
Handbook of Operating Procedures

Roles and Responsibilities for University Information Resources and University Data

Policy Number: 175

Subject:

Information Resources and Data

Scope:

This policy applies to anyone who: (1) uses, accesses, provides, maintains, supports or implements University Information Resources and/or University Data; (2) is responsible for the security, management or compliance of University Information Resources and/or University Data; or (3) enforces policies and conducts investigations related to University Information Resources and/or University Data.

Date Reviewed:
October 2019
Responsible Office:
Information Technology
Responsible Executive:
Vice President and Chief Information Officer

I. POLICY AND GENERAL STATEMENT

Except as otherwise provided in HOOP 201, HOOP 92 or any other applicable university policies, The University of Texas System (“UT System”) policies or Regents Rules pertaining to ownership of intellectual property, University Information Resources and University Data are owned by The University of Texas Health Science Center at Houston (“university”) and exist to support the mission of the university. University Information Resources and University Data must be used, managed and protected appropriately to ensure that they are:

  • Available;
  • Accurate and complete; and
  • Disclosed appropriately when needed.

University Information Resources and University Data fall under the authority and responsibility of the Chief Information Officer (CIO) and are subject to federal, state and local laws and regulations, UT System policies (including UT System Policy UTS 165) and university policies. The Senior Executive Vice President, Chief Operating and Financial Officer delegates the responsibility to department heads for ensuring that the university is in compliance with all relevant laws, regulations and policies. The Chief Information Security Officer (CISO) and the central Information Technology Department assist department heads by establishing policies, procedures and guidance for University Information Resources and University Data, published in the IT Policies and Documentation Repository.

University Information Resources and University Data are subject to many different threats that can reduce or eliminate data availability, compromise integrity and violate confidentiality; thus, it is imperative that they are safeguarded appropriately. Individual users’ actions can contribute to or reduce the risk of most threats. All users are responsible for their use, management and protection of University Information Resources and University Data and are accountable for their actions. All users have one or more roles to fulfill related to University Information Resources and University Data. This policy outlines such roles and describes the responsibilities of each.

Failure to comply with federal, state and local laws and regulations, UT System policies and university policies may result in fines, penalties and/or review by UT System, review by the State Auditor’s Office, review by federal agencies, or censure by the Texas Department of Information Resources (“DIR”) and any further action that DIR deems necessary to ensure compliance.

Nothing in this policy supersedes or modifies HOOP 201, Intellectual Property, HOOP 92, Research Data Retention and Access, or any other applicable university or UT System policies or Regents Rules pertaining to the ownership of intellectual property.

II. DEFINITIONS

University Information Resources: All computer and telecommunications equipment, software, and media that is owned or controlled by the university or maintained on its behalf.

University Data: All data or information created by or on behalf of the university.

The university does not assert an ownership interest in the content of exclusively personal information or documents stored on University Information Resources as part of a User’s Incidental Use (see HOOP 180, Acceptable Use of University Information Resources). However, such information and documents may be subject to access and/or monitoring by the university.

User: Any individual granted access to University Information Resources and/or University Data.

System Owner: The person responsible for the business function or project that depends on a system. If a system supports multiple business functions, the System Owner is the person responsible for the overall program that the system supports. Examples of System Owners include:

  • Department heads, such as associate deans, assistant deans and department chairs;
  • Individuals who serve under department heads, such as division heads, program directors and principal investigators; and
  • Individuals with financial and/or administrative responsibility and accountability for their department or project, such as process owners, principal investigators and directors.

System Owners are typically one organizational level below the President, Executive Vice Presidents, deans or the Executive Director of the University of Texas Harris County Psychiatric Center, and are rarely more than two levels below.

Custodian: Provides technical facilities and/or hardware, software or application production support services for a University Information Resource or University Data. Each Custodian is assigned by Information Technology management and/or the System Owner and should have the knowledge and experience required to adequately perform the associated responsibilities. Examples of Custodians include (1) IT Infrastructure System Owners, (2) system, database and application administrators, (3) third parties providing outsourced support, and (4) school or department support personnel who have physical or logical control over hardware, software or services.

Information Security Administrator (ISA): A Custodian that has additional, security-focused responsibilities as outlined in UT System Policy UTS 165. A Custodian is assigned to the additional role of ISA by the System Owner. A third party providing outsourced support cannot be an ISA. The ISA assists the CISO in advancing the Information Security Program as a member of the Information Security Working Group.

Project Manager: The person responsible for the overall implementation of an information technology project from concept to rollout, including the strategic, financial and technical responsibilities, and for ensuring that the project is built and implemented securely. Implementation includes all or most of the following: procurement, functional and technical specification documentation, development, testing, integration, installation and training. Any manual or automated processes, including other University Information Resources, must also be taken into consideration. Typical examples of Project Managers include System Owners, Custodians and IT Infrastructure System Owners.

Information Technology Project: Any project that includes or relies on a University Information Resource.

IT Infrastructure System Owner: A Custodian of shared technology who is responsible for maintaining and operating hardware and associated software to provide computing services, storage and connectivity for University Information Resources. IT Infrastructure System Owners are information technology professionals who report to the university’s central Information Technology Department directly or indirectly through an established information technology department within a school. Examples of IT Infrastructure System Owners include information technology professionals reporting to the following areas:

  • Information Technology Security and Disaster Recovery Planning (part of central Information Technology)
  • Data Center Operations and Services (part of central Information Technology)
  • Communications Technology (part of central Information Technology)
  • Medical School Information Technology
  • School of Public Health Information Technology Services
  • School of Biomedical Informatics
  • Harris County Psychiatric Center Management Information Systems

Chief Information Security Officer (CISO): The Senior Executive Vice President, Chief Operating and Financial Officer has designated the CISO to serve as the information security officer as required by Title 1, Rule §202.71(d) of the Texas Administrative Code, with authority for the entire university. The CISO leads the Information Security and Disaster Recovery Planning department and reports directly to the Senior Executive Vice President, Chief Operating and Financial Officer, with an indirect (“dotted-line”) reporting relationship to the Chief Compliance Officer and the Chief Information Officer. The CISO and the department are assisted by the Information Technology Security Core Team and the departments.

Chief Information Officer (CIO): The CIO is responsible for overseeing the management of University Information Resources, University Data and the IT risk management program. Per UTS 165, the CIO is designated as the Information Resource Manager for the university, as defined by Chapter 211 of the Texas Administrative Code.

President: The President is ultimately responsible for the security of state information resources. Per Title 1, Texas Administrative Code, 202.70, a key responsibility of the President includes garnering support from senior university officials and information owners for the provision of information security for the information systems that support the operations and assets under their direct or indirect control.

Mission Critical Information Resources: University Information Resources defined by the university to be essential to its function and that, if made unavailable, will inflict substantial harm to the university and the university’s ability to meet its instructional, research, patient care or public service missions.

Triage Team: The Triage Team meets regularly to review suspected violations. The Triage Team consists of the following standing members, with others asked to attend as needed: the Chief Legal Officer, the Chief Human Resources Officer, the Chief of the University of Texas Police at Houston, the Chief Audit Officer and the Chief Compliance Officer.

III. PROCEDURES

All Users must be aware of their role(s) and accept the associated responsibilities. Role responsibilities cannot be delegated except as provided below.

Each User, by default, is assigned the User information resource role. Users may have more than one role and are responsible for reading the role descriptions below, identifying all of their additional roles and meeting the responsibilities of each role. For example, a User who is responsible for a business function that depends on a system may also be a System Owner, a User who is responsible for the implementation of a new system may also be a Project Manager, and a User who is responsible for the technical support of a system may also be a Custodian.

The primary roles are as follows:

  • User
  • System Owner (Information Owner, Data Owner)
  • Custodian
  • Information Security Administrator
  • Project Manager
  • IT Infrastructure System Owner
  • Chief Information Security Officer
  • Chief Information Officer
  • President
  • Auditing and Advisory Services
  • Office of Institutional Compliance (“OIC”)
  • Triage Team

A. User

A User’s primary responsibilities include:

  1. Use University Information Resources and University Data responsibly and for the purposes intended as determined by the System Owner.
  2. Comply with the controls established by the System Owner and be accountable for his or her actions.
  3. Know and comply with published university policies and procedures.
  4. Read and sign the Information Resources User Acknowledgement Form.
  5. Do not share passwords or similar information or devices used for identification and authorization purposes.
  6. Protect data appropriately regardless of the method of access.
  7. Determine if other roles apply to him or her and, if so, accept responsibility for the role(s) and meet the associated responsibilities.
  8. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017).
  9. Complete required University Information Resource and security related training.

B. System Owner (Information Owner, Data Owner)

A System Owner’s primary responsibilities include:

  1. Assume the role of System Owner or delegate the role. Accountability cannot be delegated.
  2. Formally assign/acknowledge the Custodian(s) and ISA for the system, including outsourced systems.
  3. Approve the level of access required by each Custodian to perform the required administration and maintenance and to implement the required security controls and procedures.
  4. Ensure that the system is in compliance with applicable federal, state and local laws and regulations, UT System policies and university policies, procedures and guidance. These include, but are not limited to: the accessibility requirements set forth in Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and university policies, procedures and guidance in the IT Policies and Documentation Repository.
  5. If the University Information Resource is a system containing electronic records subject to the Code of Federal Regulations, Title 21 part 11 (21 CFR part 11), the System Owner must demonstrate compliance with the requirements of those regulations.
  6. Determine the value of the system.
  7. Perform a risk assessment annually for Mission Critical Information Resources and at least once every two years for non-mission critical information resources. Identify and document the measures required and taken to meet an acceptable level of risk. Implement mitigation strategies as needed. Ensure that information security is addressed throughout the life cycle of the information resource.
  8. Classify and secure data appropriately, taking into consideration security or operational controls required to ensure the availability, confidentiality and integrity of the system’s data. Communicate these controls to the Custodian, train the Users as needed and confirm that the controls are in place on a regular basis.
  9. Document, justify, obtain approval for and be accountable for exceptions to security controls. System Owners must obtain the approval of the CISO for exceptions to security controls.
  10. Determine appropriate access for system users based on the minimum necessary access required to perform their assigned job responsibilities. Approve new access assignments and review all assigned access for appropriateness on a regular basis.
  11. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017).
  12. Create, maintain and train Users on the departmental business continuity plan.
  13. Include an adequate disaster recovery plan for the system as part of the departmental business continuity plan; see the Information Security Program. Ensure that the designated Custodian has a copy of the disaster recovery plan.
  14. Retain and destroy records in accordance with HOOP Policy 181, Records Management Program.

C. Custodian

A Custodian’s primary responsibilities include:

  1. Perform the required administration and maintenance of University Information Resources and University Data.
  2. Implement applicable University Information Resource and University Data policies, procedures and guidance in the IT Policies and Documentation Repository, including change management and security safeguards and controls.
  3. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017).
  4. Assist System Owners in performing risk assessments and evaluating the cost effectiveness of controls.
  5. Implement the controls specified by the System Owner and confirm that they are appropriate.
  6. Implement processes that aid in detecting, reporting and investigating security incidents.
  7. Assist System Owners in disaster recovery planning for the University Information Resource and University Data; see the Information Security Program.
  8. Maintain a copy of the disaster recovery plan in the appropriate location(s).
  9. Assist System Owners in complying with HOOP Policy 181, Records Management Program.
  10. Provide information necessary to provide appropriate information security training to employees.
  11. Ensure information is recoverable in accordance with risk management decisions.
  12. Ensure that University Information Resources designed for public use are configured to enforce security policies and procedures without User participation or intervention. Information resources must present a banner or notice prior to use.

D. Information Security Administrator

An Information Security Administrator’s primary responsibilities include:

  1. Implement and comply with all applicable policies and procedures related to assigned systems.
  2. Assist System Owners in performing the annual information security risk assessment of Mission Critical Information Resources.
  3. Report general computing and security incidents to the CISO.
  4. As a member of the ISA Working Group, assist the CISO in developing, implementing and monitoring the Information Security Program.
  5. Establish reporting guidelines, metrics and schedules for the CISO to monitor the effectiveness of security policies related to assigned systems.
  6. Report the status and effectiveness of University Information Resource and University Data security controls to the CISO at least annually.

E. Project Manager

A Project Manager’s primary responsibilities include:

  1. Identify existing university resources that can be used to deliver the required information technology by contacting the university’s central Information Technology Department or each school’s established information technology department.
  2. If the information technology project will be outsourced or hosted by a third party and will transmit, process or store university data, refer to the Information Service Provider Security and Compliance Checklist.
  3. Follow the System Development Methodology (ITGD-004) guideline when implementing information technology projects.
  4. Ensure that the information technology project is in compliance with applicable federal, state and local laws and regulations, UT System policies and university policies, procedures and guidance. These include, but are not limited to: the accessibility requirements set forth in Title 1, Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and university policies, procedures and guidance in the IT Policies and Documentation Repository.
  5. Identify, document and address security requirements in all phases of development or acquisition of University Information Resources or University Data.
  6. Ensure that the University Information Resource is/will be in compliance with federal, state and local laws and regulations, UT System and university policies and applicable University Information Resource policies, procedures and guidance published in the IT Policies and Documentation Repository.

F. IT Infrastructure System Owner

An IT Infrastructure System Owner’s primary responsibilities include:

  1. Procure, support, maintain and/or operate computing services, storage and connectivity, including but not limited to: servers, storage systems, Internet, Intranet, wide area Ethernet networks (clinic and business partner connections), fire alarm systems, security camera systems of the University of Texas Police at Houston, telephone systems, firewalls and intrusion detection/prevention.
  2. Ensure that the system is in compliance with applicable federal, state and local laws and regulations, UT System policies and university policies, procedures and guidance. These include, but are not limited to: the accessibility requirements set forth in Chapters 206 and 213 of the Texas Administrative Code and in UT System Policy UTS 150; information security and other information resource standards in UT System Policy UTS 165; and university policies, procedures and guidance in the IT Policies and Documentation Repository.
  3. Perform a risk assessment annually for Mission Critical Information Resources and at least once every two years for non-mission critical information resources. Identify and document the measures required and taken to meet an acceptable level of risk. Implement mitigation strategies as needed. Ensure that information security is addressed throughout the life cycle of the information resource.
  4. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017).

G. Chief Information Security Officer (CISO)

The CISO’s primary responsibilities include:

  1. Develop, oversee and monitor the documented Information Security Program and related security policies and procedures (including monitoring the effectiveness of the defined controls for Mission Critical Information Resources). The program applies to all University Information Resources and University Data and to everyone in the university who has a role related to University Information Resources or University Data.
  2. Obtain approval of the Information Security Program from the President or his or her designee.
  3. Provide regular reports and updates to the university’s Executive Compliance Committee (ECC) and UT System. Provide a report on the status and effectiveness of information resource security controls to the President (or his/her designee) at least annually.
  4. Promote University Information Resource and University Data security policies, procedures, standards and guidelines applicable to the central and decentralized areas of the university.
  5. Work with System Owners, Custodians, ISAs, IT Infrastructure System Owners, Project Managers and other information technology professionals to identify security requirements for University Information Resources and University Data and the implementation of security solutions to protect against unauthorized or accidental modification, destruction or disclosure.
  6. Have authority over security solution and implementation decisions.
  7. Review and approve security requirements for purchases of hardware, software, applications, information services or system development services.
  8. Perform and document an annual risk assessment to determine whether University Information Resources and University Data are adequately protected, including the identification of Mission Critical Information Resources.
  9. Make policy and procedure changes and practice recommendations as appropriate to improve the security environment.
  10. Establish and administer a process to address violations of security policies and procedures.
  11. Exercise authority to issue exceptions to security policies and procedures after appropriate review. Any such exceptions shall be justified, documented and communicated as part of the risk assessment process.
  12. Obtain access to any University Information Resource and University Data as needed.
  13. Report certain violations to the Triage Team, UT System and/or the DIR as required.
  14. Ensure that information security awareness training is provided to all employees on a regular basis and to all new employees within 30 days of their date of hire.
  15. Establish an Information Security Working Group composed of ISAs and meet at least quarterly.
  16. Have the training and experience to administer the functions described in this policy.
  17. Develop and maintain an institution-wide information security plan as required by §2054.133, Texas Government Code.
  18. Review the inventory of university information systems and the associated ownership and responsibilities at least annually.
  19. Verify that security requirements are identified and contractually agreed to and obligated before purchasing information technology hardware, software and system development services for any high impact computer application or any computer application that receives, maintains and/or shares confidential data.
  20. Report information security incidents, including unintentional or intentional misuse, in accordance with the Computer Security Incident Response Policy (ITPOL-017) and Title 1, Texas Administrative Code, 202.73.
  21. Attend UT System CISO Council meetings, working groups and related activities.

H. Chief Information Officer

The CIO’s primary responsibilities include:

  1. Develop strategic information technology plans and operating and capital budgets for the university to provide reliable and secure University Information Resources and University Data. This includes applications and infrastructure supporting the administrative, academic, research and clinical functions of the university.
  2. Promote the University Information Resource and University Data administrative and operational policies, procedures, standards and guidelines applicable to central and decentralized areas of the university.
  3. Promote records management policies and procedures and provide appropriate systems and services for an effective and efficient records management function, consistent with industry standards and federal, state and local laws and regulations.
  4. Establish partnerships with internal and external parties, including federal, state and local agencies, UT System, other UT institutions and other Texas Medical Center entities.
  5. Serve as the university’s technical representative to the Information Technology Governance Committee.
  6. Perform an annual risk assessment for University Information Resources.
  7. Responsible for the design, execution and effectiveness of internal controls providing reasonable assurance that operations are effective and efficient, assets are safeguarded, financial information is reliable, and applicable laws, regulations, policies and procedures are met.
  8. Respond to information resource audit recommendations and risk mitigation requests.
  9. Complete the continuing education requirements for the Information Resource Manager role in accordance with the Texas Administrative Code.
  10. Complete and submit the biennial information security plan in accordance with Texas Government Code §2054.133.

I. President

The President is ultimately responsible for the security of University Information Resources. The President’s responsibilities include:

  1. Designate a Chief Information Security Officer who has the explicit authority and the duty to administer the information security requirements of Title 1, Texas Administrative Code, Rule 202.70 for the entire university.
  2. Allocate resources for ongoing information security remediation, implementation and compliance activities that reduce risk to a level deemed acceptable by the President.
  3. Ensure that senior university officials and system owners, in collaboration with the Chief Information Officer (the university’s designated Information Resource Manager) and the Chief Information Security Officer, endorse the provision of information security for the information systems that support the operations assets under their direct or indirect (e.g., cloud computing or outsourced) control.
  4. Ensure that the university has trained personnel to assist the university in complying with the requirements of Title 1, Texas Administrative Code and related policies.
  5. Ensure that senior university officials support the university Chief Information Security Officer in developing, at least annually, a report on the university’s information security program.
  6. Approve high-level risk management decisions.
  7. Review and approve the university information security program at least annually.
  8. Ensure that information security management processes are part of the university’s strategic planning and operational processes.

J. Auditing and Advisory Services

Auditing and Advisory Services (A&AS) assesses information resources and the control environment and reports results to management and the Audit Committee, including at least a biennial review of the information security program as required by Texas Administrative Code Chapter 202.

K. Office of Institutional Compliance (OIC)

The OIC promotes compliance with all applicable legal, regulatory and policy requirements. The OIC assists the university’s Information Technology department(s) in conducting an annual risk assessment, identifying high risk areas with the assistance of the ECC, developing risk reduction plans and performing validation activities to ensure that the university’s information resource risk level is within the range acceptable to the ECC.

L. Triage Team

The Chief Compliance Officer, in coordination with the Triage Team, investigates or coordinates the investigation of all reported suspected violations of federal, state or local laws or regulations, UT System policies or university policies. The Triage Team also recommends appropriate action, which may include counseling, disciplinary action and/or reporting to other agencies as needed. The Triage Team reviews the results of all investigations and recommends further action as needed.

IV. CONTACTS

    • IT Risk and Compliance Manager
    • 713-486-2219
    • itcompliance@uth.tmc.edu
