Access to departmental computing systems must be authorized by the department head or designee. Access to University computing systems containing or transmitting sensitive and protected information must be authorized by the department head and approved by the University designated data custodian. To ensure confidentiality, special care should be taken when authorizing system access to vendors and/or contractors, including those repairing and/or maintaining computers and computing devices. When possible, it is advisable to have vendors and/or contractors sign a confidentiality agreement. Computer access control also includes physical security for UNM equipment and information, such as: locks on doors/windows for equipment and storage, locking paper files, and paper shredders. The department head or designee ensures proper management of computer accounts and user identification by:
- handling system user authentication securely (e.g. passwords, PIN numbers, access codes);
- terminating an account in a timely manner when an individual's affiliation with the University is terminated or completed;
- providing guidelines for computer account locking, unlocking and appeal (e.g. IT's procedures are at IT: Account Locking and Unlocking Policy); and
- following established policies and procedures and legal due process when violations are detected or suspected.
3. Network Access
IT provides guidelines, standards, and minimum requirements for attaching to and detaching from UNM network resources and for accessing University computing systems remotely at http://it.unm.edu/network/policy.html.
4. Access to Computer Systems Containing Sensitive and Protected Information
An individual who requires access to sensitive and protected information (i.e. ERP suite of tools, PowerPark, etc.) must comply with UAP 2000 ("Responsibility and Accountability for University Information and Transactions") and must be authorized by the data custodian responsible for the specific application. All contractors and vendors who have access to sensitive or protected information are required to sign confidentiality agreements prior to gaining such access. The data custodian is an individual officially appointed to authorize access to the system and ensure application-specific security. Authorization will only be granted to those individuals with a demonstrated need to use such information and/or electronic processes and who have taken the required training applicable to the system being requested. The data custodian will advise the individual on the system-specific process used to authorize and gain access to the requested system. The data custodian or designee must review and approve each request for access to a specific system, ensure that all required training has been taken prior to granting access, and authorize access based on the user’s business need and role in accordance with application-specific access procedures. Contact IT for a list of data custodians.
4.1. Remote Access
For the purposes of this Policy, “remote access” is defined as any means by which any faculty, staff, student employee, consultant, vendor or affiliate connects to the UNM Network using a non-UNM network device or service to access sensitive or protected information. This provision applies regardless of the type of device being used or if the device is University owned or personally owned. IT, department heads, designees and users share the responsibility for ensuring appropriate security mechanisms are in place to preserve the integrity of the network, to preserve the data transmitted over that network, and to maintain the level of confidentiality of the data at all times. Because of the increased level of risk inherent with remote access, strong security measures are required. When a user accesses sensitive or protected information remotely, identification and authentication of the user shall be performed in such a manner as to not disclose the password or other authentication information that could be intercepted and used by a third party.
4.1.1. Approval for Remote Access
Users will be allowed access to sensitive or protected information from a remote location only upon approval by the data custodian. Once approved, the user is responsible for ensuring adequate security measures are in place at the remote location for secure transmission of agency data and protection of University computing resources. Computing devices used for remote access must conform to minimum security controls listed in Section 6 of Rules of Use: Campus Data Communication Network. IT can assist the user in identifying the appropriate protection mechanisms necessary to protect against theft of University resources, unauthorized disclosure of information, and unauthorized access to the University network. The user is responsible for ensuring devices used for remote access are protected by a firewall and virus scans, and contain all up-to-date security patches.
UNM recommends that users leave data on UNM servers as much as possible and not copy sensitive data, as described in Section 4.1.2. herein, onto any mobile computing device. Storage of sensitive data and protected information on a non-UNM computer is prohibited unless a formal written exemption is granted by the data custodian. When stored remotely on a UNM computing device, the data must be encrypted.
4.1.2. Sensitive Data
Users should be especially careful with the following types of data:
- confidential financial information
- account names and passwords
- social security and/or credit card numbers
- personal contact names and phone numbers
- decryption keys or pass-phrases
5. System Protection
Department heads are responsible for protecting the systems under their control from system intrusion, compromise, or data loss.
5.1. Virus Protection
Virus detection and elimination software is essential to protect University data and systems. Department heads or designees are responsible for maintaining the latest version of antiviral software and current updates on their computers. Systems must have active virus protection turned on with each system scanned regularly. Assistance with virus protection and software is available from IT at IT: Virus Protection.
5.2. Privacy and Confidentiality
Department heads or designees must take appropriate measures to ensure privacy and confidentiality of system data in accordance with applicable laws and policies such as:
- UAP 2030 ("Social Security Numbers")
- UAP 2040 ("Identity Theft Protection Program")
- UAP 2550 ("Information Security")
- UNM Student Records Policy
- Family Educational Rights and Privacy Act of 1974
- Department of Health and Human Services (Health Information Privacy)
- New Mexico Inspection of Public Records Act
5.3. System Integrity
Department heads or designees may monitor and investigate systems or jobs under their control for appropriate use of resources, to protect or improve system performance, or in compliance with audit or legal requests. Jobs, procedures, and/or functions may be restricted or limited to ensure system integrity. Departments must maintain current versions of system software and security patches, especially when there are known security issues.
5.4. Data Loss Protection
For all computing systems that store or process sensitive or protected information, department heads or designees are responsible for developing, maintaining and executing backup, off-site storage and disaster recovery procedures for computerized University information.
5.5. Records Management
Department heads or designees are responsible for computerized data retention and backup procedures that comply with University Records Management requirements for classification and retention of University information.
6. Security Violation Handling
Department heads or designees should detect and correct any non-compliance with this and other University computer policies. In addition to following any College or department-mandated security incident reporting process, any and all employees, faculty, or staff who reasonably believe:
- there has been a breach to any University computer application or system,
- there has been a breach to UNM’s computer security controls (i.e. a computer has been hacked or somehow has been compromised by an unauthorized person), or
- there has been a violation of this Policy
are required to report the incident, within twenty-four (24) hours of becoming aware of the violation or breach, to the UNM Chief Information Officer (CIO) or the UNM IT Security Office. If the CIO or the UNM IT Security Office receives a security incident report that involves a healthcare-related entity or may involve protected health information, they must notify the UNM Privacy Office and the HSC IT Security Office as soon as reasonably possible.
All investigations should follow proper investigative procedures to ensure confidentiality and due process. Any employee who detects or suspects non-compliance should report such conduct to the department head. Misconduct should be reported in accordance with UAP 2200 ("Whistleblower Protection and Reporting Suspected Misconduct and Retaliation").
7. User Responsibility and Accountability
Users are responsible for proper use and protection of University information and are prohibited from sharing information with unauthorized individuals. The web-based information systems allow an authorized user the ability to complete transactions directly on-line and forward the forms to the appropriate administrators for approval. By completing a form on-line, the user accepts responsibility to follow all applicable policies and procedures.
Employees who do not demonstrate due care in the administration of their duties as required by this Policy may be subject to sanctions, including withdrawal of privilege to enter information directly into the system and/or disciplinary action, up to and including discharge.