ROWAN UNIVERSITY POLICY


Title: Mobile Computing and Removable Media Policy
Subject: Information Security 
Policy No: ISO: 2013:03
Applies: University-wide 
Issuing Authority: Vice President for Information Resources and Chief Information Officer
Responsible Officer: Director of Information Security  
Date Adopted: 07/01/2013
Last Revision: 08/08/2018
Last Review: 08/08/2018


I.    PURPOSE

To establish the requirements for the physical and technical protection and access control of Mobile Computing Devices and Removable Media that connect to the University's information systems.

II.   ACCOUNTABILITY

Under the direction of the Vice President for Information Resources and Chief Information Officer, the University's Director of Information Security shall implement and ensure compliance with this policy.

III.  APPLICABILITY

This policy shall apply to all members of the ROWAN community. This includes faculty, staff, non-employees, students, attending physicians, contractors, covered entities, and agents of ROWAN.

IV.  DEFINITIONS

  1. Authorized User – a person authorized to access information resources specific to their role and responsibilities, and who has conveyed upon them the expectation of "Least Privilege."
  2. Business Unit – the term applies to multiple levels of the university, such as a college, a revenue-generating unit or a functional unit (e.g., Compliance, Human Resources, IRT, Legal, Risk and Claims Management). It may also be comprised of several departments.
  3. Confidential Information – the most sensitive information, which requires the strongest safeguards to reduce the risk of unauthorized access or loss. Unauthorized disclosure or access may 1) subject ROWAN to legal risk, 2) adversely affect its reputation, 3) jeopardize its mission, and 4) present liabilities to individuals (for example, HIPAA/HITECH penalties).
  4. Encryption – a method of converting information or data into a cipher or code to prevent unauthorized access. Requires a passcode or other form of confirming identity to decrypt and access the information or data.
  5. EPHI - Electronic Patient Health Information
  6. FERPA – Family Educational Rights and Privacy Act. FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA applies to the records of individuals from the point of first registration until death of the individual.
  7. Information Owner - information owners are the business unit managers, senior management, or their designees who have planning and management or legal responsibility for the information generated within their functional areas. They must ensure that the level of protection assigned to their information is relative to its classification and sensitivity. For information regulated by HIPAA, FERPA, or GLBA, the information owner is expected to exercise due care when defining its level of protection.
  8. Information Risk – the potential that a given threat will exploit vulnerabilities of an information asset, thereby causing loss or harm to the information asset. It is measured in terms of a combination of the probability of an event and its impact to the University if the confidentiality, integrity, or availability of an asset is compromised. A risk can be financial, operational, regulatory, and/or reputational in nature.
  9. Least Privilege – giving every user, task, and process the minimal set of privileges and access required to fulfill their role or function. This includes access to information systems and facilities.
  10. Mobile Computing Device – including, but not limited to, laptops, tablets (iPad, Windows, etc.), smartphones (Android, iPhone, etc.), and mobile broadband cards (also known as AirCards® and connect cards).
  11. Private Information – sensitive information that is restricted to authorized personnel and requires safeguards, but which does not require the same level of safeguards as confidential information. Unauthorized disclosure or access may present legal and reputational risks to the University.
  12. Removable Media – including, but not limited to, CDs, DVDs, storage tapes, flash devices (e.g., CompactFlash and SD cards, USB flash drives), and portable hard drives.
  13. Treatment, Payment, and Health Care Operations (TPO) – The core health care activities of "Treatment," "Payment," and "Health Care Operations" are defined in the Privacy Rule at 45 CFR 164.501.
    1. "Treatment" generally means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.
    2. "Payment" encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.
    3. "Health care operations" are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities, which are limited to the activities listed in the definition of "health care operations" at 45 CFR 164.501, include:
      1. Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
      2. Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
      3. Underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims;
      4. Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
      5. Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
      6. Business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

V.    REFERENCES

 Federal Information Security Management Act (FISMA) http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

VI.   POLICY

  1. All members of the University community have a responsibility to protect the Confidentiality, Integrity, and Availability of University information collected, processed, stored, or transmitted on mobile computing devices and removable media.
    1. "Confidentiality" – the expectation that only authorized individuals, processes, and systems will have access to ROWAN's information.
    2. "Integrity" – the expectation that ROWAN's information will be protected from intentional, unauthorized, or accidental changes.
    3. "Availability" – the expectation that information is accessible by ROWAN when needed.
  2. Because the use of such devices and media presents an information security risk to the University, each business unit must establish departmental procedures governing their use, including whether the use of personal devices and media is permitted for the conduct of sound University business.
  3. If a business unit approves the use of mobile computing devices and removable media (whether University-owned or personal) to facilitate the execution of its business processes and functions, they must be secured according to the University's security standards and requirements.
  4. Requirements:
    1. Each business unit must document and communicate to their members whether the business unit permits the use of mobile computing and removable media (whether University-owned or personal) for University business. If the business unit allows the use of such devices and media, they must develop, document, and communicate procedures for their use.
    2. Procedures must:
      1. Reflect the value and importance of the information the business generates, processes, and handles.
      2. Stipulate the business unit's record retention and e-discovery requirements, if any.
      3. Stipulate the business unit's and University's security expectations and requirements.
      4. Reflect the expectations of third parties and partners for which the business unit acts as information custodian.
      5. Communicate that University information stored or transmitted on personally owned devices and media remains the property of the University.
    3. Business units must periodically conduct policy and procedures training and awareness for their members.
    4. All mobile computing devices and removable media used for University business must be secured against unauthorized access, loss, or theft. This is regardless of whether it is owned or leased by the University or a personally owned device or media. Contractual partners who keep ROWAN confidential information on their mobile computing devices or media must also adhere to these requirements. 
    5. The security of mobile computing devices and removable media used for University business must be managed by IRT and, at minimum, must be password protected. Devices containing sensitive information, such as ePHI, must also be encrypted. Departments should evaluate their need for additional safeguards based on their specific security and business requirements.
    6. Technical controls must comply with the University's security standards as defined by IRT and the Information Security Office.
    7. Shipments of devices or media containing Confidential or Private or other sensitive information must be done using a courier that can track shipments and provide proof of receipt. Lost or stolen shipments must be reported to the Information Owner and the Information Security Office.
  5. Responsibilities:
    1. All members of the University community must protect the Confidentiality, Integrity, and Availability of University information on mobile computing devices and removable media, whether they are personally owned or owned or leased by the University.
    2. Business units must establish procedures governing the use of mobile computing and removable media by their members and periodically conduct training and awareness for their members.
    3. IRT must define the technical standards that meet the information security requirements of the University, its departments, and its regulatory bodies.

VII.  INCIDENT REPORTING

  1. Loss or theft of a Mobile Computing Device and Removable Media must be reported immediately. The following steps must be taken:

    1. Immediately report the loss or theft to the IRT Service Desk.
    2. Report loss, theft, or unauthorized access to your manager.
    3. The Compliance Office must be notified if the information contains sensitive ePHI.
    4. All incidents must be reported to the Information Security Office regardless of whether there is sensitive information involved or not.

VIII. NON-COMPLIANCE SANCTIONS

  1. Violations of this policy may subject the violator to disciplinary actions, up to or including termination of employment or dismissal from a school, and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators regardless of job titles or level in the organization. 


 By Direction of the CIO:

 __________________________________
Mira Lalovic-Hand,
VP and Chief Information Officer