Vanderbilt Higher Standards for IT Pros

Upload: matthew-hall

Post on 25-May-2015

Vanderbilt’s Acceptable Use Policy – Higher Standards for IT Professionals

Vanderbilt IT personnel are granted elevated or privileged access to Vanderbilt University’s information and information systems. This privileged access places the Vanderbilt IT professional in a higher level of trust. To maintain this level of trust, Vanderbilt IT professionals must develop, maintain, and continually enhance their skills and abilities on behalf of those they serve. IT professionals employed by Vanderbilt University must strive to be trusted and highly skilled custodians through:

A. Preserving confidentiality
- Does not access regulated and/or confidential information* outside what is required as part of their work.
- Does not share regulated and/or confidential information* they access or view while doing their work.
- Does not share any detail at all about what they see in the context of doing their work.
- Complete annual reviews of Acceptable Use Policy and confidentiality policies.

B. Protecting data and information integrity
- Keeps computers locked when they’re not using them to prevent others from using them.
- Protects/secures the passwords they use to access this information.
- Does not circumvent any Vanderbilt security measures.
- Does not install or place anything on computers or the Vanderbilt network that isn’t supposed to be there – sniffers, keystroke loggers, other devices unless required to do so for work.

C. Establishing and maintaining availability of information systems
- Stays trained on current technologies relative to their work.
- Responds to service outages in a timely fashion depending on the service level required for systems they manage.
- Monitor usage and availability of systems they manage.

D. Educating those around them about IT and social risks related to information systems
- Does not “cyber slack” – cyber slacking sets a bad example for others and there are security risks with going to some outside services. (e.g., don’t watch movies, the Final Four, YouTube, or go to Facebook, etc. unless required to do so for work.)
- Stays current on IT and social risks through reading and training, and disseminates that information to their department members on a bi-annual basis.

E. Enhancing and maintaining technical skills
- Stay trained on current technologies relative to their work.
- Recommend 40 hours of work and technology related training each year.
- Gain and maintain certifications for the systems and servers they manage.

F. Demonstrating an understanding of the areas they serve
- Exhibit an extemporaneous understanding of the desktop and server environments for which they are responsible.
- Understand and document the applications their department and colleagues use on a regular basis.
- Understand and document technology processes in their department.
- They understand the data types and data classifications of the information processed in their department, and the risks associated with that data.

Vanderbilt University Page 1 of 5 v.1.1 4/12/2023 cmf

Violation Levels

Information Technology Services

Level 1: Negligent Act (Carelessness)
A. This level of violation occurs when a workforce member unintentionally or carelessly does something that leaves regulated and/or confidential information* susceptible to being overheard, accessed, or revealed to unauthorized individuals.
B. Examples of Level 1 violations include:
   a. Emailing a file that includes regulated and/or confidential information* to the wrong person;
   b. Faxing regulated and/or confidential information* to an incorrect fax number in error;
   c. Gossiping about a student, faculty or staff member’s private information based upon hearsay information without the student, faculty or staff member’s authorization, when such gossip results in a complaint by that faculty or staff member or their representative to an appropriate Vanderbilt authority.
   d. Leaving a computer unlocked when it has access to systems with regulated and/or confidential information*.

Level 2: Negligent Act (Not Following Procedure)
A. This level of violation occurs when a workforce member takes an action that fails to comply with a privacy or information security procedure or policy, resulting in potential or actual breach of information privacy or security.
B. Examples of Level 2 violations include:
   a. Releasing information to another individual about a user(s) without proper authorization, identification or verification;
   b. Releasing information about a user who is designated as “No Information status” to anyone not directly involved in the support of a user or otherwise required to have access to the information to do their job at Vanderbilt;
   c. Gossiping or sharing information about a Vanderbilt user’s confidential information with someone who is otherwise not authorized to have access to that information;
   d. Failure to follow defined policies or procedures that results in unintentional disclosure or incidental disclosure of highly sensitive data causing distress or harm to a person or the institution;
   e. Failure to account for disclosures as required by law and policy within Vanderbilt.
   f. Sharing ID/password with another person or using another person’s ID/password that allows access to that individual’s computer or personal information, not to restricted system/s and confidential information of others.
   g. Leaving medical records, or a copy of regulated and/or confidential information*, or other federal or state regulated data, or other confidential information out in the open and unattended;
   h. Repeated incidents of Level 1 violations.

Level 3: Deliberate Act (Curiosity or Concern)
A. This level of violation occurs when a workforce member deliberately accesses, reviews, or discusses confidential information or systems, without documented authorization to do so.
B. Examples of Level 3 violations include:
   a. Accessing another person’s confidential information:
      i. Accessing and reviewing the record of a user out of concern or curiosity without authorization;
      ii. Gossiping or sharing regulated and/or confidential information* or other federal or state regulated data obtained through your role at Vanderbilt with someone otherwise not authorized to have access to that information, without appropriate authorization to disclose that information;
      iii. Looking up birthdates, addresses, or other demographic or appointment information without authorization to do so.
   b. Security of Information Systems:
      i. Sharing ID/password with another person or using another person’s ID/password that allows access to restricted system/s and regulated and/or confidential information* of others. (e.g., Tier 2 information as defined in OP 10-40.33);
      ii. Accessing or connecting to Vanderbilt information systems (e.g., computers, servers, routers, switches) without authorization;
      iii. Circumventing Vanderbilt security measures without documented authorization;
      iv. Giving an individual access to your electronic signature;
      v. Attempting to gain unauthorized or inappropriate access to any system or data.
   c. Repeated incidents of Level 1 or Level 2 violations.

Level 4: Blatant Disregard for Confidentiality (Personal Use or Malicious Intent)
A. This level of violation occurs when a workforce member accesses, reviews, or discloses confidential information or fails to comply with information security safeguards that result in loss of availability, integrity, and confidentiality of systems or data for personal gain or with malicious intent.
B. Examples of Level 4 violations include:
   a. Accessing another person’s confidential information:
      i. Accessing or allowing access to regulated and/or confidential information* without having a legitimate reason and disclosure or abuse of the information for personal gain or malicious intent;
      ii. Accessing another person’s regulated and/or confidential information* to use for personal purposes or in a personal relationship;
      iii. Compiling a mailing list for personal use or to be sold.
   b. Security of Information Systems:
      i. Tampering with or unauthorized destruction of information;
      ii. Deliberate acts that adversely affect the integrity, availability, and/or confidentiality of Vanderbilt information systems (e.g., introduction of a virus to the Vanderbilt network);

   c. Unauthorized or inappropriate access to any system or data for personal gain or with malicious intent.

Discipline Levels

Level 1 or Level 2 Violations:
A. The administrator or chairman, or their designees responsible for implementing disciplinary/corrective action have enforcement discretion, taking into consideration the findings of the investigation and the specific facts and circumstances of the situation.

B. Gross negligence resulting in disclosure of that information to someone else not otherwise authorized to access that information, whether it is to a Vanderbilt employee or someone outside of Vanderbilt, results in the highest level of disciplinary action, up to and including termination of employment.

C. The administrator or chairman, or their designees consult with Human Resources/Employee Relations in determining the action to be taken.

D. Most incidents result in progressive action steps beginning with re-education, work-flow analysis, and process improvement. Repeated violations may result in escalation of disciplinary steps, up to and including termination of employment.

Level 3 or Level 4 Violations:
A. The nature of some violations is serious enough to warrant specific disciplinary action as opposed to implementing progressive action steps.

B. Deliberate, unauthorized access to an individual’s regulated and/or confidential information* results in Final Performance Improvement Counseling (PIC) for staff; and a minimum of a written warning for faculty, students and staff.

C. Deliberate, unauthorized access to a user’s record and disclosure of that information to someone else not otherwise authorized to access that information, whether it is to a Vanderbilt employee or someone outside of Vanderbilt, results in the highest level of disciplinary action, up to and including termination of employment.

D. Gaining unauthorized access to any system and compromising the integrity, availability, or confidentiality of the system or any data results in the highest level of disciplinary action, up to and including termination of employment.

* Regulated and/or confidential information includes:
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Payment Card Industry (PCI) information
- Family Educational Rights and Privacy Act (FERPA) information
- Federal Information Security Management Act (FISMA) information
- Gramm-Leach-Bliley Act (GLB) information
- Other information Vanderbilt deems confidential