56.50 - Data Security (SE)

Return to policies website

Policy Statement
TTUHSC El Paso shall implement controls to ensure safeguards are in place to protect Personally Identifiable Information (PII) against loss, unauthorized access, or disclosure.

Reason for Policy
The purpose of the Data Security (SE) policy is to supplement the management, operational and technical security controls to ensure safeguards are in place to protect Personally Identifiable Information (PII) collected or maintained by TTUHSC El Paso against loss, unauthorized access, or disclosure.

Entities Affected by this Policy are any and all users of Information Resources at TTUHSC El Paso.

What is covered in this Policy?
The overall policy addresses the Institutional stance as it applies to Data Security, Inventory of Personally Identifiable Information, and Privacy Incident Response.

It is the stance of TTUHSC El Paso to ensure that there are safeguards in place aligned with NIST 800-53 and TAC 202 to ensure the protection, integrity, and confidentiality of information resources at TTUHSC El Paso.

Who Should Read this Policy?
All individuals accessing, storing, viewing any TTUHSC El Paso information resources.

What happens if I violate this policy?
Any person(s) violating TTUHSC El Paso Information Technology policies are subject to penalty under federal, state, and local legislation. Disciplinary actions are further outlined in HSCEP OP 56.50 Sanctions Policy.

 

SE-01: Inventory Of Personally Identifiable Information (PII)

TTUHSC El Paso establishes, maintains, and updates an inventory that contains a listing of all programs and systems identified as collecting, using, maintaining, or sharing Personally Identifiable Information (PII).

Data/process owners are required to take due care in updating data inventories by identifying linkable data that could create PII.

SE-02: Privacy Incident Response

TTUHSC El Paso:

  • Develops and implements a Privacy Incident Response Plan; and
  • Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

Where technically feasible, and a business reason exists, data/process owners are required to develop and implement a privacy-specific incident response redress process.

 

All other IT Policies can be found at https://ttuhscep.edu/it/policies/

 

  1. HSCEP 56.50 Sanctions Policy
  2. TAC §202.73, §202.74, §202.75

 

Revised May 2018