Summary:  This article describes the governance by which website and application security are defined, managed, and enforced.

Approving Authority:  Office of Information Technology

Last Updated: Dec. 5, 2018 

Purpose:  The purpose of this governance is to ensure standardized confidentiality, integrity, and availability of Baylor College of Medicine Information.  

Scope:  This governance applies to all information systems that are authorized to access, store, process, or transmit Baylor College of Medicine information. In particular, this governance applies to those who are responsible for classifying and protecting data.

Definitions

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

Availability

Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

Information System

Any electronic system that stores, processes, or transmits information.

Baylor College of Medicine Information

Any data that is owned or licensed by Baylor College of Medicine.

Responsibilities

Office of Technology – Security, Governance, Risk and Compliance

In accordance with policy 12.1.14, Data Security Procedures, the Baylor College of Medicine Office of Information Technology - Information Security and Compliance and Audit Services will implement data security procedures to preserve the physical security, integrity, and reliability of College information, consistent with implementation requirements of related access and security policies that are designed to protect the physical security of College information resources/assets. Information Security personnel, in collaboration with Compliance and Audit Services, will monitor procedural compliance.

These data security procedures must implement appropriate technical and administrative safeguards sufficient to protect Baylor College of Medicine Information that is stored electronically, prevent unauthorized access to Baylor College of Medicine Information Resources/Assets.

Identify Baylor College of Medicine facilities and associated work areas where College Network Access Layer infrastructure is installed, then implement and maintain virtual and physical access controls

Facilitate ongoing assessment of potential risks and vulnerabilities to Baylor College of Medicine information resources/assets

Assess and minimize the risks of utility failures and protect operational reliability of utility systems

Users

Authorized Users must report any evidence of an alleged violation of these procedures to the Baylor College of Medicine Integrity Hotline or call at (855) 764-7292.

Procedural violations will result in a formal investigation by the Baylor College of Medicine Information Security Officer.

Guidelines

Technical Security

Web and mobile applications (applications) must be assessed by Office of Compliance and Audit Services and/or Office of Information Technology Security Governance Risk and Compliance for cyber security risk before being placed into production for the first time, or upon major modification to application components or source code.

Applications that process, transmit or store “sensitive” information must use College-approved cryptographic and access control methods to secure this information.

Web applications must use College-approved application delivery methods to ensure the confidentiality, integrity and/or availability of information assets.

Software and application components must be patched upon vulnerability disclosure, in accordance with patch management standards. Responsibility for maintaining awareness of potential vulnerability and patch management standards is the responsibility of the developer / owner of the specific website / application.

Data Security

Specific data security information may be found in the separate data security guidelines linked below.

Application Security

All applications must be assessed by Office of Compliance and Audit Services and/or Office of Information Technology Security Governance Risk and Compliance for risk before being placed in production.  Requests should be submitted via the IT Service Portal.  The evaluation includes review of application function, port, protocols, and services intended for organizational use.  

Applications will be categorized in terms of confidentiality, integrity and availability.

Applications and the servers they reside on must use supported software, firmware and OS versions.

If applications are internally developed, they must be tested and verified during the development process to identify and remediate web application vulnerabilities.

If applications are from a third-party, they must undergo a risk assessment during the product evaluation stage.

Web application traffic should be monitored and filtered for security threats.

Developers should identify functions, ports, protocols, and services intended for organizational use; develop a data flow diagram; and develop a system integration diagram.

Developers should follow a change control process for major changes.

Access Control should be commensurate with classification i.e. utilize two factor authentication. For cloud / acquired products, access controls must align with our password policies, use federated identity management (SSO), etc.

Data transmission should have a security level commensurate with classification.

Nonconformities

Deviation from this guidance will result in non-access to College data, websites or app stores.  Removal or correction of the application may be requested.

*Note: Policies cited in the Digital Governance document (approved by the Board and published in March 2019) supersede any previous agreement, policy and/or guideline.