Information Security Procedures

Many of these information security procedures are technical in nature and are intended for information custodians, systems administrators and other IT professionals in the enterprise.

Executive Summaries

Information Security & Appropriate Use
Privacy and Patient Information

Exception Request and other Related Forms

   

Links to Information Security Related Forms

   

 Information Security Procedures

Procedure   Effective Date   Last Updated
Access to Data Center, Switch Rooms and Network Closets  09/16/2003 07/01/2013
Access to Secured IT Work area in Business Service Center 01/02/2008 01/07/2013
Access Control of IT Resources 03/05/2007 07/27/2012
Access Control Form (09-2-10) Word Format    
Access Control - Active Directory Computer Accounts 01/29/2013  08/02/2013
Access Control - Active Directory User Accounts 01/29/2013  08/02/2013
Access Control - Client Management and Asset Management 07/01/2013  
Access Control - Endpoint Protection 07/02/2013  
Access Control - File Server Management Suite 07/12/2013  
Access Control - LDAP Access Control User Accounts  10/04/2013  11/21/2013
Access Control - Symantec Endpoint Encryption 08/01/2013  
Access Control - Vulnerability Scanner 03/08/2013  
Access Control - Web Filtering 03/08/2013  
Active Directory:  Security Principles Across Domains 11/2006 01/16/2013
Audit of Electronic Protected Health Information (ePHI) in Information Systems 11/01/2006 07/27/2012
Authentication Services 11/21/2013  
Blocking MAC Address on Wireless (See Inappropriate Network Traffic)    
Business and Academic Partner Network Access  03/04/2003 07/27/2012
 UNMC Business Partner Agreement (Network Access / No contract exists)   09/2014
 UNMC Business Partner Addendum (Network Access / signed contract is already in place)   09/2014
 NMC Business Partner Agreement (Network Access / no contract exists)   09/2014
 NMC Business Partner Addendum (Network Access / signed contract is already in place)   09/2014

 Business "Associate" Forms are located on the HIPAA Forms Page
 Guidelines - When to use a Business "PARTNER" vs Business "ASSOCIATE" Agreement

   
Change Control ~ Sample Change Control Document 02/2005  01/10/2013
Change Management (UNMC) 10/2013  
Credit Card Processing 08/2007 08/2013
DMZ Servers (Internet/Public Access) 01/21/2003 07/27/2012
Database Security 09/29/2003 12/27/2011
Destruction of Private and Confidential Information 03/17/2003 08/18/2013
Disaster Recovery Plan 10/04/2004 07/26/2012
Key Business Processes 08/2007 08/13/2013
Disposal of Equipment (See Lifecycle Management of Laptops & PC Towers)  ~  ~
Electronic Communication of Protected Health Information (PHI) (Replaces Emails Containing PHI) 07/24/2003 09/24/2013
eDiscovery (Proper handling of eDiscovery and Legal Requests) 01/13/2009 03/15/2013
Emails Containing Protected Health Information (PHI) (See Electronic Communication of PHI)
Encryption (See End User Device)  ~  ~
End User Device (Mobile Devices, Encryption, software, backups, physical security... more) 01/21/2003 06/18/2013
Executive Summary - Information Security and Appropriate Use  ~  ~
Executive Summary - Privacy and Patient Information  ~  ~
Facility Security -- Computing Center Building (Replaced by Access to Data Center, Switch Rooms & Network Closets)  ~  ~
File Transfer of Confidential Information 07/28/2010 01/03/2013
Inappropriate Network Traffic (Handling of) 09/21/2010 10/06/2011
Information Security Incident Reporting and Response 01/21/2003 07/16/2012
Information Security Plan 02/09/2004 03/05/2013
International Travel - Protecting Mobile Devices (See Travel with Electronic Devices) 01/20/2011  
Legal Requests (see eDiscovery)    
Lifecycle Management of Laptops/Computer Towers/Tablets (Purchase, Transfer and Destruction of) 05/01/2011  09/18/2013
Mobile Devices - Draft as of 08/12/2013 DRAFT  ~
Network Equipment and Infrastructure Access Control 01/21/2003 07/27/2012
Network Vulnerability Assessment  03/21/2007 07/11/2013

Exception Form for Network Vulnerability Scans (word document)

   
Password Security 01/18/2003 06/2014

Passwords - Shared Account Risk Assessment Form

   
Posting Software on eServ (Employee Services) 08/15/2007 01/16/2013
Port Deactivation -- See Inappropriate Network Traffic  ~  ~
Risk Assessment    ~   Risk Assessment Exception Request Form  01/2011  01/03/2013
Remote Access (for Workforce)  02/06/2006  02/19/2013
Remote Access for Backup File Server 03/05/2007 10/06/2011
Remote Access - GRaSP (Grants and Special Projects) Account Setup (ITS Procedure) 10/16/2012  ~
Remote Access Grid - Outlines remote access privileges that are auto-populated and those that require manual entry for UNMC, UNMCP, TNMC and BMC. 02/19/2013  
Flowchart:  Outlines how the auto-populated field "Attribute 11" is completed.    
Security Review Template (word document)  ~  09/2014
Separations (UNMC Physicians) 07/2012  
Spam (Compliance with CAN-SPAM Act of 2003) 04/20/2004 08/01/2013
Spam Email Complaints (Handling of) 03/05/2007 10/06/2011
Special Circumstance Separation (Notification Procedure) 02/14/2007 06/16/2014
Special Circumstance Separation (UNMC Physicians)  ~  ~
Telehealth (See Privacy Policies & Procedures under HIPAA Page)  ~  ~
Transfer/Disposal of Equipment (See Lifecycle Management of Laptops & PC Towers)  ~  ~
Travel with Electronic Devices (under development)    
Trusted File Server 01/21/2003 07/27/2012
Vendor Network Access (See Business & Academic Partner Network Access)  ~  ~
Wireless Use 01/21/2003 11/06/2012
Workforce Remote Access (See Remote Access) 02/06/2006 02/19/2013
Workstations - Securing of (See End User Devices)    
Workstation Changes/Patch Management 03/05/2007 07/11/2013

 
