Vanderbilt University Page 1 of 5 v.1.1
1/29/2015 cmf
Vanderbilt’s Acceptable Use Policy – Higher Standards for IT Professionals
Vanderbilt IT personnel are granted elevated or privileged access to Vanderbilt University’s information
and information systems. This privileged access places the Vanderbilt IT professional in a higher level of
trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually
enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt
University must strive to be trusted and highly skilled custodians through:
A. Preserving confidentiality
• Does not access regulated and/or confidential information* outside what is required as part of
their work.
• Does not share regulated and/or confidential information* they access or view while doing their
work.
• Does not share any detail at all about what they see in the context of doing their work.
• Completes annual reviews of Acceptable Use Policy and confidentiality policies.
B. Protecting data and information integrity
• Keeps computers locked when they’re not using them to prevent others from using them.
• Protects/secures the passwords they use to access this information.
• Does not circumvent any Vanderbilt security measures.
• Does not install or place anything on computers or the Vanderbilt network that isn’t supposed to
be there – sniffers, keystroke loggers, other devices unless required to do so for work.
C. Establishing and maintaining availability of information systems
• Stays trained on current technologies relative to their work.
• Responds to service outages in a timely fashion depending on the service level required for
systems they manage.
• Monitors usage and availability of systems they manage.
D. Educating those around them about IT and social risks related to information systems
• Does not “cyber slack” – cyber slacking sets a bad example for others and there are security risks
with going to some outside services. (i.e., don’t watch movies, the final four, YouTube, or go to
Facebook, etc. unless required to do so for work.)
• Stays current on IT and social risks through reading and training, and disseminates that
information to their department members on a bi-annual basis.
E. Enhancing and maintaining technical skills
• Stay trained on current technologies relative to their work.
• Recommend 40 hours of work and technology related training each year.
• Gain and maintain certifications for the systems and servers they manage.
F. Demonstrating an understanding of the areas they serve
• Exhibit an extemporaneous understanding of the desktop and server environments for which they
are responsible.
• Understand and document the applications their department and colleagues use on a regular
basis.
• Understand and document technology processes in their department.
• Understand the data types and data classifications of the information processed in their
department, and the risks associated with that data.
Information Technology Services
Vanderbilt University Page 2 of 5 v.1.3
1/29/2015 cmf
Violation Levels
Level 1: Negligent Act (Carelessness)
A. This level of violation occurs when a workforce member unintentionally or carelessly does
something that leaves regulated and/or confidential information* susceptible to being overheard,
accessed, or revealed to unauthorized individuals.
B. Examples of Level 1 violations include:
a. Emailing a file that includes regulated and/or confidential information* to the wrong person;
b. Faxing regulated and/or confidential information* to an incorrect fax number in error;
c. Gossiping about a student, faculty or staff member’s private information based upon hearsay
information without the student, faculty or staff member’s authorization, when such gossip
results in a complaint by that faculty or staff member or their representative to an appropriate
Vanderbilt authority.
d. Leaving a computer unlocked when it has access to systems with regulated and/or
confidential information*.
Level 2: Negligent Act (Not Following Procedure)
A. This level of violation occurs when a workforce member takes an action that fails to comply with a
privacy or information security procedure or policy, resulting in potential or actual breach of
information privacy or security.
B. Examples of Level 2 violations include:
a. Releasing information to another individual about a user(s) without proper authorization,
identification or verification;
b. Releasing information about a user who is designated as “No Information status” to anyone
not directly involved in the support of a user or otherwise required to have access to the
information to do their job at Vanderbilt;
c. Gossiping or sharing information about a Vanderbilt user’s confidential information with
someone who is otherwise not authorized to have access to that information;
d. Failure to follow defined policies or procedures that results in unintentional disclosure or
incidental disclosure of highly sensitive data causing distress or harm to a person or the
institution;
e. Failure to account for disclosures as required by law and policy within Vanderbilt.
f. Sharing ID/password with another person or using another person’s ID/password that allows
access to that individual’s computer or personal information, not to restricted system/s and
confidential information of others.
g. Leaving medical records, or a copy of regulated and/or confidential information*, or other
federal or state regulated data, or other confidential information out in the open and
unattended;
h. Repeated incidents of Level 1 violations.
Level 3: Deliberate Act (Curiosity or Concern)
A. This level of violation occurs when a workforce member deliberately accesses, reviews, or discusses
confidential information or systems, without documented authorization to do so.
B. Examples of Level 3 violations include:
a. Accessing another person’s confidential information:
i. Accessing and reviewing the record of a user out of concern or curiosity without
authorization;
ii. Gossiping or sharing regulated and/or confidential information* or other federal or
state regulated data obtained through your role at Vanderbilt with someone otherwise
not authorized to have access to that information, without appropriate authorization to
disclose that information;
iii. Looking up birthdates, addresses, or other demographic or appointment information
without authorization to do so.
b. Security of Information Systems:
i. Sharing ID/password with another person or using another person’s ID/password that
allows access to restricted system/s and regulated and/or confidential information* of
others. (e.g., Tier 2 information as defined in OP 10-40.33);
ii. Accessing or connecting to Vanderbilt information systems (e.g., computers, servers,
routers, switches) without authorization;
iii. Circumventing Vanderbilt security measures without documented authorization;
iv. Giving an individual access to your electronic signature;
v. Attempting to gain unauthorized or inappropriate access to any system or data.
c. Repeated incidents of Level 1 or Level 2 violations.
Level 4: Blatant Disregard for Confidentiality (Personal Use or Malicious Intent)
A. This level of violation occurs when a workforce member accesses, reviews, or discloses confidential
information or fails to comply with information security safeguards that result in loss of availability,
integrity, and confidentiality of systems or data for personal gain or with malicious intent.
B. Examples of Level 4 violations include:
a. Accessing another person’s confidential information:
i. Accessing or allowing access to regulated and/or confidential information* without
having a legitimate reason and disclosure or abuse of the information for personal
gain or malicious intent;
ii. Accessing another person’s regulated and/or confidential information* to use for
personal purposes or in a personal relationship;
iii. Compiling a mailing list for personal use or to be sold.
b. Security of Information Systems
i. Tampering with or unauthorized destruction of information;
ii. Deliberate acts that adversely affect the integrity, availability, and/or confidentiality
of Vanderbilt information systems (e.g., introduction of a virus to the Vanderbilt
network);
c. Unauthorized or inappropriate access to any system or data for personal gain or with
malicious intent.
Discipline Levels
Level 1 or Level 2 Violations:
A. The administrator or chairman, or their designees responsible for implementing
disciplinary/corrective action have enforcement discretion, taking into consideration the findings of
the investigation and the specific facts and circumstances of the situation.
B. Gross negligence resulting in disclosure of that information to someone else not otherwise
authorized to access that information, whether it is to a Vanderbilt employee or someone outside of
Vanderbilt, results in the highest level of disciplinary action, up to and including termination of
employment.
C. The administrator or chairman, or their designees consult with Human Resources/Employee
Relations in determining the action to be taken.
D. Most incidents result in progressive action steps beginning with re-education, work-flow analysis,
and process improvement. Repeated violations may result in escalation of disciplinary steps, up to
and including termination of employment.
Level 3 or Level 4 Violations:
A. The nature of some violations is serious enough to warrant specific disciplinary action as opposed to
implementing progressive action steps.
B. Deliberate, unauthorized access to an individual’s regulated and/or confidential information* results
in Final Performance Improvement Counseling (PIC) for staff; and a minimum of a written warning
for faculty, students and staff.
C. Deliberate, unauthorized access to a user’s record and disclosure of that information to someone else
not otherwise authorized to access that information, whether it is to a Vanderbilt employee or
someone outside of Vanderbilt, results in the highest level of disciplinary action, up to and including
termination of employment.
D. Gaining unauthorized access to any system and compromising the integrity, availability, or
confidentiality of the system or any data results in the highest level of disciplinary action, up to and
including termination of employment.
* Regulated and/or confidential information includes:
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Payment Card Industry (PCI) information
• Family Educational Rights and Privacy Act (FERPA) information
• Federal Information Security Management Act (FISMA) information
• Gramm-Leach-Bliley Act (GLB) information
• Other information Vanderbilt deems confidential
