The procedures described in this section support the Registration and Protection of Systems Policy. Work instructions for these procedures will be documented and maintained by Certified IT Groups. Note that additional procedures and guidance for Servers, Medical Devices, or other specialized equipment may be required.
Please see the main CUIMC Information Security Procedures page for an overview, effective date and definitions.
A. System Operation
All Systems, and their underlying components (such as Servers), that process, transmit and/or store EPHI must be explicitly managed by a Certified IT Group. To be explicitly managed, the System must meet the following criteria, in addition to the criteria referenced in the Registration and Protection of Systems Policy:
- The System has been scheduled for regular vulnerability scanning by the CUIMC Information Security Office.
- The System has been scheduled for daily DLP scanning by the CUIMC Information Security Office.
- The System is provisioned to use a local IP address (10.x.x.x).
- Public IP addresses are permissible only by explicit authorization by the CUIMC Information Security Office through a Request for Public IP Address form.
- The underlying Server, if possible, will be joined to an Active Directory domain managed by the Certified IT Group.
- For Servers that cannot be managed by an Active Directory domain, the Certified IT Group will ensure that the Server has met the minimum configuration standards.
- Any environmental or operational changes made to the System, or its underlying components, will be first authorized through the Change Management Process.
- A set of standards will be developed and maintained by the Certified IT Group to ensure a consistent configuration and management methodology that aligns with Columbia University IT Policies.
- Reference should be made to the UNIX and Web servers “Standard Operating Environment and Security Best Practices” documents maintained by CUIT.
B. System Registration Procedures
All Systems within CUIMC must be registered with the CUIMC Information Security Office in accordance with the following procedure:
- Once it has been determined that the System will be acquired, the System Owner or IT Custodian will access RSAM (https://rsam.cumc.columbia.edu) and fill out the System Registration object.
- Work instructions for this procedure will be documented by the CUIMC Information Security Office and can be found on the RSAM System Registration Walkthrough website.
- The business purpose and functions of the System must be clearly identified. This will include the following attributes:
  - The number of users of the System;
  - The number of records the System holds; and
  - The date the System went, or will go, into production.
- Other demographic information must be captured, including:
  - System Owner;
  - IT Custodian(s);
  - Other stakeholders;
  - Classification of Data stored or processed by the System (Sensitive, Confidential, Internal or Public);
  - Location of the Servers’ Data Center;
  - The types of services the System provides (such as Application, Database, Email, etc.);
  - Flow of Data (especially Sensitive Data) into and out of the System;
  - Types, amounts and identifiable characteristics of Data processed, transmitted and/or stored;
  - Users of the System;
  - Exposure of the System to the Internet; and
  - Maximum permissible downtime.
- All Servers supporting the System must be inventoried and documented. This information should be entered into RSAM with the following attributes:
  - IP Address;
  - Operating System; and
  - Server’s purpose.
C. System Risk Analysis
Systems that have been registered with the CUIMC Information Security Office will be evaluated based on the risk they introduce into CUIMC. This is done through a number of steps and via the following general procedures:
- Newly registered Systems will undergo an initial “inherent risk” evaluation by the CUIMC Information Security Office to determine the criticality of the System and the amount of risk it introduces into CUIMC. This evaluation will take into account:
  - The classification of Data stored or processed on the System;
  - The number of uniquely identifiable records stored on the System;
  - The number of Users of the System; and
  - The exposure of the System to the Internet.
- A Controls Based Assessment (CSA) will be provided to the System Owner, which will contain a list of controls based on the nature of the System. The System Owner is responsible for evaluating the configuration of the System against the CSA and providing the results to the CUIMC Information Security Office.
- The CUIMC Information Security Office will review the results of the CSA and identify any gaps that might exist. Gaps that have been identified will be classified as vulnerabilities.
- The CUIMC Information Security Office will conduct a technical vulnerability scan against all Servers comprising the System. The results of the vulnerability scan will be added to the list of identified vulnerabilities.
- The CUIMC Information Security Office will evaluate the threats associated with any technical vulnerabilities and/or any vulnerabilities discovered during the CSA analysis. This threat-to-vulnerability mapping will result in an evaluation and rating of the gaps with a risk score.
- All risks are described by three descriptive components, namely:
  - Issue – the reason why the identified gap is a problem
  - Risk – a statement about the risk the gap introduces to the organization and its impacts
  - Solution – a recommended resolution to remove or mitigate the risk
- An overall risk score for the System will be recorded based on the highest level of any individual component risk. For example, if a System is deemed to contain 5 risks, comprising 4 low risks and 1 high risk, then the overall risk of the System will be “High”.
- A final report will be compiled by the CUIMC Information Security Office, comprising an executive summary, detailed risk findings and technical vulnerability results, and submitted to the Executive Manager of the department or business unit. If the System contains no risks it will be given a score of “Pass” and will be immediately granted “Certified” status.
D. System Remediation
Any System that is found to have risks must undergo a formal Corrective Action Plan and the development of a Plan of Action and Milestones. The following procedures will be followed:
- The System Owner, upon receiving the risk analysis report, will evaluate the risks discovered.
- Within 30 days, the System Owner will respond to the risks identified and either (a) agree with the findings and submit the Corrective Action Plan for remediation of each individual risk, or (b) contest the risk finding.
- Should the System Owner contest the risk, the System Owner and the CUIMC Information Security Office will review it. If the CUIMC Information Security Office agrees with the contestation, the risk will be removed. If it does not agree, then mediation will take place. Mediation will ensure that both parties come to agreement. If necessary, the risk discussion will be escalated to Executive Management for final mediation.
- If the System is given a Critical or High risk score, an emergency risk plan will be developed by the System Owner to execute remediation of the Critical or High risks within 7 days of report issuance. The focus of the plan is to remediate the urgent risks in a timely manner so they are not exploited.
- After the remediation plan has been submitted to the CUIMC Information Security Office and approved by Security Managers, the System Owner will have 90 days to execute the plan.
- While the System is under remediation, System Owners will regularly report to the Security Managers the status of the remediation. In addition, Security Managers will periodically check the status of the remediation with the System Owner.
E. System Certification
Upon attestation from the System Owner that all risks have been mitigated, the CUIMC Information Security Office will initiate a final check to provide the appropriate level of assurance that the risks have been properly mitigated. The following procedure will be followed:
- Security Managers will review the System’s risks and the remediation plan.
- Security Managers will evaluate the controls implemented by the System Owner and test that the controls appropriately mitigate the risk. System Owners will be required to provide evidence of all controls implemented to mitigate the risks.
- If the controls are deemed adequate and all risks have been mitigated to an acceptable level of tolerance, Security Managers will issue a Certification Report to the System Owner and his/her Executive Managers.
- The System will be updated in the RSAM list of CUIMC Certified Systems.
- The System will be scheduled for re-certification at a later date, based upon the inherent risk of the System. The higher the inherent risk of the System the more frequent the risk analysis will be conducted.
F. New System Governance Process
All new Systems that will process, transmit and/or store EPHI must first be approved for use through an IT Steering Committee governance process. System Owners will submit their requests to the IT Steering Committee, which in turn will confirm that the System is filling a particular business need (clinical, research or administrative) and that the proper party to develop, implement and maintain the System has been identified. The process is as follows:
- The System Owner, IT Custodian or User will submit a Request for Approval to Implement New System email to the CUIMC CIO. The email will contain, at a minimum, the following information:
  - Business need the System will fulfill;
  - Evaluation of skills and capabilities needed to run the System;
  - Priority of the request; and
  - Constituents and Users who will use and/or be impacted by the System.
- The email will be forwarded to the IT Steering Committee for review.
- The IT Steering Committee will evaluate the request, using the following criteria:
  - If the request has a legitimate business need that is not currently available from an existing System;
  - If the proposed System Owner’s Certified IT Group has the appropriate skills and capabilities to implement, manage and monitor the System; and
  - If the business need is required by more than the individual department or business unit, whether the System should be hosted locally within the Certified IT Group or centrally by CUIMC IT.
After all evaluations have been conducted, the IT Steering Committee will provide a final approval or rejection.
G. Data Backup
For all Systems containing EPHI, the System Owner must comply with Section III(C) of the Business Continuity and Disaster Recovery Policy relating to Data Backup Plans. For such Systems, the Data Backup Plan should address whether a backup of EPHI is needed before any movements of the System (e.g., to a new location).