URP: I.19.a Information Personnel Security


STATEMENT OF PURPOSE
This document establishes the information personnel security regulations and procedures. The purpose of these regulations and procedures is to manage Texas Woman’s University’s (TWU) risks from inadequate and ineffective personnel screening, termination processes, and management of third-party access through the establishment of an effective security planning program.


DEFINITIONS
Third-party is a term that describes a person who is not paid through TWU’s payroll system or an organization that is not directly governed by TWU’s Board of Regents.


SCOPE
These regulations and procedures apply to all information resources owned or operated by TWU. All users are responsible for adhering to these regulations and procedures. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities is embedded within these procedures.


REGULATIONS AND PROCEDURES
The State of Texas has chosen to adopt the personnel security principles established in the NIST SP 800-53 “Personnel Security” control family guidelines. The following subsections outline the personnel security standards that constitute TWU’s regulations and procedures.

PS-1 Personnel Security:

Regulations:

▪ TWU information systems must develop, adopt, or adhere to formal, documented personnel security regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

Procedures:
▪ The Office of Technology (OOT) will maintain personnel security regulations and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

PS-2 Position Risk Designation:

Regulations:
▪ TWU must:
• Assign a risk designation to all positions; and
• Establish screening criteria for individuals filling those positions.

Procedures:

▪ The Office of Human Resources has designated all positions to be security sensitive; therefore, all applicants will be subject to a background check.

PS-3 Personnel Screening:

Regulations:
▪ TWU must screen individuals prior to authorizing access to information systems.


Procedures:
▪ The Office of Human Resources (HR) has designated all positions to be security sensitive and requires every individual to go through the same pre-screening and background check process that is further outlined in the Search and Selection guide.

▪ A minimum criminal background check (information already available in the public domain) will be completed on all final employment candidates (Staff and Faculty) by TWU HR employment personnel. Out-of-state background checks are required for all candidates who have lived in states other than Texas within the last 7 years. Out-of-state background checks may take longer to complete.

▪ TWU HR has developed a Notification and Authorization to Obtain (NAO) information liability release form (included in the application packet) for employment information gathered during the background and selection process for all applicants.


PS-4 Personnel Termination:

Regulations:
▪ Upon termination of individual employment, TWU must:
• Disable information system access;
• Terminate/revoke any information security account associated with the individual;
• Retrieve all security-related organizational information system-related property; and
• Retain access to organizational information and information systems formerly controlled by the terminated individual.


Procedures:
▪ Personnel Termination is managed in HR and supported by an automated information system account process managed by OOT. Account access is automatically disabled when employment is ended.
▪ Upon termination, employees must fill out the ‘Exit Packet’ and the employee’s supervisor will follow the ‘Management Checklist for Faculty/Staff Separation’ document referenced in the Exit Packet. This document serves as a checklist for removing user possession or access, including but not limited to: Keys, Access Cards, Computer Equipment, ID Cards, Access Codes, Long Distance Codes, and any passwords for additional systems/networks accessed by the employee.


PS-7 Third-Party Personnel Security:

Regulations:
▪ TWU must:
• Establish personnel security requirements including security roles and responsibilities for third-party providers;
• Require third-party providers to comply with personnel security regulations and procedures established by the university;
• Document personnel security requirements;
• Require third-party providers to notify TWU of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges; and
• Monitor provider compliance.


Procedures:
▪ Third parties, including contractors and third-party application providers (ASPs), are required to follow all information security policies, regulations, and procedures established by TWU when connected to any TWU information system.
▪ TWU requires that all ASPs disclose who among their personnel will have access to the environment hosting the application used by TWU.
▪ TWU requires that all ASPs disclose the background check procedures they use prior to being utilized by TWU as an ASP.
▪ All contractors being utilized by Texas Woman’s University must complete the Guest Access form prior to being granted user credentials for use on TWU information systems.

APPLICABILITY
TWU Students, Faculty, Staff, and Guests


COMPLIANCE
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; termination of access; legal action; termination for interns and volunteers; disciplinary review; suspension or expulsion (in the case of a student).

SPECIAL NOTES
Department of Information Resources Security Standards Catalog
http://publishingext.dir.texas.gov/portal/internal/resources/DocumentLibrary/Security%20Control%20Standards%20Catalog.pdf

Office of Human Resources Exit Packet
http://www.twu.edu/downloads/hr-home/Exit_Packet(2).pdf


Office of Human Resources Management Separation Checklist
http://www.twu.edu/downloads/hr-home/Management_Separation_Checklist.doc


Office of Technology Guest Access Form
https://twu.teamdynamix.com/TDClient/Shared/FileOpen?AttachmentID={995FCCD2-85AC-4E4D-A77B-EDB91C62923B}&ItemID=12081&ItemComponent=47

Owner:
Associate Provost for Technology

Details

Article ID: 39629
Created: Tue 9/26/17 12:25 PM
Modified: Tue 4/28/20 9:44 AM