Indiana University School of Medicine
Charter

Contents
1. Roles and Responsibilities
1.1. IUSM Chief Information Officer
1.2. IUSM Chief Technology Officer
1.3. IUSM Security Officer
1.4. Users
1.5. Managers
1.6. Stewards
2. Indiana University School of Medicine IT Policies
2.1. Definitions
2.2. Formulation and Issuance of IT Policies
2.3. Criteria for Establishing IT Policy
2.4. Formulating and Approving an IT Policy
2.5. Standard Format for IT Policies
2.6. Interim IT Policies
2.7. Issuing an IT Policy
2.8. Amending an IT Policy
Attachment: Policy Approval Process

The Indiana University School of Medicine Technology Strategic Plan established a school-wide information services organization, Information Services & Technology Management (ISTM), with several key responsibility areas - infrastructure, support, integrity, and standards. Based on these responsibilities, ISTM has developed this charter to describe how the organization will meet the IT needs of the school. This charter describes the roles and responsibilities of all members of the IUSM and also provides guidance on the formulation and issuance of school-wide IT policies.

1.    Roles and Responsibilities
The IUSM Strategic Technology Plan states "...the IUSM will continue to develop policies and implement procedures that protect the security of information technology resources and data, safeguard personal privacy, and respect intellectual property rights, while at the same time promoting two traditional university values associated with academic freedom:  access to information and freedom of discourse."  (page 12 IUSM Strategic Technology Plan)

All members of the IUSM community share in the responsibility for protecting information resources for which they have access or stewardship. This section describes the responsibilities and practices each member of the IUSM community shares for information technology use and security.  Individuals and departments within the IUSM may adopt additional requirements that are specific to their operations, provided that such requirements are consistent with existing IU and/or IUSM policies.  However, in the event that more specific policies govern certain types of information, e.g., Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), or financial information under the Gramm-Leach-Bliley Act (GLBA), the more specific policy will take precedence. Some individuals will have responsibilities in more than one area: a Manager is also a User and may be a Steward as well.

1.1.   IUSM Chief Information Officer
The Chief Information Officer (CIO) has the primary responsibility to lead the school-wide Information Services (IS) organization and to ensure the IS organization coordinates technology efforts across the school.  The CIO also coordinates negotiations about technology matters with the school's strategic partners.  The CIO shall report concurrently to the Dean of the School and the University Vice President for Information Technology/CIO, and his/her responsibilities include the following:

1.1.1.      Policy Setting and Enforcement.  In accordance with the IUSM Strategic Technology Plan (Section 2 Organization - Page 14 and Page 17) the CIO is responsible for setting and enforcing policies for Information Technology use throughout the IUSM.

1.1.2.      Initiatives of the Strategic Technology Plan. The CIO has primary responsibility to develop and implement the overall information services and technology management strategy for IUSM and to coordinate that strategy within IUSM and with its strategic partners.

1.1.3.      Information Technology Security.  The CIO is ultimately responsible for the security of IUSM computing resources.

1.1.4.      Utilization of UITS Services.  The CIO is responsible for enhancing utilization of services provided by the IU University Information Technology Services (UITS).

1.1.5.      Information Services and Technology Management (ISTM) leadership. The CIO is responsible for leading the activities of the ISTM unit. This includes development of service offerings, organizational management, and responsibility for the budget.


1.2.   IUSM Chief Technology Officer
The IUSM Chief Technology Officer (CTO) has the primary responsibility for evaluating new technologies and for leading the day-to-day operations of the ISTM. The Chief Technology Officer will report to the CIO and will manage the ISTM technical, operation, and administrative staff.

1.2.1.      Chain of Command. The IUSM CTO will have the authority to discharge the duties of the IUSM Chief Information Officer in the absence of the CIO.

1.2.2.      Evaluate New Technologies. The IUSM CTO directs activities related to identifying, assessing, and deploying new technologies to benefit the IUSM community.

1.2.3.      Operations. The IUSM CTO will lead the day-to-day operations of the ISTM staff. This includes all client support activities, hardware and software support, application development, budget process review, and human resource management.


1.3.   IUSM Security Officer
The IUSM Security Officer, or the individual(s) designated in writing by the IUSM Chief Information Officer to fulfill such duties, has primary responsibility for oversight of information security, networks and systems, security policy, and educating the IUSM community about security responsibilities. The IUSM Security Officer shall report to the IUSM Chief Information Officer, and his/her responsibilities include the following:

1.3.1.      Policy Oversight. The IUSM Security Officer must stay abreast of Federal and local legislation and how it affects security policy and planning. In addition, the IUSM Security Officer must monitor activities and best practices relating to security at other institutions and follow the activities of organizations in healthcare and higher education such as the American Association of Medical Colleges (AAMC), Educause, the Healthcare Information Management Systems Society (HIMSS), etc.

1.3.2.      Regulatory Requirements Oversight.  In collaboration with the IUSM Privacy Officer, provide overall leadership for the IUSM HIPAA Compliance Plan and its continuing compliance efforts.

1.3.3.      User training and awareness. In cooperation with Managers, the IUSM Security Officer is responsible for managing a school-wide training and awareness program for all members of the IUSM community and for consulting with members of the IUSM on information security issues.

1.3.4.      Oversight authority for IUSM networks and systems. The IUSM Security Officer is responsible for overseeing network and system security for resources managed by and/or connected to resources managed by the IUSM. The IUSM Security Officer also has approval authority for implementations that deviate from this policy when those implementations could have a school-wide impact. Such implementations should only occur with full knowledge of the CIO and CTO.

1.3.5.      Policy enhancements and revisions. In cooperation with other members of the school and university, the IUSM Security Officer shall periodically reassess policies to determine if revisions are needed to accommodate the fast changing nature of information technology or weaknesses in the policy. If such revision becomes necessary, the IUSM Security Officer will make all necessary revisions and submit the revised policy through the IUSM policy process for review and approval. The revised policy must be consistent with other university policies, laws, and agreements.

1.3.6.      Incident Handling and Reporting. The IUSM Security Officer will be the lead investigative officer for all security-related incidents.


1.4.   Users
All members of the IUSM community are "Users" of IUSM's information resources, even if they do not have responsibility for managing the resources. Users include, but are not limited to, students, faculty, staff, contractors, consultants, sponsored account holders, and temporary employees. Users are responsible for protecting information resources to which they have access. Their responsibilities cover both computerized and non-computerized information and information technology devices (paper, reports, books, film, microfiche, microfilm, computers, PDAs, disks, printers, phones, fax machines, etc.) that are in their care or possession. They shall follow the information security practices listed below, as well as any departmental or university information security practices.

1.4.1.      Familiarity with and adherence to university and IUSM policies. Users are expected to adhere to all Indiana University and IUSM policies and exercise good judgment in the use and protection of information resources.

1.4.2.      Physical security. Users shall utilize appropriate physical security for university equipment including desktop computers, laptop computers, PDAs, etc.

1.4.3.      Computer Security. Users must take steps to protect their desktop computers, laptop computers, PDAs, and all other equipment from electronic compromise by unauthorized individuals.

1.4.4.      Storage of information. Sensitive electronic information must be provided a high level of protection against unauthorized access and not be sent outside of IUSM unless it can be assured adequate protection.

1.4.5.      Destruction and disposal of information and devices. Sensitive information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons.

1.4.6.      Passwords. Users are responsible for creating and protecting passwords that grant them access to resources. Because shared passwords and identifiers present a major security risk, User identifiers and passwords must never be shared. Passwords that provide access to IUSM or other university resources must not be stored on personal computers and must not be displayed where they can be accessed by unauthorized individuals.

1.4.7.      Logging out. Users shall log off from applications, computers, and networks when finished, never leaving unattended personal computers with open sessions. If computers are located in the open or in a shared computer lab, Users shall complete their session and log off fully before leaving the computer. The use of boot or other start-up passwords is recommended in environments where unauthorized persons may have physical access to computers.

1.4.8.      Virus and malicious code protection. Users shall make sure that their computers employ mechanisms that protect against viruses and other forms of malicious code, which may be distributed through e-mail or the Web.

1.4.9.      Backups. Information stored on departmental and university file servers must be backed up regularly, following established procedures for off-site storage and business continuity readiness. Users should consider storing important files on these servers.  Information that is stored on computers and not easily replaced shall be either copied to removable media or to the server in order to protect against losses caused by a disk failure, virus, malicious activity, accidental deletion, or other act.  If the information is copied to removable media it should be physically secured against loss.

1.4.10.  Incident handling and reporting. Users shall report suspected or known compromises of information resources, including contamination of resources by computer viruses, to their Managers, the IUSM Security Officer, and/or university Security Personnel via current incident reporting procedures.


1.5.   Managers
Managers are members of the IUSM community who have management or supervisory responsibility including, but not limited to, deans, department chairs, directors, department heads, group leaders, supervisors. Faculty who supervise teaching and research assistants are included.  Managers have all the responsibilities of Users and, where information resources originate, Stewards. In addition, they share responsibility for information security with the people they manage and supervise. They also are responsible for the following:

1.5.1.      Establishing security policies and procedures. If Managers decide to establish specific information security policies and procedures for the people they manage or supervise, these must be consistent with IUSM policies, as well as with other university policies, contractual agreements, and laws.

1.5.2.      Managing authorizations. Managers must make sure people they manage have the access authorizations needed to perform their jobs. The authorizations themselves are acquired from the Stewards of the information resources. Managers are responsible for terminating an individual's access when that person is terminated or their job responsibilities change.

1.5.3.      Confidentiality.  Managers are responsible for administering and retaining confidentiality statements for the people they manage or supervise if confidentiality statements are required by the Steward(s) of the information. 

1.5.4.      User training and awareness. Managers shall provide an environment that promotes security. They shall ensure the people they manage have the training and tools needed to protect information.

1.5.5.      Incident handling and reporting. Managers shall report suspected or known compromises of information resources, including contamination of resources by computer viruses, to their Managers, the IUSM Security Officer, and/or university Security Personnel via current incident reporting procedures.


1.6.   Stewards
Stewards are those members of the IUSM community who have the primary responsibility for managing access to, and use of, particular information. All information covered under this policy has a Steward. One becomes the Steward either by designation or by virtue of having acquired, developed, or created information resources for which no other party has stewardship. For example, the Campus Librarians are the Stewards of the library catalogs and related records; and the IUSM Registrars are the Stewards of student data. For purposes of the Information Security Policy, faculty are considered the Stewards of their research and course materials; students are considered the Stewards of their own work. 

The term Steward as used here does not imply ownership in any legal sense, for example, as holder of a copyright or patent. Indeed, information stored on IUSM computers and networks may be legally owned by entities outside IUSM. This is the case, for example, with licensed software or data. In this context, Steward means only the person with primary responsibility for managing access to, or use of, an information resource. 

Stewards have the same responsibilities as Users of their information. In addition, they are responsible for the following:

1.6.1.      Establishing security policies and procedures. Stewards may establish specific information security policies and procedures for their information where appropriate. Stewards are responsible for the procedures related to the creation, retention, distribution and disposal of information. These must be consistent with IUSM policies, as well as with other university policies, contractual agreements, and laws. Stewards may impose additional requirements that enhance security.

1.6.2.      Assigning classifications and marking information. Stewards are responsible for determining the classification of their information and any specific information handling requirements, particularly as may be imposed by confidentiality agreements with third parties.

1.6.3.      Determining authorizations. Stewards determine who is authorized to have access to their information. They shall make sure that those with access have a need to know the information and know the security requirements for that information. Information may be disclosed only if disclosure is consistent with laws, regulations and internal university policies, including those covering privacy. Except under unusual and specifically recognized circumstances, access shall be granted only to individuals in such manner as to provide individual accountability.  Access authorization should not be shared unless extenuating circumstances require it.

1.6.4.      Record Keeping. It is required that Stewards keep records documenting the creation, distribution, and disposal of sensitive information. This process is also recommended for other types of information.

1.6.5.      Incident reporting. Stewards shall report suspected or known compromises of their information to their Managers, the IUSM Security Officer, and/or university Security Personnel via current incident reporting procedures. 


2.    Indiana University School of Medicine IT Policies
As defined by the IUSM Technology Strategic Plan, one of the duties of ISTM is to: "Develop and maintain global policies, procedures, and basic standards of conduct and operations for information processes, electronic technologies, and IUSM web-based activities."  (IUSM Strategic Technology Plan - Page 17)

A policy is a statement of principle(s), action(s), standard(s) and/or expectation(s) that form the basis and the requirements of an organization's operations.

IUSM information technology policies serve to create an environment that will help protect the vital role information plays in the IUSM's educational, research, operational, and clinical missions, and the importance of taking the necessary steps to protect information in all forms. As more information is used and shared by students, faculty and staff, both within and outside the IUSM, a coordinated effort must be made to protect systems and information. Policies serve to protect information resources from threats both within and outside of IUSM by setting forth responsibilities and practices that will help IUSM prevent, deter, detect, respond to, and recover from compromises to these resources, and to foster an environment of secure dissemination of information.

Indiana University School of Medicine IT policies must be kept current and made available electronically to all relevant operating units in a timely manner, to assure compliance with policy objectives and to establish the accountability of operating units and individuals affected by each policy.

2.1.     Definitions
Impact Statement: a statement within the policy that describes the impact and potential risk (if known) to the School if a particular policy is not developed and implemented.

Policy Statement: the section that summarizes what is expected and may state major conditions or restrictions. This is generally written at a high level and does not contain procedures or standards. The overall goal of a policy statement is that it should stand the test of time and technology.

Purpose: a statement within the policy document that explains the rationale behind the need for such a policy.

Responsible Office: the office that, operating under the direction of the CIO, will develop and administer a particular policy and any associated procedures and will be accountable for the accuracy of its subject matter, its issuance, and timely updating.

Scope: a statement within the policy document that identifies who should follow the policy.

2.2.     Formulation and Issuance of IT Policies
The IUSM Information Services and Technology Management unit will formally approve, promulgate in a consistent format, and centrally maintain all official school-wide IT policies. People responsible for writing, updating, and distributing these policies must comply with the conditions and procedures that are outlined in this document. This document defines a School IT policy, explains the standardized policy format, and outlines the steps for formulating, approving, issuing, and amending policies and procedures.

2.3.     Criteria for Establishing IT Policy
An Indiana University School of Medicine IT policy is defined by all of the following criteria:

2.3.1.      It has broad application throughout the school.

2.3.2.      It helps ensure compliance with applicable laws and regulations, promotes operational efficiencies, enhances the School's mission, or reduces institutional risks.

2.3.3.      It mandates actions or constraints, references specific procedures for compliance, and articulates desired outcomes.

2.3.4.      The subject matter requires the IUSM Dean and/or executive officer review and approval for policy issuance and major changes.

2.3.5.      Many other department-level policies and procedures do not meet all of the above criteria.  They are not considered School-level policies and are not governed by this document.  However, these local policies and procedures should be clearly written and well communicated, and it is recommended they follow the same format described in this document.

2.4.     Formulating and Approving an IT Policy
The need for new IUSM IT policies and procedures may arise anywhere, but every policy must fall within the jurisdiction of the CIO.  The CIO takes charge of beginning the formulation process. The CIO will designate a responsible office, which is listed in the header of the written policy document.  The responsible office will generally be the office that develops and administers the policy and procedures, and will be accountable for the accurate formulation, issuance, and timely updating of the document.

Under the direction of the CIO, an individual within the responsible office who wishes to propose a new policy must:

2.4.1.      Formulate the draft document using the standard format that includes the following sections:  Purpose, Scope, Policy Statement, and an Impact Statement.

2.4.2.      Submit these documents to the CIO who will then submit them to the appropriate body for review and preliminary approval. See attached Policy Approval Process.

2.4.3.      Follow the IUSM policy review process to obtain review and approval of the policy once drafted.

2.5.     Standard Format for IT Policies
To ensure consistency, a standard format for policies is recommended based on Indiana University's policy format. Use of the standard format facilitates the adoption of clear, concise policies and procedures at all levels of the organization. A copy of the standard format will be provided on the School of Medicine ISTM web site.

2.6.     Interim IT Policies
The CIO is empowered to issue interim IT policies in situations where a School policy must be established in a time period too short to permit the completion of the process delineated in this policy. Each interim policy will include only a Policy Statement and the identity of the Responsible Office. This interim policy will remain in force for up to six months from the date of issuance and will be automatically superseded by the official policy document once the document has been vetted through the formal review and approval process. All interim policies will adhere to the standardized policy format described above.

2.7.     Issuing an IT Policy
Policies approved for the School of Medicine will be issued by the Office of the Dean.  All official IT policies will have the IUSM seal affixed on the top right portion of the policy document.  The policy will be made available on the appropriate web site and a brief summary of the policy, including the link to that policy, will be communicated to all School of Medicine personnel.  Additionally, the IUSM Compliance Office will make the policy available to all IUSM practice plans.  Each department will be responsible for introducing the policy to their respective department personnel.

2.8.     Amending an IT Policy
From time to time policies and procedures need to be amended or updated. The responsible office is charged with keeping a policy up to date. Policies should be reviewed and the need for amendment assessed. A detailed review should occur at least once every five years. When changes are necessary to a School policy, the responsible office must utilize the process identified in the section above on formulating and approving a policy.

Version: 1 Oct 03