
Information Security Policies Guide

Overview

Des Moines University possesses information that is sensitive and valuable, e.g., personal health information, student information, employee information, financial data, research, and other information considered sensitive. Some information is protected by Federal and State Laws or Contractual Obligations that prohibit its unauthorized use or disclosure. The exposure of sensitive information to unauthorized individuals could cause irreparable harm to the University or members of the University community, and could also subject the University to fines or other government sanctions. Additionally, if University information were tampered with or made unavailable, it could impair the University's ability to do business. The University therefore requires all employees to diligently protect information as appropriate for its sensitivity level.

The purpose of this document is to outline the University Information Security and Privacy Policies and provide a clear definition of faculty, staff, student, and contractor responsibilities related to the policies. The document is divided into the following sections:

• Purpose of the DMU Information Security Policies
• Scope of the DMU Information Security Policies
• Responsibilities
• Information Collections and Sensitivity Levels
• Requirements for any computer used to conduct University business
• Contractual Obligations

Purpose of the DMU Information Security Policies

The purpose of the Des Moines University Information Security Policies is to:

1) Protect Des Moines University (University) information and system resources.
2) Help to ensure the confidentiality, integrity, and availability of information assets.
3) Establish an information security policy management and governance structure.
4) Create awareness among all workforce personnel so that information security decisions are made in accordance with information security policies.
5) Help protect student, patient, alumni, and employee information from unauthorized use, disclosure, modification, or destruction.
6) Provide direction to those responsible for the design, implementation and maintenance of systems that support the University's operations.
7) Clarify management and other workforce personnel responsibilities and duties with respect to the protection of information assets and resources.
8) Support compliance with applicable legal and regulatory requirements.
9) Establish the basis for internal and external audits, reviews and assessments.

Scope of the DMU Information Security Policies

• The University Information Security Policies define common security requirements for all University personnel and systems that create, maintain, store, access, process or transmit information.
• The University information security policies apply to all University personnel, including contracted workers, consultants, students and others given access to University applications, systems, and/or information.
• The policies pertain to all University systems, applications and information in all forms in all locations where University business is performed.
• The policies also apply to information resources owned by others, such as contractors of the University and entities in the private sector, where the University has a legal, contractual or fiduciary duty to protect the resources while in University custody. In the event of a conflict, the more restrictive measures apply.
• The policies cover the University information technology systems, which are comprised of various hardware, software, communication equipment and other devices designed to assist the University in the creation, receipt, storage, processing, and transmission of information. This definition includes equipment connected to any University domain or VLAN, either hardwired or wirelessly, and includes all stand-alone equipment that is deployed by the University at its office locations or at remote locales.
• The policies will be communicated to all personnel who have any type of access to business information assets.

Responsibilities

University Community

All members of the University community, including faculty, staff, students, contractors, and temporary employees, are responsible for maintaining the integrity of and protecting the confidentiality of University data and information.

Maintaining Integrity of Information

The soundness and completeness of information on University systems must be maintained during its transmission, storage, generation, and/or handling. To maximize the integrity of data, information technology (IT) computing resource users shall adhere to the following:

1) You must notify the Information Security Officer immediately if passwords or other system access control mechanisms are lost, stolen or disclosed, or are suspected of being lost, stolen or disclosed. You must also notify the Information Security Officer immediately of any other security-related problems. DO NOT further distribute potential breach information.
2) You must scan all non-text files downloaded from the Internet with anti-virus software prior to usage to minimize the risk of corruption, modification or loss of data.
3) You are advised to use information and utilities obtained from the Internet with caution. Before using free Internet-supplied information or utilities for business decision-making purposes or as a part of a process and/or University system, corroborate and confirm the information by consulting other reliable sources.

Protecting Confidential Information

All members of the University community are obligated to respect and protect confidential data according to the Information Sensitivity Levels in section 4.2. The University strongly discourages storage of any confidential data on any computer or network-attached device that has not been explicitly approved by personnel within Information Technology Services. IT computing resource users must adhere to the following:

1) DO employ adequate encryption technology for Confidential information such as patient records, educational records, Social Security Numbers, identification numbers, and credit card numbers in accordance with the Work Areas and Mobile Computing Policy.
2) DO NOT operate or attempt to operate computer equipment without specific authorization.
3) DO notify your supervisor, the Information Security Officer or the Chief Compliance Officer if Confidential university information is lost or disclosed to unauthorized parties, if any unauthorized use of university systems has taken place, if there is suspicion of such loss, disclosure or unauthorized use, or if you have reason to believe the confidentiality and security of your password has been compromised.
4) DO NOT store Confidential data in any computer unless the persons who have access to that computer have a legitimate need-to-know for the information.
5) DO NOT share your password(s) with anyone, including faculty, staff, students, family members or Information Technology personnel.
6) DO NOT save fixed passwords in web browsers or e-mail clients when using a university system. This may allow unauthorized users to access critical or sensitive information such as that contained in the Electronic Medical Records (EMR) System, Student Information System, Payroll System, or other Enterprise systems.
7) DO NOT distribute critical or sensitive university communications to external entities. Only distribute to internal entities on a need-to-know basis.
8) DO NOT establish Internet or other external network connections that could allow non-university users to gain access to university systems with critical or sensitive information unless prior approval has been received from the appropriate authority.
9) DO NOT post university material such as software, internal memos, or other non-public information on any publicly-accessible computer or website unless first approved by the appropriate authority.
10) DO NOT discuss information security-related incidents with individuals outside of the university, or with those inside the university who do not have a need-to-know.
11) DO NOT make unauthorized modifications to DMU network or device security settings.
12) DO NOT install unapproved software on your DMU-issued device.

Employees and Contractors

1) You may only access information needed to perform your legitimate duties as a University employee or contractor, and only when authorized by the appropriate Information Owner or designee.
2) You are expected to ascertain and understand the sensitivity of information to which you have access through training, other resources, or by consultation with your supervisor or the Information Owner.
3) You may not in any way divulge, copy, release, sell, loan, alter or destroy any information except as authorized by the Information Owner within the scope of your professional activities.
   a. You must not disclose any portion of the patient's record except to a recipient designated by the patient or to a recipient authorized by DMU who has a "need to know" in order to provide continuing care of the patient.
   b. You must not disclose any portion of the student's record except to a recipient designated by the student or to a recipient authorized by DMU who has a "need to know" in order to provide continuing education of the student.
   c. You must not disclose any portion of the computerized systems to any unauthorized individuals.
This includes, but is not limited to, the design, programming techniques, flow charts, source code, screens, and documentation created by employees,