Handbook of Operating Procedures

I. POLICY AND GENERAL STATEMENT

The University of Texas Health Science Center at Houston (“University”) relies on University Information Resources and University Data to conduct University business and achieve the University’s mission. University Information Resources and University Data must be used appropriately to ensure their availability and preserve their integrity and confidentiality so that the University can meet its academic, research and clinical commitments and goals. Federal and state laws and regulations, The University of Texas System (UT System) policies and University policies also require appropriate use and adequate protection of University Information Resources and University Data.

All Users are responsible for using and protecting University Information Resources and University Data appropriately and in accordance with this policy. To the extent applicable, this policy applies to students enrolled in distance learning programs and courses.

Nothing in this policy supersedes or modifies HOOP 201, Intellectual Property, HOOP 92, Research Data Retention and Access, or any other applicable University or UT System policies or Regents Rules pertaining to the ownership of intellectual property.

II. DEFINITIONS

University Information Resources:  All computer and telecommunications equipment, software, and media that is owned or controlled by the University or maintained on its behalf. 

University Data: All data or information held on behalf of the University or created as a result and/or in support of University business, including paper records. 

User:  Any individual granted access to University Information Resources and/or University Data.

Confidential Data:  All University Data that is required to be maintained as private or confidential by applicable law.  

Peer-to-Peer File Sharing Software: Computer software, other than computer and network operating systems, that has the capability to allow the computer on which it is used to designate files available for transmission to, transmit files directly to, and request transmission of files from another computer using the same software.  Examples include, but are not limited to, KaZaA, BitTorrent, Gnutella, eDonkey, eMule, Direct Connect, Vuze, Ares.

Virtual Machine: A software implementation of a machine (i.e., a computer) that executes programs as a physical machine would.

III. PROCEDURE

     A. Ownership and Access to University Information Resources; No Right to Privacy

Except as otherwise provided by HOOP 201, HOOP 92, the Long-Term Care Ombudsman Program policies and procedures, the Employee Assistance Program, or any other applicable University or UT System policies or Regents Rules pertaining to ownership of intellectual property, all University Information Resources and University Data are the property of the University and subject to this policy and all other applicable University and UT System policies. All University Data created and/or retained by a User are subject to this policy, even if created, stored, processed and/or transmitted on a User’s or another person’s personal computer, smart phone, email account, or other personal device or other non-University owned website. 

All University Information Resources and University Data are subject to access and/or monitoring by the University and/or UT System without notice for any purpose consistent with the duties or mission of the institution including, but not limited to, responding to public information requests, court orders, subpoenas or litigation holds and conducting University Information Resource related maintenance, inventories and investigations related to the duties and missions of the University. To the extent a User has created, stored, processed and/or transmitted University Data on the User’s or another person’s personal computer, smart phone, email account or other personal device or other non-University owned website, the User must provide the University with access to that University Data upon request.  The University does not assert an ownership interest in the content of exclusively personal information or documents stored on University Information Resources as part of a User’s Incidental Use, as defined in this policy.  However, such information and documents may be subject to access and/or monitoring by the University as described above.     

     B. Guidelines for Use of University Information Resources and University Data

Users are required to formally acknowledge that they will abide by this policy. Users are also required to complete initial and recurring information security awareness training.  Failure to agree to and abide by these requirements will result in termination of User’s access to University Information Resources and University Data.

Users must report any identified weakness in University computer security and any incident of possible misuse or violation of this policy to one of the following:

• the Information Security Department (its@uth.tmc.edu or 713-486-3444);
• the IT User Experience and Solution Center (713-486-4848); or
• the Compliance Hotline.

A User’s access may be disabled (via account or connection) at the University’s sole discretion if required security software is not installed on the User’s computer or device, or if activity indicates that the computer or device may be infected with a virus or malware, be party to a cyber attack or may otherwise endanger the security of University Information Resources or University Data.  Access may be re-established once the computer or device is deemed secure by the Information Security Department.

1. General Practices

• Users must not use a University email account to send emails that are likely to contain computer viruses, “chain letter” emails or “broadcast” emails (unsolicited emails to large groups).
• The use of quotes, inspirational messages, humorous one-liners, etc., in email signatures is not permitted.
• Users must not use University Information Resources to: engage in acts contrary to the mission and purposes of the University; intimidate or harass other Users; alter, damage or degrade the performance of University or other information resources; or circumvent computer information security safeguards.
• University Information Resources must not be used to conduct or promote a personal business or for the sole benefit of individuals or organizations that are not part of The UT System.
• Obscene, pornographic or other offensive material or topics intentionally accessed, created, stored or transmitted using University Information Resources is permitted only in the course of academic research as approved by the Institutional Review Board (“IRB”).  The researcher must provide documentation of this aspect of the research to the Chief Information Security Officer (CISO) so that it can be included with the Internet logs that are regularly reviewed. Offensive materials include, but are not limited to, materials that might offend a reasonable person on the basis of their race, gender, age, national origin, sexual orientation, religious belief, disability or other status protected by law. 
• Users must comply with U.S. Copyright Law and the Software Copyright Compliance Policy (ITPOL-018). Users must not download, copy, reproduce or use any software protected by copyright, including electronic media or files (e.g., e-books, music, photos and videos), except as expressly permitted by the software license. Users may not use unauthorized copies or reproductions on University Information Resources. For information on copyright, including fair use, creating multimedia and other topics, view UT System's Copyright Crash Course.
• Users must not disclose Confidential Information or other information that would, by itself or together, put the University at risk of legal, reputational or other damages, including physical or information security breaches.

• Users must not give the impression that they are representing, giving opinions or making statements on behalf of the University unless authorized to do so. When appropriate, users should use a disclaimer stating that the opinions expressed are their own and not necessarily those of the University.  
• Users may not use University Information Resources  for the conduct or promotion of a personal business or political activity.
• In University and clinical settings, members of the University community may not intentionally make recordings of any type (including video and audio) without the express knowledge and consent of all those being recorded. In general, group meetings should not be recorded except in limited circumstances, such as lectures recorded in the ordinary course and scope of business. These general prohibitions do not apply to security cameras or other recording devices approved by the University for security or operational purposes.

2. Incidental Use

• Users must use University Information Resources for University business only and not for personal use, except for appropriate Incidental Use in accordance with this policy.
• Users have no expectation of privacy with regard to personal information that they elect to store on any University Information Resource. The User’s University email accounts and other University Information Resources should not be used for personal email or other correspondence that is or may be considered confidential to the User or others.
• Incidental Use must not interfere with normal performance of the User’s duties as an employee or, in the case of non-employee Users, the purpose for which the User was granted access to University Information Resources. 
• Access to or storage of sexually explicit materials as part of Incidental Use is prohibited at all times.
• Incidental Use is permitted by the User only and does not extend to family members or others.
• Storage on University Information Resources of any files, emails, documents, text messages, voice mails or other information for Incidental Use is discouraged.  In any event, any such storage must be nominal.
• The University does not assume any responsibility for any personal files, emails, documents, text messages, voice mails or other information stored on University Information Resources as part of a user’s Incidental Use.  Such storage is at the user’s own risk.
• Personal information stored on University Information Resources may be subject to open records requests pursuant to the Texas Public Information Act and other applicable laws.
• Incidental Use must never result in a direct cost to the University, expose the University to unnecessary risk nor violate any applicable laws or University policies.
• Users must not use their University email accounts to send personal commercial advertising nor post personal commercial advertising on University web sites.

3. Email and Internet Use

• University provided email addresses and Internet designations are the property of the University.
• Employees must conduct University business using University email accounts rather than personal or non-University email accounts. Confidential Information contained in email must be encrypted.
• Users’ email and Internet activities are subject to logging and review for purposes related to the University’s mission and duties.
• Users must not use their University email address to subscribe to email lists or email services strictly for personal use.
• Users must not use University email for purposes of political lobbying or campaigning except as permitted by The University of Texas System Regents' Rules and Regulations.
• Users must not read another User's University email unless authorized to do so by the owner of the email account, as authorized for investigation, or as necessary to maintain services.
• Users must not impersonate the identity of another User by sending communication from that User’s University email account, except when authorized to do so by the owner of the email account.
• Only the Office of Development, Office of Public Affairs or other designated positions at each school or unit are authorized to send University or school wide broadcast email.
• Emails sent or received by Users in the course of conducting University business are University Data that are subject to state records retention and security requirements.

4. Access to University Information Resources and University Data

• Access to University Information Resources and University Data must be on a need to know basis and must be granted using the rule of least privilege. All Users must only have access to the resources they need to perform their job responsibilities.
• Users must not deprive other Users of University Information Resources or University Data or obtain extra access to University Information Resources or University Data beyond those assigned.
• Users must not disclose, modify, delete or destroy University Information Resources or University Data unless authorized.

5. Passwords and Access Codes

• Passwords and password use must comply with the Password Policy (ITPOL-002).
• Users must not share passwords or similar information or devices used for identification and authorization purposes, such as digital certificates, security tokens or smart cards.  Each User is responsible for all activities conducted using his or her account(s) to access University Data and/or University Information Resources.
• Users must avoid entering their password through the use of auto logon, application “remember password” features, embedded scripts or hard-coded passwords in client software to access University Information Resources.

6. Security and Protection of University Information Resources and/or University Data

This section applies to all computers and other devices or systems upon which University Information Resources or University Data are maintained regardless of whether the device or system is owned by the University.

• Portable devices must be used in accordance with the Portable Storage Device Policy (ITPOL-001) and Laptop Security Policy (ITPOL-007).
• Password protected screen locking must be enabled and set to activate within 15 minutes or less on all computers, laptops and portable devices, where technologically possible. Screen locks must be manually activated by the User when left unattended.
• Laptops, portable devices and media must be physically secured when unattended.
• Laptop hard drives, other portable devices and media must be encrypted in accordance with the Portable Storage Device Policy (ITPOL-001) and Laptop Security Policy (ITPOL-007).
• Computers and laptops that connect to the University network must be protected by current, updated and functioning security software, which includes virus protection software and may include firewall, host intrusion protection or other security software as specified by the Information Technology Department.  Required security software must not be disabled or bypassed except as required by the installation of software or for other special circumstances or procedures that require the temporary disabling of such software.
• Users must not alter the configuration of any University Information Resource without authorization from the Information Technology Department. This includes, but is not limited to, adding, removing or modifying hardware, software or operating systems, including peer-to-peer file sharing software or virtual machines.
• Peer-to-peer file sharing software must not be used except when required to conduct University business and when specifically authorized by the Information Technology Department. It must not be used inappropriately or in violation of U.S. Copyright Law or other applicable laws or policies. When configured incorrectly or maliciously, or used inappropriately, peer-to-peer file sharing software presents a high risk for security breaches and may result in inappropriate information disclosure and/or loss of information integrity Such incidents can severely reduce availability of University Information Resources and University Data.  
• Users must not download or use security programs or utilities that reveal or exploit weaknesses in the security of a system or that reveal information by circumventing established authorization procedures or controls, except as authorized by the CISO. Examples of such items include password cracking programs, packet sniffers and port scanners.
• All remote access to networks owned or managed by the University or UT System must be accomplished using a remote access method approved by the University or UT System, as applicable.

7. Confidential Information

• Users must not disclose Confidential Information except to authorized parties as required to accomplish authorized functions in support of University business.
• Confidential Information must be stored in the Datacenter Zone, the University’s network zone with the highest level of security. For circumstances in which University business requires that a User save Confidential Information to a portable device or media, it must be done in accordance with the Portable Storage Device Policy (ITPOL-001) and Laptop Security Policy (ITPOL-007) and comply with any policy that the system (information) owner may have communicated (see HOOP 175, Section III(B)). The User should consult with the Information Technology Department to ensure appropriate data protection measures are taken to guard against unauthorized disclosure and loss of availability or integrity of the information.
• Confidential information that must be emailed to conduct University business must be sent using a University email account and must be encrypted in accordance with the University’s Acceptable Encryption Policy (ITPOL-003).
• Confidential information transmitted over external networks must be encrypted in accordance with the University’s Acceptable Encryption Policy (ITPOL-003).
• Confidential information transmitted over wireless networks must use approved wireless transmission protocols and be done in compliance with the Wireless Network Security Standards (ITPOL-015).
• Users who store University Data using commercial cloud services must use services provided or sanctioned by the University, rather than personally obtained cloud services.

8. Enforcement

• Users who fail to comply with this policy are subject to disciplinary action up to and including termination of employment, professional or business relationship, or dismissal from school. In some instances of non-compliance, civil remedies or criminal penalties may apply.

IV. CONTACTS

• • IT Risk and Compliance Manager
  • 713-486-2219
  • itcompliance@uth.tmc.edu

---