Vanderbilt University Page 1 of 5 v.1.1
1/29/2015 cmf
Vanderbilt’s Acceptable Use Policy – Higher Standards for IT Professionals
Vanderbilt IT personnel are granted elevated or privileged access to Vanderbilt University’s information
and information systems. This privileged access places the Vanderbilt IT professional in a higher level of
trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually
enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt
University must strive to be trusted and highly skilled custodians through:
A. Preserving confidentiality
• Does not access regulated and/or confidential information* outside what is required as part of
their work.
• Does not share regulated and/or confidential information* they access or view while doing their
work.
• Does not share any detail at all about what they see in the context of doing their work.
• Complete annual reviews of Acceptable Use Policy and confidentiality policies.
B. Protecting data and information integrity
• Keeps computers locked when they’re not using them to prevent others from using them.
• Protects/secures the passwords they use to access this information.
• Does not circumvent any Vanderbilt security measures.
• Does not install or place anything on computers or the Vanderbilt network that isn’t supposed to
be there – sniffers, keystroke loggers, other devices unless required to do so for work.
C. Establishing and maintaining availability of information systems
• Stays trained on current technologies relative to their work.
• Responds to service outages in a timely fashion depending on the service level required for
systems they manage.
• Monitor usage and availability of systems they manage.
D. Educating those around them about IT and social risks related to information systems
• Does not “cyber slack” – cyber slacking sets a bad example for others and there are security risks
with going to some outside services. (i.e., don’t watch movies, the final four, YouTube, or go to
Facebook, etc. unless required to do so for work.)
• Stays current on IT and social risks through reading and training, and disseminates that
information to their department members on a bi-annual basis.
E. Enhancing and maintaining technical skills
• Stay trained on current technologies relative to their work.
• Recommend 40 hours of work and technology related training each year.
• Gain and maintain certifications for the systems and servers they manage.
F. Demonstrating an understanding of the areas they serve
• Exhibit an extemporaneous understanding of the desktop and server environments for which they
are responsible.
• Understand and document the applications their department and colleagues use on a regular
basis.
• Understand and document technology processes in their department.
• They understand the data types and data classifications of the information processed in their
department, and the risks associated with that data.
Information Technology Services
Vanderbilt University Page 2 of 5 v.1.3
1/29/2015 cmf
Violation Levels
Level 1: Negligent Act (Carelessness)
A. This level of violation occurs when a workforce member unintentionally or carelessly does
something that leaves regulated and/or confidential information* susceptible to being overheard,
accessed, or revealed to unauthorized individuals.
B. Examples of Level 1 violations include:
a. Emailing a file that includes regulated and/or confidential information* to the wrong person;
b. Faxing regulated and/or confidential information* to an incorrect fax number in error;
c. Gossiping about a student, faculty or staff member’s private information based upon hearsay
information without the student, faculty or staff member’s authorization, when such gossip
results in a complaint by that faculty or staff member or their representative to an appropriate
Vanderbilt authority.
d. Leaving a computer unlocked when it has access to systems with regulated and/or
confidential information*.
Level 2: Negligent Act (Not Following Procedure)
A. This level of violation occurs when a workforce member takes an action that fails to comply with a
privacy or information security procedure or policy, resulting in potential or actual breach of
information privacy or security.
B. Examples of Level 2 violations include:
a. Releasing information to another individual about a user(s) without proper authorization,
identification or verification;
b. Releasing information about a user who is designated as “No Information status” to anyone
not directly involved in the support of a user or otherwise required to have access to the
information to do their job at Vanderbilt;
c. Gossiping or sharing information about a Vanderbilt user’s confidential information with
someone who is otherwise not authorized to have access to that information;
d. Failure to follow defined policies or procedures that results in unintentional disclosure or
incidental disclosure of highly sensitive data causing distress or harm to a person or the
institution;
e. Failure to account for disclosures as required by law and policy within Vanderbilt.
f. Sharing ID/password with another person or using another person’s ID/password that allows
access to that individual’s computer or personal information, not to restricted system/s and
confidential information of others.
g. Leaving medical records, or a copy of regulated and/or confidential information*, or other
federal or state regulated data, or other confidential information out in the open and
unattended;
h. Repeated incidents of Level 1 violations.
Level 3: Deliberate Act (Curiosity or Concern)
A. This level of violation occurs when a workforce member deliberately accesses, reviews, or discusses
confidential information or systems, without documented authorization to do so.
B. Examples of Level 3 violations include:
a. Accessing another person’s confidential information:
i. Accessing and reviewing the record of a user out of concern or curiosity without
authorization;
ii. Gossiping or sharing regulated and/or confidential information* or other federal or
state regulated data obtained through your role at Vanderbilt with someone otherwise
not authorized to have access to that information, without appropriate authorization to
disclose that information;
iii. Looking up birthdates, addresses, or other demographic or appointment information
without authorization to do so.
b. Security of Information Systems:
i. Sharing ID/password with another person or using another person’s ID/password that
allows access to restricted system/s and regulated and/or confidential information* of
others. (e.g., Tier 2 information as defined in OP 10-40.33);
ii. Accessing or connecting to Vanderbilt information systems (e.g., computers, servers,
routers, switches) without authorization;
iii. Circumventing Vanderbilt security measures without documented authorization;
iv. Giving an individual access to your electronic signature;
v. Attempting to gain unauthorized or inappropriate access to any system or data.
c. Repeated incidents of Level 1 or Level 2 violations.
Level 4: Blatant Disregard for Confidentiality (Personal Use or Malicious Intent)
A. This level of violation occurs when a workforce member accesses, reviews, or discloses confidential
information or fails to comply with information security safeguards that result in loss of availability,
integrity, and confidentiality of systems or data for personal gain or with malicious intent.
B. Examples of Level 4 violations include:
a. Accessing another person’s confidential information:
i. Accessing or allowing access to regulated and/or confidential information* without
having a legitimate reason and disclosure or abuse of the information for personal
gain or malicious intent;
ii. Accessing another person’s regulated and/or confidential information* to use for
personal purposes or in a personal relationship;
iii. Compiling a mailing list for personal use or to be sold.
b. Security of Information Systems
i. Tampering with or unauthorized destruction of information;
ii. Deliberate acts that adversely affect the integrity, availability, and/or confidentiality
of Vanderbilt information systems (e.g., introduction of a virus to the Vanderbilt
network);
c. Unauthorized or inappropriate access to any system or data for personal gain or with
malicious intent.
Discipline Levels
Level 1 or Level 2 Violations:
A. The administrator or chairman, or their designees responsible for implementing
disciplinary/corrective action have enforcement discretion, taking into consideration the findings of
the investigation and the specific facts and circumstances of the situation.
B. Gross negligence resulting in disclosure of that information to someone else not otherwise
authorized to access that information, whether it is to a Vanderbilt employee or someone outside of
Vanderbilt, results in the highest level of disciplinary action, up to and including termination of
employment.
C. The administrator or chairman, or their designees consult with Human Resources/Employee
Relations in determining the action to be taken.
D. Most incidents result in progressive action steps beginning with re-education, work-flow analysis,
and process improvement. Repeated violations may result in escalation of disciplinary steps, up to
and including termination of employment.
Level 3 or Level 4 Violations:
A. The nature of some violations is serious enough to warrant specific disciplinary action as opposed to
implementing progressive action steps.
B. Deliberate, unauthorized access to an individual’s regulated and/or confidential information* results
in Final Performance Improvement Counseling (PIC) for staff; and a minimum of a written warning
for faculty, students and staff.
C. Deliberate, unauthorized access to a user’s record and disclosure of that information to someone else
not otherwise authorized to access that information, whether it is to a Vanderbilt employee or
someone outside of Vanderbilt, results in the highest level of disciplinary action, up to and including
termination of employment.
D. Gaining unauthorized access to any system and compromising the integrity, availability, or
confidentiality of the system or any data results in the highest level of disciplinary action, up to and
including termination of employment.
* Regulated and/or confidential information includes:
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Payment Card Industry (PCI) information
• Family Educational Rights and Privacy Act (FERPA) information
• Federal Information Security Management Act (FISMA) information
• Gramm-Leach-Bliley Act (GLB) information
• Other information Vanderbilt deems confidential

Weitere ähnliche Inhalte

Andere mochten auch

Week 10 Technical Stack Pt. 1
Week 10 Technical Stack Pt. 1Week 10 Technical Stack Pt. 1
Week 10 Technical Stack Pt. 1UC Santa Barbara
 
Week 4 Software Development In The 21st Century
Week 4     Software  Development In The 21st  CenturyWeek 4     Software  Development In The 21st  Century
Week 4 Software Development In The 21st CenturyUC Santa Barbara
 
Microsoft Live Instructions
Microsoft Live InstructionsMicrosoft Live Instructions
Microsoft Live InstructionsUC Santa Barbara
 
Microsoft Live Instructions
Microsoft Live InstructionsMicrosoft Live Instructions
Microsoft Live InstructionsUC Santa Barbara
 
Week 10 Technical Stack I I 03
Week 10      Technical  Stack  I I 03Week 10      Technical  Stack  I I 03
Week 10 Technical Stack I I 03UC Santa Barbara
 

Andere mochten auch (9)

Week 10 Technical Stack Pt. 1
Week 10 Technical Stack Pt. 1Week 10 Technical Stack Pt. 1
Week 10 Technical Stack Pt. 1
 
Week 4 Software Development In The 21st Century
Week 4     Software  Development In The 21st  CenturyWeek 4     Software  Development In The 21st  Century
Week 4 Software Development In The 21st Century
 
Microsoft Live Instructions
Microsoft Live InstructionsMicrosoft Live Instructions
Microsoft Live Instructions
 
Microsoft Live Instructions
Microsoft Live InstructionsMicrosoft Live Instructions
Microsoft Live Instructions
 
Group 65 Debate Framework
Group 65 Debate FrameworkGroup 65 Debate Framework
Group 65 Debate Framework
 
Week 5 Disruption
Week 5 DisruptionWeek 5 Disruption
Week 5 Disruption
 
Week 3 -- An Open World
Week 3 --  An  Open  WorldWeek 3 --  An  Open  World
Week 3 -- An Open World
 
Pwning The Faerie Queene
Pwning The Faerie QueenePwning The Faerie Queene
Pwning The Faerie Queene
 
Week 10 Technical Stack I I 03
Week 10      Technical  Stack  I I 03Week 10      Technical  Stack  I I 03
Week 10 Technical Stack I I 03
 

Ähnlich wie Vanderbilt IT Acceptable Use Policy

NIST Privacy Engineering Working Group - Risk Model
NIST Privacy Engineering Working Group  - Risk ModelNIST Privacy Engineering Working Group  - Risk Model
NIST Privacy Engineering Working Group - Risk ModelDavid Sweigert
 
Resourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docx
Resourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docxResourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docx
Resourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docxdebishakespeare
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdfdeepakbharathi16
 
The Risks of Horizontal Privilege Escalation.pdf
The Risks of Horizontal Privilege Escalation.pdfThe Risks of Horizontal Privilege Escalation.pdf
The Risks of Horizontal Privilege Escalation.pdfuzair
 
Security
SecuritySecurity
SecurityNabatah
 
CH01-CompSec4e.pptx
CH01-CompSec4e.pptxCH01-CompSec4e.pptx
CH01-CompSec4e.pptxams1ams11
 
University Personal Devices (BYOD) Policy
University Personal Devices (BYOD) PolicyUniversity Personal Devices (BYOD) Policy
University Personal Devices (BYOD) Policykeyashaj
 
Untitled document.pdf
Untitled document.pdfUntitled document.pdf
Untitled document.pdfgoogle
 
Internet policy[1]
Internet policy[1]Internet policy[1]
Internet policy[1]leslieannpt
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01ITNet
 
IA 124 Lecture 01 2022 -23-1.pdf hahahah
IA 124 Lecture 01 2022 -23-1.pdf hahahahIA 124 Lecture 01 2022 -23-1.pdf hahahah
IA 124 Lecture 01 2022 -23-1.pdf hahahahflyinimohamed
 
Cyber Security_Training Presentation.pptx
Cyber Security_Training Presentation.pptxCyber Security_Training Presentation.pptx
Cyber Security_Training Presentation.pptxmusicalworld14
 
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docxABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docxSALU18
 
Responsibilities of the CSIRT--abss.pptx
Responsibilities of the CSIRT--abss.pptxResponsibilities of the CSIRT--abss.pptx
Responsibilities of the CSIRT--abss.pptxMuhammadAbdullah311866
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...cyberprosocial
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docxhyacinthshackley2629
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docxblondellchancy
 
dokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docx
dokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docxdokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docx
dokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docxams1ams11
 
Text me the answer fetc 2013
Text me the answer  fetc 2013Text me the answer  fetc 2013
Text me the answer fetc 2013Carlos Fernandez
 

Ähnlich wie Vanderbilt IT Acceptable Use Policy (20)

NIST Privacy Engineering Working Group - Risk Model
NIST Privacy Engineering Working Group  - Risk ModelNIST Privacy Engineering Working Group  - Risk Model
NIST Privacy Engineering Working Group - Risk Model
 
Resourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docx
Resourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docxResourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docx
Resourcescomputeruse2_Unit III Publisher 4 (Project 9-4).docx.docx
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdf
 
The Risks of Horizontal Privilege Escalation.pdf
The Risks of Horizontal Privilege Escalation.pdfThe Risks of Horizontal Privilege Escalation.pdf
The Risks of Horizontal Privilege Escalation.pdf
 
Security
SecuritySecurity
Security
 
CH01-CompSec4e.pptx
CH01-CompSec4e.pptxCH01-CompSec4e.pptx
CH01-CompSec4e.pptx
 
University Personal Devices (BYOD) Policy
University Personal Devices (BYOD) PolicyUniversity Personal Devices (BYOD) Policy
University Personal Devices (BYOD) Policy
 
Untitled document.pdf
Untitled document.pdfUntitled document.pdf
Untitled document.pdf
 
Internet policy[1]
Internet policy[1]Internet policy[1]
Internet policy[1]
 
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
 
IA 124 Lecture 01 2022 -23-1.pdf hahahah
IA 124 Lecture 01 2022 -23-1.pdf hahahahIA 124 Lecture 01 2022 -23-1.pdf hahahah
IA 124 Lecture 01 2022 -23-1.pdf hahahah
 
Cyber Security_Training Presentation.pptx
Cyber Security_Training Presentation.pptxCyber Security_Training Presentation.pptx
Cyber Security_Training Presentation.pptx
 
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docxABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
ABC Healthcare LimitedIncidence Response Policy1. Purpose. T.docx
 
Responsibilities of the CSIRT--abss.pptx
Responsibilities of the CSIRT--abss.pptxResponsibilities of the CSIRT--abss.pptx
Responsibilities of the CSIRT--abss.pptx
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
 
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
1.    TitleIT Security Risk Assessment2.    IntroductionYou .docx
 
CSI-ZG-513
CSI-ZG-513CSI-ZG-513
CSI-ZG-513
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx
 
dokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docx
dokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docxdokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docx
dokumen_tips_computer_security_by_william_stallings_ch_1_mcq.docx
 
Text me the answer fetc 2013
Text me the answer  fetc 2013Text me the answer  fetc 2013
Text me the answer fetc 2013
 

Mehr von UC Santa Barbara

Next Generation Network @ VU Abridged Oct. 2010
Next Generation Network @ VU Abridged Oct. 2010Next Generation Network @ VU Abridged Oct. 2010
Next Generation Network @ VU Abridged Oct. 2010UC Santa Barbara
 
Cyberinfrastructure And Network Computing
Cyberinfrastructure And Network ComputingCyberinfrastructure And Network Computing
Cyberinfrastructure And Network ComputingUC Santa Barbara
 
Unified Collaboration And Technical Vision
Unified Collaboration And Technical VisionUnified Collaboration And Technical Vision
Unified Collaboration And Technical VisionUC Santa Barbara
 
CFT2009: Digital Intervention in the Dissemination of Knowledge
CFT2009: Digital Intervention in the Dissemination of KnowledgeCFT2009: Digital Intervention in the Dissemination of Knowledge
CFT2009: Digital Intervention in the Dissemination of KnowledgeUC Santa Barbara
 
Week 8 -- Digital Distribution
Week 8 -- Digital DistributionWeek 8 -- Digital Distribution
Week 8 -- Digital DistributionUC Santa Barbara
 

Mehr von UC Santa Barbara (7)

Next Generation Network @ VU Abridged Oct. 2010
Next Generation Network @ VU Abridged Oct. 2010Next Generation Network @ VU Abridged Oct. 2010
Next Generation Network @ VU Abridged Oct. 2010
 
Who is watching facebook
Who is watching facebookWho is watching facebook
Who is watching facebook
 
Cyberinfrastructure And Network Computing
Cyberinfrastructure And Network ComputingCyberinfrastructure And Network Computing
Cyberinfrastructure And Network Computing
 
Unified Collaboration And Technical Vision
Unified Collaboration And Technical VisionUnified Collaboration And Technical Vision
Unified Collaboration And Technical Vision
 
CFT2009: Digital Intervention in the Dissemination of Knowledge
CFT2009: Digital Intervention in the Dissemination of KnowledgeCFT2009: Digital Intervention in the Dissemination of Knowledge
CFT2009: Digital Intervention in the Dissemination of Knowledge
 
Understanding Games
Understanding GamesUnderstanding Games
Understanding Games
 
Week 8 -- Digital Distribution
Week 8 -- Digital DistributionWeek 8 -- Digital Distribution
Week 8 -- Digital Distribution
 

Kürzlich hochgeladen

How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 

Kürzlich hochgeladen (20)

How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 

Vanderbilt IT Acceptable Use Policy

  • 1. Vanderbilt University Page 1 of 5 v.1.1 1/29/2015 cmf Vanderbilt’s Acceptable Use Policy – Higher Standards for IT Professionals Vanderbilt IT personnel are granted elevated or privileged access to Vanderbilt University’s information and information systems. This privileged access places the Vanderbilt IT professional in a higher level of trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt University must strive to be trusted and highly skilled custodians through: A. Preserving confidentiality  Does not access regulated and/or confidential information* outside what is required as part of their work.  Does not share regulated and/or confidential information* they access or view while doing their work.  Does not share any detail at all about what they see in the context of doing their work.  Complete annual reviews of Acceptable Use Policy and confidentiality policies. B. Protecting data and information integrity  Keeps computers locked when they’re not using them to prevent others from using them.  Protects/secures the passwords they use to access this information.  Does not circumvent any Vanderbilt security measures.  Does not install or place anything on computers or the Vanderbilt network that isn’t supposed to be there – sniffers, keystroke loggers, other devices unless required to do so for work. C. Establishing and maintaining availability of information systems  Stays trained on current technologies relative to their work.  Responds to service outages in a timely fashion depending on the service level required for systems they manage.  Monitor usage and availability of systems they manage. D. 
Educating those around them about IT and social risks related to information systems  Does not “cyber slack” – cyber slacking sets a bad example for others and there are security risks with going to some outside services. (i.e., don’t watch movies, the final four, YouTube, or go to Facebook, etc. unless required to do so for work.)  Stays current on IT and social risks through reading and training, and disseminates that information to their department members on a bi-annual basis. E. Enhancing and maintaining technical skills  Stay trained on current technologies relative to their work.  Recommend 40 hours of work and technology related training each year.  Gain and maintain certifications for the systems and servers they manage. F. Demonstrating an understanding of the areas they serve  Exhibit an extemporaneous understanding of the desktop and server environments for which they are responsible.  Understand and document the applications their department and colleagues use on a regular basis.  Understand and document technology processes in their department.  They understand the data types and data classifications of the information processed in their department, and the risks associated with that data.
  • 2. Information Technology Services Vanderbilt University Page 2 of 5 v.1.3 1/29/2015 cmf

Violation Levels

Level 1: Negligent Act (Carelessness)
A. This level of violation occurs when a workforce member unintentionally or carelessly does something that leaves regulated and/or confidential information* susceptible to being overheard, accessed, or revealed to unauthorized individuals.
B. Examples of Level 1 violations include:
  a. Emailing a file that includes regulated and/or confidential information* to the wrong person;
  b. Faxing regulated and/or confidential information* to an incorrect fax number in error;
  c. Gossiping about a student, faculty or staff member’s private information based upon hearsay information without the student, faculty or staff member’s authorization, when such gossip results in a complaint by that faculty or staff member or their representative to an appropriate Vanderbilt authority.
  d. Leaving a computer unlocked when it has access to systems with regulated and/or confidential information*.

Level 2: Negligent Act (Not Following Procedure)
A. This level of violation occurs when a workforce member takes an action that fails to comply with a privacy or information security procedure or policy, resulting in potential or actual breach of information privacy or security.
B. Examples of Level 2 violations include:
  a. Releasing information to another individual about a user(s) without proper authorization, identification or verification;
  b. Releasing information about a user who is designated as “No Information status” to anyone not directly involved in the support of a user or otherwise required to have access to the information to do their job at Vanderbilt;
  c. Gossiping or sharing information about a Vanderbilt user’s confidential information with someone who is otherwise not authorized to have access to that information;
  d. Failure to follow defined policies or procedures that results in unintentional disclosure or incidental disclosure of highly sensitive data causing distress or harm to a person or the institution;
  e. Failure to account for disclosures as required by law and policy within Vanderbilt.
  f. Sharing ID/password with another person or using another person’s ID/password that allows access to that individual’s computer or personal information, not to restricted system/s and confidential information of others.
  g. Leaving medical records, or a copy of regulated and/or confidential information*, or other federal or state regulated data, or other confidential information out in the open and unattended;
  h. Repeated incidents of Level 1 violations.
  • 3.

Level 3: Deliberate Act (Curiosity or Concern)
A. This level of violation occurs when a workforce member deliberately accesses, reviews, or discusses confidential information or systems, without documented authorization to do so.
B. Examples of Level 3 violations include:
  a. Accessing another person’s confidential information:
    i. Accessing and reviewing the record of a user out of concern or curiosity without authorization;
    ii. Gossiping or sharing regulated and/or confidential information* or other federal or state regulated data obtained through your role at Vanderbilt with someone otherwise not authorized to have access to that information, without appropriate authorization to disclose that information;
    iii. Looking up birthdates, addresses, or other demographic or appointment information without authorization to do so.
  b. Security of Information Systems:
    i. Sharing ID/password with another person or using another person’s ID/password that allows access to restricted system/s and regulated and/or confidential information* of others. (e.g., Tier 2 information as defined in OP 10-40.33);
    ii. Accessing or connecting to Vanderbilt information systems (e.g., computers, servers, routers, switches) without authorization;
    iii. Circumventing Vanderbilt security measures without documented authorization;
    iv. Giving an individual access to your electronic signature;
    v. Attempting to gain unauthorized or inappropriate access to any system or data.
  c. Repeated incidents of Level 1 or Level 2 violations.

Level 4: Blatant Disregard for Confidentiality (Personal Use or Malicious Intent)
A. This level of violation occurs when a workforce member accesses, reviews, or discloses confidential information or fails to comply with information security safeguards that result in loss of availability, integrity, and confidentiality of systems or data for personal gain or with malicious intent.
B. Examples of Level 4 violations include:
  a. Accessing another person’s confidential information:
    i. Accessing or allowing access to regulated and/or confidential information* without having a legitimate reason and disclosure or abuse of the information for personal gain or malicious intent;
    ii. Accessing another person’s regulated and/or confidential information* to use for personal purposes or in a personal relationship;
    iii. Compiling a mailing list for personal use or to be sold.
  b. Security of Information Systems
    i. Tampering with or unauthorized destruction of information;
    ii. Deliberate acts that adversely affect the integrity, availability, and/or confidentiality of Vanderbilt information systems (e.g., introduction of a virus to the Vanderbilt network);
  • 4.

  c. Unauthorized or inappropriate access to any system or data for personal gain or with malicious intent.

Discipline Levels

Level 1 or Level 2 Violations:
A. The administrator or chairman, or their designees responsible for implementing disciplinary/corrective action have enforcement discretion, taking into consideration the findings of the investigation and the specific facts and circumstances of the situation.
B. Gross negligence resulting in disclosure of that information to someone else not otherwise authorized to access that information, whether it is to a Vanderbilt employee or someone outside of Vanderbilt, results in the highest level of disciplinary action, up to and including termination of employment.
C. The administrator or chairman, or their designees consult with Human Resources/Employee Relations in determining the action to be taken.
D. Most incidents result in progressive action steps beginning with re-education, work-flow analysis, and process improvement. Repeated violations may result in escalation of disciplinary steps, up to and including termination of employment.

Level 3 or Level 4 Violations:
A. The nature of some violations is serious enough to warrant specific disciplinary action as opposed to implementing progressive action steps.
B. Deliberate, unauthorized access to an individual’s regulated and/or confidential information* results in Final Performance Improvement Counseling (PIC) for staff; and a minimum of a written warning for faculty, students and staff.
C. Deliberate, unauthorized access to a user’s record and disclosure of that information to someone else not otherwise authorized to access that information, whether it is to a Vanderbilt employee or someone outside of Vanderbilt, results in the highest level of disciplinary action, up to and including termination of employment.
D. Gaining unauthorized access to any system and compromising the integrity, availability, or confidentiality of the system or any data results in the highest level of disciplinary action, up to and including termination of employment.
  • 5.

* Regulated and/or confidential information includes:
  - Personally Identifiable Information (PII)
  - Protected Health Information (PHI)
  - Payment Card Industry (PCI) information
  - Family Educational Rights and Privacy Act (FERPA) information
  - Federal Information Security Management Act (FISMA) information
  - Gramm-Leach-Bliley Act (GLB) information
  - Other information Vanderbilt deems confidential