Administrative Policies and Procedures Information Security Program Procedural Handbook for Line Managers and Supervisors (ISPHB02)


Administrative Policies and Procedures
Information Security Program Procedural Handbook for Line Managers and Supervisors (ISPHB02)
Date Issued: November 17, 2016
Last Revision:

University of Houston-Clear Lake
Administrative Policies and Procedures
Information Security Program Procedural Handbook for Line Managers and Supervisors (ISPHB02)

Table of Contents
I. Purpose and Scope ... 1
II. Applicability ... 1
III. Procedures ... 2
  A. Personnel Management ... 2
    01. Applicant Screening ... 2
    02. Staff Security Awareness Training ... 3
    03. Interaction with Information Owners and Designees ... 4
    04. Separation of Duties ... 4
    05. Termination of Employment or Employee Reassignment ... 5
  B. Vendor Management ... 6
IV. Revision Log ... 7
V. Policy Review Responsibility ... 7
VI. Approval ... 7
Table of Contents Page i

I. Purpose and Scope

Every individual who is a member of the University of Houston-Clear Lake's (UHCL) faculty and staff, or is contracted to provide information-related services, is responsible for protecting the information created by or entrusted to UHCL to the best of his or her ability. Line managers and supervisors play a key role in securing UHCL information resources against unauthorized disclosure, tampering, theft, and destruction. Besides being users of information themselves, they establish departmental and work group procedures to ensure that:
- Their teams are staffed with properly vetted individuals,
- The principles of least privilege and separation of duties are ingrained into their business procedures and practices,
- Access privileges are regularly reviewed to ensure that they remain appropriate, and
- Access privileges no longer needed are removed.

The documents in this Procedural Handbook series have been developed to provide a comprehensive set of generic business procedures that can be used either as is or can be tailored by each business area to handle procedural variations driven by specific vendor products. This specific handbook provides procedural guidance for performing information security-related tasks that are relevant to individuals in a supervisory role.

II. Applicability

Anyone who serves the University in a supervisory role should become familiar with the contents of this document. This document assumes that the reader has read and understands the definitions, roles and policies contained in the following documents: Information Security Program Description, Roles and Program Policies (ISPOL01), and Acceptable Use Policy for UHCL Information and Systems (ISPOL02). All UHCL employees and contractors also should be familiar with the document entitled Procedural Handbook for Employees and Contractors (ISPHB01).

III. Procedures

A. Personnel Management

To prevent hiring of applicants who do not meet employment eligibility criteria with respect to previous criminal activities or unethical conduct, data processing managers are to direct all applicants for employment to Human Resources if the specific job title requires a background investigation.

01. Applicant Screening

Background investigations are required for the following positions:
- Technology-related positions:
  - Data Processing Management Positions
  - Systems Programmers
  - Data Base Administrators
  - Computer Operators
  - Technical Support Personnel
  - Programmers/Analysts
- Positions that involve exposure to:
  - Information that UHCL legally is obligated to protect, such as information protected by FERPA, HIPAA, GLBA, and other federal, state and local privacy laws,
  - Information that UHCL contractually is obligated to protect, such as information protected by the University's agreement with the Payment Card Industry (PCI) consortium, and
  - Non-public information that is associated with the University's strategic direction and financial status.
- Other positions defined as requiring background checks in job descriptions submitted by Administrative and Academic department managers to the University's Human Resources department.

It is the responsibility of the appropriate line manager or supervisor to ensure that each person being hired, appointed or promoted complies with the requirement for a background investigation. A prospective hiree, appointee, or promotee who fails to cooperate in following this procedure must be considered unqualified.

An applicant's references should be checked for at least the past seven years. Other applicant data, such as date of birth, citizenship, home residence, school credentials, and court and financial records, must be verified before a job offer is made. A photograph must be taken as part of the personnel record.

Employees must sign agreements to cover:
- Ownership and royalty arrangements on business-related inventions by employees.
- Unauthorized disclosure and/or use of the University's commercial and in-house developed proprietary software and the University's information resources by individuals during employment and after they leave the organization.

02. Staff Security Awareness Training

Line managers and supervisors are expected to be strong advocates for the University's Information Security Program, and must ensure every employee and contractor on his or her staff understands:
- UHCL's interest in information security and the reasons for it,
- The University's information security policies and procedures applicable to his or her job function,
- His or her direct responsibilities in ensuring the security and integrity of UHCL information resources, and
- That violations of these policies and procedures could be serious enough to lead to termination of employment.

03. Interaction with Information Owners and Designees

Line managers and supervisors must work with the Information Owner(s) and/or Designee(s) associated with the information that the department uses to understand the value of the information, the risk posed to the University if the information is exposed to unauthorized individuals, tampered with, or destroyed, and the measures that need to be taken to protect the information at an appropriate level. Line managers and supervisors are required to keep staff members informed of the information security requirements associated with the information that they process.

04. Separation of Duties

The University and all of its departments must enforce separation of duties and appropriate checks and balances in their daily operations to ensure that information is protected against intentional and accidental actions that put our information at risk. This involves the following:
- Operational and system development functions must be performed by different individuals from those who perform monitoring functions.
- Application software that is developed in-house may not be moved to the production systems by members of the application's development team. Rather, the application software must be moved by a change manager, i.e., an individual not on the development team who is assigned to move software from development to production. That change manager could be a developer from another project team. In cases of a production emergency, a developer could move updated software to the production environment with the approval of the University's Information Security Officer. However, the software must go through the regular change management process as soon as the situation stabilizes.
- There should be cross training of operations staff to provide depth and backup, and to reduce individual dependence.
- Application developers must not be able to update or execute software in the production environment except in emergency situations approved by the University's Information Security Officer.
- Server managers should not be able to make changes to production application or system software libraries, to execute any jobs or programs that have not been scheduled through established procedures, or to execute (outside of standard production processing) data- or software-modifying system utilities without proper authorization and dual control.

- Individuals whose job function involves the entry of financial and other forms of sensitive data into the University's systems should not prepare source documents for input or audit their own data-related activities.

05. Termination of Employment or Employee Reassignment

When an employee or contractor no longer serves in the same job function, either through reassignment or termination, it is the responsibility of the employee's or contractor's manager or supervisor to ensure that he or she no longer can access any UHCL information resources associated with his or her prior position.

Line managers and supervisors must ensure that all identities and access privileges, both access to physical facilities and logical access to UHCL systems and information, for any employee who is leaving the University are revoked before he or she leaves the premises.

Department heads should develop a formal employee exit interview process.

Note: UHCL would like to maintain a stable work force with a minimum level of staff losses. Facts and opinions stated during an exit interview may be of material value toward that objective.

Departments should maintain a termination checklist to ensure that no access capabilities remain for the terminated employee.

It is the responsibility of the line manager or supervisor to advise the departing employee that he or she cannot continue to use University of Houston-Clear Lake data processing facilities, data, or equipment.

All UHCL property, including computer and communications equipment, keys, identification cards, programs, data, and documentation, must be returned to the terminating employee's manager or supervisor, who is responsible for ensuring that each item is forwarded to its appropriate destination. A property issuance and return record should be created that includes issuance and return dates, and the authorized issuer's signature for each item specified. Typically, the record will include keys, identification cards, badges, passwords, etc. In special instances, computer and communications equipment also may have been issued to employees for use in off-site locations.

Situations requiring the immediate revocation of access or processing authorization must be resolved directly with the University's Information Security Officer.

B. Vendor Management

The University's information security policies apply not only to UHCL employees and contractors in-house, but also to individuals who provide contracted services to the University externally. Thus, line managers, supervisors, and the individuals who negotiate contracts with the vendors must ensure that the contract terms are consistent with the University's policies and procedures and are vetted by the University of Houston's General Counsel. This requires that line managers and supervisors who lead projects that use third-party services, either on or off campus, perform the following:
- When assembling contract terms, the line manager or supervisor must involve the University's Information Security Officer early in the project to ensure that the contract terms meet or exceed UHCL's policy requirements. The University's Information Security Officer will work with the University of Houston System's Chief Information Security Officer and the Office of the General Counsel to ensure that the contract terms effectively protect UHCL's interests.
- For contractors who will be working on-site with University-supplied computers, the primary focus must be the vendor's personnel practices, which must be consistent with those specified for UHCL employees.
- For cases in which UHCL information resources will be hosted at an off-campus vendor site, the contract must specify:
  - The sensitivity of the information involved,
  - UHCL's information security expectations for the vendor's operating environment, any third parties involved in processing the data, and any data transmissions among UHCL and any of the external parties involved,
  - How data will be handled and/or destroyed if or when the agreement is terminated, and
  - A mechanism for assuring compliance.

Note: It is strongly recommended that the vendor's practices be subject to annual audits against universally accepted standard frameworks, such as ISO 27001, SSAE 16, and COBIT, and that UHCL be provided with the executive summary to ensure that each vendor is in compliance.

IV. Revision Log

Revision Number   Approval Date   Description of Changes
1                 07/12/2016      Initial version
2                 12/11/2017      a) Updated all document links to be consistent with UHCL's new website
                                  b) Updated name of UHCL President

V. Procedural Handbook Review Responsibility

Responsible Parties:
- Associate VP for Information Resources
- Information Resource Manager
- Information Security Officer

Review Period: Annually on or before April 30

VI. Approval

Glen Houston, Associate VP for Information Resources
Ira K. Blake, President