SEHD Wiki

A source for policies, procedures, handbooks and other resources from the School of Education and Human Development


policy

Differences

This shows you the differences between two versions of the page.

policy [2018/12/17 21:35] – created Matt Mitchell
policy [2020/02/06 22:29] (current) – removed Matt Mitchell
Line 1: Line 1:
-===== Minimum Required Data Privacy Policy List from CDE ===== 
- 
-  - Privacy and Security Policies and Procedures User/SEHD  Server/OIT 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Identification of a Privacy and Security Board and Officer  Server/OIT 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Management Oversight of Privacy and Security Programs Server/OIT 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Sanctions for Violations of Policies and Procedures User/SEHD Server/OIT 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-  - Reporting Potential Problems in Privacy and Security User/SEHD Server/OIT 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Incident Response and Incident Response Mitigation User/SEHD Server/OIT-same as #5 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-      - See attached Incident Response Process Flow Diagram for unit/department responsibility. 
-  - Privacy and Security Training User/SEHD 
-  - Access Control, Minimum Necessary Access and Verification for Access to Data User/SEHD  Database  Server/OIT 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-      - APS-6001 [[https://www.cu.edu/ope/aps/6001|https://www.cu.edu/ope/aps/6001]] 
-  - Password Management User/SEHD Database  Server/OIT – complying with university policy 
-      - University Password Policy [[http://www.ucdenver.edu/faculty_staff/employees/policies/Policies Library/Admin/fp5-13.pdf|http://www.ucdenver.edu/faculty_staff/employees/policies/Policies%20Library/Admin/fp5-13.pdf]] 
-  - Transmitting Sensitive Information Securely including Faxing and Email User/SEHD—duplicative with #1 
-      - Email and Webmail Stay Secure [[https://www1.ucdenver.edu/offices/office-of-information-technology/software/how-do-i-use/email-and-webmail|https://www1.ucdenver.edu/offices/office-of-information-technology/software/how-do-i-use/email-and-webmail]] 
-      - HIPAA Policy 7.1 Safeguards [[https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/it-related-policies/hipaa-7-1-safeguards.pdf?sfvrsn=48bb7b8_6|https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/it-related-policies/hipaa-7-1-safeguards.pdf?sfvrsn=48bb7b8_6]] 
-  - Log-in Monitoring Database  Server/OIT 
-      - Needs to be implemented and documented 
-      - OIT has an internal standard for logging, monitoring and auditing that applies to all servers managed by CU Denver OIT. 
-      - HIPAA Policy 9.3 Auditing [[http://www.ucdenver.edu/research/Research Administration Documents/9.3 Auditing.pdf|http://www.ucdenver.edu/research/Research%20Administration%20Documents/9.3%20Auditing.pdf]] 
-  - Workstation Security Configuration User/SEHD, Server/OIT  -- duplicative with #1 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Device and Media Control Database  Server/OIT – duplicative with #1 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Securing Materials with Data User/SEHD-duplicative with #1 
-      - Security and Compliance Hard Drive Disposal [[https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/it-related-policies/hipaa-7-1-safeguards.pdf?sfvrsn=48bb7b8_6|https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/it-related-policies/hipaa-7-1-safeguards.pdf?sfvrsn=48bb7b8_6]] 
-  - Encryption Database  Server/OIT 
-      - Encrypt Your Laptop Guidance [[https://www1.ucdenver.edu/offices/office-of-information-technology/software/secure-campus/encryption|https://www1.ucdenver.edu/offices/office-of-information-technology/software/secure-campus/encryption]] 
-      - Guide to Secure Devices [[https://www1.ucdenver.edu/offices/office-of-information-technology/software/secure-campus/guide-to-secure-devices|https://www1.ucdenver.edu/offices/office-of-information-technology/software/secure-campus/guide-to-secure-devices]] 
-      - APS-6005 [[https://www.cu.edu/ope/aps/6005|https://www.cu.edu/ope/aps/6005]] 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Authorizations for Personal Health Information, if applicable User/SEHD –NA 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Permitted Uses and Disclosures of PHI, if applicable User/SEHD—NA 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - HIPAA Status, if applicable Server/OIT 
-      - UC Denver’s File servers are HIPAA compliant. 
-      - Units/Departments can request assistance from the RAC team on the security of data usage. [[https://www1.ucdenver.edu/offices/office-of-information-technology/services/security-and-compliance|https://www1.ucdenver.edu/offices/office-of-information-technology/services/security-and-compliance]] 
-  - Business Associate Status, if applicable 
-      - NA 
-  - Designating Sensitive Information User/SEHD – may be duplicative 
-      - University Data Classifications and Impact [[https://www.cu.edu/ois/data-classifications-impact|https://www.cu.edu/ois/data-classifications-impact]] 
-  - Risk Assessments and Management User/SEHD – duplicative 
-      - University HIPAA Policy [[http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx|http://www.ucdenver.edu/research/ORC/HIPAA/Pages/Policy.aspx]] 
-  - Change Control Procedures User/SEHD – user access/retiring users 
-      - OIT is also working on a process flow diagram to guide units/departments on their role in this process and how the OIT CAB process fits into the process. 
-  - Audit and Evaluation Procedures User/SEHD  Server/OIT – designated liaison and form for auditors 
-      - Units/Departments can request assistance from the RAC team on the security of data usage, but we are not auditors, nor do we have a specific form. 
- 
-Sample Local Education Agency Policy Links: [[http://www.cde.state.co.us/dataprivacyandsecurity/sampleitpolicies|http://www.cde.state.co.us/dataprivacyandsecurity/sampleitpolicies]] 
- 
  
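Review bot: under "Log-in Monitoring Database Server/OIT" the removed text still carries an open action, "Needs to be implemented and documented", and deleting the whole list drops the only record of it on this page. The revision summary says only "removed", so a reader cannot tell whether the list moved or was retired; state the new location or the reason in the summary, and carry the open item over to wherever it is now tracked. The same applies to "Privacy and Security Training User/SEHD", which is removed without ever having had a policy reference listed under it, and to "See attached Incident Response Process Flow Diagram", whose attachment is not linked anywhere in the removed lines. The cross-references "same as #5" and "duplicative with #1" depend on the auto-numbered order of the list, so if the content is restored elsewhere they should name the item title instead of its number.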
policy.1545082547.txt.gz · Last modified: 2018/12/17 21:35 by Matt Mitchell