Training within 30 days of the start of their relationship with the University and on an annual basis thereafter. Completion of the training will include documented acceptance of University technology-related policies.
Exceptions
Requests for exceptions to this Policy may be granted for systems where these requirements may compromise the availability or usability of an application or computer system and where other security measures (e.g., network filtering, firewall, etc.) are in place to mitigate risk. Any requests must be submitted in writing to the Director of Information Security for approval. The KUMC Information Security Exception Form is available for this purpose.
Exceptions will be permitted only on receipt of written approval from Information Security. Information Security will retain documentation of currently permitted exceptions and will review them on an annual basis.
For information on this policy, please contact:
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
3901 Rainbow Blvd.
Kansas City, Kansas 66160
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
Definitions
Information resources: computer systems, equipment, software and data.
Network: Computers and associated devices connected to the Medical Center's central communications line; includes all addresses within the 169.147.0.0/16 block (kumc.edu).
System: Computer that provides services to multiple users or other computers.
User: Anyone who accesses the University's network, computer systems or data.
Revision History
2014-07-17: Updated contact information.
2014-02-28: Reviewed and moved into KU Policy Library.
2013-04-18: Reviewed with no changes.
2012-04-27: Reviewed with no changes.
2011-03-13: Revised to include references to Vulnerability Management and Media Sanitization policies.