NCSA wiki will be offline Friday, Apr 19, 2024, from 1700 hours until Sun, Apr 21, 2024 in order to upgrade Confluence.
...
| Panel |
|---|
Document Name: NCSA Information Security Policy |
| Table of Contents | ||
|---|---|---|
|
...
NCSA accounts may or may not be deactivated, depending on the role the person maintains with the Center. However, if they are departing staff, they must be removed from all staff groups in NCSA authorization systems and staff email lists. They will also be removed from any other NCSA email lists unless the list owner actively approves of their continued membership.
Advanced Computational Health Enclave
The Advanced Computational Health Enclave (ACHE) is a special environment with restricted physical and electronic access at NCSA. All electronic Protected Health Information (ePHI) processed or stored at NCSA is done within this environment.
All NCSA workforce members who need access to this environment or who may come in contact with ePHI during day-to-day operations or an emergency are designated as a part of the NCSA Health Care Component (NHCC) of the University of Illinois Covered Entity.
Security Controls
NCSA prescribes security controls consummate with the risk level of the information systems. Current controls are in place to prevent, detect, contain, respond to, and/or otherwise recover from security incidents. These controls are found in the following security policy documents:
- NCSA HIPAA Access Control Standard
- NCSA HIPAA Facility Security Procedures
- Identity and Access Management Policy
- ACHE Vulnerability and Patch Management Standard
- NCSA Incident Response Policy
- NCSA Information Security Policy (this document)
- NCSA Network Security Policy
- NCSA Security Monitoring Policy
Systems or users may not bypass security controls either unintentionally or otherwise. The NCSA Security Office reserves the right to prevent such bypassing of security controls. Intentional bypassing of security controls may be treated as a violation of NCSA security policies.
Advanced Computational Health Enclave
The Advanced Computational Health Enclave (ACHE) is a special environment with restricted physical and electronic access at NCSA. All electronic Protected Health Information (ePHI) processed or stored at NCSA is done within this environment.
All NCSA workforce members who need access to this environment or who may come in contact with ePHI during day-to-day operations or an emergency are designated as a part of the NCSA Health Care Component (NHCC) of the University of Illinois Covered Entity.
All workforce members in the All workforce members in the covered entity must take the official UofI HIPAA training annually. If they use laptops to access these systems, the devices must utilize full disk encryption. All laptops and workstations they use for this work must also employ password protected screen savers that automatically lock after a period of inactivity.
...
The Security Office will verify compliance to the ACHE policy through various methods, including but not limited to, periodic physical inspection, video monitoring, security and business tool reports, internal and external audits.
Violations
The NCSA Security Office has the right and responsibility to take systems offline that are compromised (e.g. either attacking or causing harm to others). It also has the right and responsibility to take the systems offline of those persons violating NCSA security policies. In the event that systems are to be removed from the network in the case of security and business tool reports, internal and external audits.
Violations
The NCSA Security Office has the right and responsibility to take systems offline that are either attacking or causing harm to others. It also has the right and responsibility to take the systems offline of those persons violating NCSA security policiespolicy violations a ticket shall be created to track the incident. The CISO shall make the final decision and document this in the ticket, noting the impact on risk and thereby justifying the decision to remove the system. If the CISO is unable to be contacted and cannot make a decision in a timely manner, the ICI director will make the decision and document it in the ticket. While due effort is made to notify system owners before taking a host offline, this is not always possible in an emergency.
Depending upon the severity, type and recurrence of a violation, the Security Office may report the issue to supervisors, HR, senior management or even law enforcement. Violations of the NCSA or University's policies involving electronic Protected Health Information (ePHI) will be reported to the UofI HIPAA Privacy and Security Officer, and violators will be subject to disciplinary action as described by the University's policies.
...
Questions regarding this policy or its implications can be sent to the Security Office (security@ncsasecurity@ncsa.illinois.edu) or the NCSA Help Desk (help@ncsahelp@ncsa.illinois.edu).
References
University Security Policies & Standards
...