Information Security

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Any electronic system that stores, processes, or transmits information.

Any data that is owned or licensed by Baylor College of Medicine.

In accordance with policy 12.1.14, Data Security Procedures, the Baylor College of Medicine Office of Information Technology - Information Security and Compliance and Audit Services will implement data security procedures to preserve the physical security, integrity, and reliability of College information, consistent with implementation requirements of related access and security policies that are designed to protect the physical security of College information resources/assets. Information Security personnel, in collaboration with Compliance and Audit Services, will monitor procedural compliance.

These data security procedures must implement appropriate technical and administrative safeguards sufficient to protect Baylor College of Medicine Information that is stored electronically, prevent unauthorized access to Baylor College of Medicine Information Resources/Assets.

Identify Baylor College of Medicine facilities and associated work areas where College Network Access Layer infrastructure is installed, then implement and maintain virtual and physical access controls

Facilitate ongoing assessment of potential risks and vulnerabilities to Baylor College of Medicine information resources/assets

Assess and minimize the risks of utility failures and protect operational reliability of utility systems

Web and mobile applications (applications) must be assessed by Office of Compliance and Audit Services and/or Office of Information Technology Security Governance Risk and Compliance for cyber security risk before being placed into production for the first time, or upon major modification to application components or source code.

Applications that process, transmit or store “sensitive” information must use College-approved cryptographic and access control methods to secure this information.

Web applications must use College-approved application delivery methods to ensure the confidentiality, integrity and/or availability of information assets.

Software and application components must be patched upon vulnerability disclosure, in accordance with patch management standards. Responsibility for maintaining awareness of potential vulnerability and patch management standards is the responsibility of the developer / owner of the specific website / application.

Specific data security information may be found in the separate data security guidelines linked below.

All applications must be assessed by Office of Compliance and Audit Services and/or Office of Information Technology Security Governance Risk and Compliance for risk before being placed in production. Requests should be submitted via the IT Service Portal. The evaluation includes review of application function, port, protocols, and services intended for organizational use.

Applications will be categorized in terms of confidentiality, integrity and availability.

Applications and the servers they reside on must use supported software, firmware and OS versions.

If applications are internally developed, they must be tested and verified during the development process to identify and remediate web application vulnerabilities.

If applications are from a third-party, they must undergo a risk assessment during the product evaluation stage.

Web application traffic should be monitored and filtered for security threats.

Developers should identify functions, ports, protocols, and services intended for organizational use; develop a data flow diagram; and develop a system integration diagram.

Developers should follow a change control process for major changes.

Access Control should be commensurate with classification i.e. utilize two factor authentication. For cloud / acquired products, access controls must align with our password policies, use federated identity management (SSO), etc.

Data transmission should have a security level commensurate with classification.