Management Overview for Security Manager Role 11.11.2013

Management Overview of Security Manager Role
Karen Hughart, MSN, RN-BC, Dir. Systems Support Services
What is changing and Why?
WHAT?
• Security Management responsibilities are being decentralized to the unit level.
• Each unit will need a primary and a back-up Security Administrator identified and trained before Thanksgiving, 2013.
WHY?
• The current system is no longer HIPAA compliant. Compliance requires that systems access be limited to just the functionality required to perform job responsibilities.
• A role or job change requires a systems access review and correction.
• The person with hiring/firing responsibility is accountable for ensuring appropriate systems access.
Security Manager Role and Responsibilities
Maintain an understanding of Vanderbilt standards and policies regarding
information security, confidentiality, and privacy and communicate these to
individuals within my department.
Assist the organization in identifying, classifying, and securing confidential and
restricted information.
Orient and train the faculty, staff, and trainees within my department on security
awareness in general and security procedures that should be followed in direct
relation to their job duties.
Monitor compliance with information security policies and procedures, referring
ongoing problems to the Information Privacy and Security Office.
Monitor the process of granting system access to users within my department
to ensure that appropriate information access levels and security clearances
are maintained when transfers, changes in job functions, and terminations
occur. This includes:
■ Creating and maintaining a current process map for all employee types
regarding the process for notification of changes to employee status.
■ Creating and maintaining a list of active PAF responsible persons within
the area served.
■ Creating and maintaining a list of departmental systems
operators/owners that need to be notified when an employee status
changes. Refer to policy IM 10-30.19 Authorization and Access to
Electronic Systems and Applications Section IV: Specific Information,
Item D: Modification of Access.
■ Maintaining the flow of information to and from department systems
operators/owners that need notification of changes to employee status.
Identify potential exposures and risks to the confidentiality, integrity, and
availability of information and make recommendations to my Department Head
or the Information Privacy and Security Office (when appropriate) to mitigate the
risks.
Alert the Information Privacy and Security Office to changes in the patient-care,
business, and computer systems environments in the organization that would
have an impact on the information security program.
Train another individual in the department to act as an ISM backup, in case of
emergency or absence.
Management Oversight of Security Manager Requires:
1. Support for training and developing proficiency in the new role.
2. Regular check-ins to ensure systems access is a priority consideration for any HR change.
3. Consultation (including CAPS or other resources when warranted) to address complex systems access issues.
4. Knowledge of, and visible support for, organizational policies and regulatory requirements for systems privacy and security.
5. Knowledge of the resources available when the Security Manager changes or requires additional training/support.
How do you know when there are competency issues?
• Staff report that they do NOT have appropriate systems access when they start work or change roles.
• You observe staff sharing IDs/passwords because one or more do not have the needed access.
• The Security Manager cannot respond to these questions:
1. "Who do you contact when there is an issue obtaining a VU Net ID?" [Should say "VSA" or "VU Net ID Team" and know the phone number and web URL]
2. "Who do you contact when there is an issue with obtaining a RACF ID or clinical systems access?" [Should say "SAM Team" or "Identity Management" and know the phone number and web URL]
3. "How do we get access to VandyWorks?" [Should say e-mail the VandyWorks e-mail address and the person on call will get in touch]
4. "Who grants access to Business Objects?" [Should say contact Maribeth Hagan and Systems Support Services]
• The Security Manager cannot state the correct sequence for the following onboarding steps:
1. Submit PAF to HR
2. Register new employee for New Employee Orientation
3. Obtain VU Net ID from VSA (automatically generated once the PAF is processed)
4. Request RACF ID and appropriate clinical/business systems access
5. Provide RACF ID letter to new employee
• The Security Manager does not enter systems access transfer information or request termination of systems access in a timely fashion for transfers and terminations.
Triggers for Re-evaluation of Systems Access:
New hire?
    Will need VU Net ID, RACF ID, access to StarPanel, HEO/Wiz, HED/AdminRx, and possibly Medipac, POU, Teletracking, etc. Refer to the grid for role-specific requirements for the unit.
Cross-train for added duties (e.g. CP cross-trained as MR)?
    Will need to compare CP functionality to MR functionality on the grid and request what's missing. Will need Medipac access to enter transfers, discharges, and departures.
Job change on same unit (e.g. CP to RN)?
    Will need to compare current functionality to the functionality needed for the new role and request what's missing. (E.g. an RN will need a "role change" in HEO to enable them to enter verbal orders for meds.)
Transfer in or out?
    Will need to compare current functionality to the functionality needed for the role on the new unit and request what's missing (or delete what is no longer needed). (E.g. POU access may need to be added or deleted.) Unit information will need to be updated to show the current home department.
Termination (voluntary or involuntary)?
    Systems access will need to be inactivated. In some cases with involuntary terminations, this needs to be done very quickly to prevent malicious activity. There is a monthly PeopleSoft feed that will eventually inactivate the VU Net ID, but this is delayed. Be cautious in situations where one job is ending but the staff member will continue to have a job elsewhere at VUMC, as their access may need to be transitioned to the new Security Manager rather than ended.
2nd job (e.g. CP who is a Nursing Student doing a clinical placement here)?
    This can get tricky and requires a case-by-case review and perhaps consultation with CAPS or another resource. In general, the individual will need access to perform in both roles AND will need guidance that they need to match what systems they use, and how they use them, to the role in which they are functioning at any given time. (E.g. a Nursing Student might document meds in AdminRx, but a CP would not.)
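Every row above is the same operation: compare what the person currently holds against what their active role(s) and unit require, request what is missing, and delete what is no longer needed. The Python below is an added example written for this page, not VUMC tooling or anything from the deck. The role grid, the unit-specific extras, and the people in the worked scenarios are constructed assumptions (the system names are the ones the slides mention, but which role needs which system is invented; the real answer is the unit's grid/spreadsheet). It treats a 2nd job as the union of two assignments and a termination as "no active assignments", which is what makes the "job ends but another VUMC job continues" caveat fall out naturally.

```python
"""Access reconciliation for the re-evaluation triggers above.

Added example, not VUMC's own tooling. ROLE_GRID, UNIT_EXTRAS and the
scenario inputs are constructed assumptions; the real mapping comes from
the unit's role grid. Requires Python 3.9+ (builtin generic annotations).
"""
from dataclasses import dataclass

# ASSUMED role grid: role -> systems every holder of that role needs.
ROLE_GRID: dict[str, set[str]] = {
    "CP": {"VU Net ID", "RACF ID", "StarPanel", "HED/AdminRx"},
    "MR": {"VU Net ID", "RACF ID", "StarPanel", "Medipac"},
    "RN": {"VU Net ID", "RACF ID", "StarPanel", "HEO/Wiz", "HED/AdminRx"},
    "Nursing Student": {"VU Net ID", "RACF ID", "StarPanel", "HED/AdminRx"},
}

# ASSUMED unit-specific extras (the slide notes POU depends on the unit).
UNIT_EXTRAS: dict[str, set[str]] = {"9W": {"POU"}, "9E": set()}

Assignment = tuple[str, str]  # (role, home unit)


def required_access(assignments: list[Assignment]) -> set[str]:
    """Everything a person needs across all active assignments (2nd job = union)."""
    needed: set[str] = set()
    for role, unit in assignments:
        needed |= ROLE_GRID[role] | UNIT_EXTRAS.get(unit, set())
    return needed


@dataclass(frozen=True)
class Change:
    add: frozenset[str]      # request via the SAM online form
    remove: frozenset[str]   # request deletion via the SAM online form
    urgent: bool = False     # involuntary termination: do not wait for the monthly feed


def reconcile(current: set[str], assignments: list[Assignment],
              involuntary_termination: bool = False) -> Change:
    """Diff what the person holds against what their active assignments need.

    Termination is simply an empty assignment list. If another VUMC job
    continues, pass it as the remaining assignment and only the surplus
    access is removed (the "transition rather than end" case on the slide).
    """
    needed = required_access(assignments)
    return Change(
        add=frozenset(needed - current),
        remove=frozenset(current - needed),
        urgent=involuntary_termination and not assignments,
    )


# Worked scenarios, one per table row. All inputs are constructed.
def new_hire_rn_9w() -> Change:
    return reconcile(set(), [("RN", "9W")])

def cross_train_cp_as_mr() -> Change:
    current = required_access([("CP", "9W")])
    return reconcile(current, [("CP", "9W"), ("MR", "9W")])

def job_change_cp_to_rn() -> Change:
    return reconcile(required_access([("CP", "9W")]), [("RN", "9W")])

def transfer_cp_9w_to_9e() -> Change:
    return reconcile(required_access([("CP", "9W")]), [("CP", "9E")])

def involuntary_termination_cp() -> Change:
    return reconcile(required_access([("CP", "9W")]), [],
                     involuntary_termination=True)

def cp_job_ends_student_placement_continues() -> Change:
    current = required_access([("CP", "9W"), ("Nursing Student", "9E")])
    return reconcile(current, [("Nursing Student", "9E")])


if __name__ == "__main__":
    for fn in (new_hire_rn_9w, cross_train_cp_as_mr, job_change_cp_to_rn,
               transfer_cp_9w_to_9e, involuntary_termination_cp,
               cp_job_ends_student_placement_continues):
        c = fn()
        print(f"{fn.__name__}: add={sorted(c.add)} "
              f"remove={sorted(c.remove)} urgent={c.urgent}")
```

The point of keeping the grid data-driven is that the Security Manager never reasons about individual systems by hand: changing a person's assignment list and re-running the diff yields the SAM request, and the `urgent` flag surfaces the involuntary-termination case that must not wait for the delayed PeopleSoft feed.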
Helpful Links
• Systems Access Online Request Form (log in with your VUNET ID and Epassword): https://samprod.mc.vanderbilt.edu/sam/Access.aspx
• Website to print Security Letters and check the listing of active users (log in with your RACF ID and RACF ID password): https://10.109.11.191/login.php
Websites:
• Systems Access Management: http://www.mc.vanderbilt.edu/root/vumc.php?site=sam
• Help Desk: http://helpdesk.mc.vanderbilt.edu
• Information Technology: http://it.vanderbilt.edu/
• AccessVU: http://www.vanderbilt.edu/accessvu/
• ITS Product Page for SecurID Tokens: https://its.vanderbilt.edu/services/rsasecurid-tokens
• Eprocurement Ordering Process Tutorial: http://its.vanderbilt.edu/files/web_files/RSA_SecurID_eProcurement_tutorial.pdf
Frequently Asked Questions
Q -- What is a VSA Administrator and how do I become one?
A -- VuNet Services Administrators (VSAs) can assist users dealing with their VuNet IDs, resetting E-passwords, modifying personal options, and other facets of managing a VuNet account.
In order to become a VSA, you must: 1) Submit an application, which is found at:
http://its.vanderbilt.edu/files/documents/vsa_app.pdf
Q -- How do you appoint or remove a Security Manager?
A -- The Security Manager Appointment and Removal forms may be found at the following links:
Appointment: http://www.mc.vanderbilt.edu/root/vumc.php?site=sam
Removal: http://www.mc.vanderbilt.edu/root/vumc.php?site=sam
Training will be scheduled for new Security Managers/VSA Administrators once their applications have been received.
Next Steps
• Identify a Security Manager for your unit(s)
• Negotiate back-up coverage across units (e.g. the 9W Security Manager backs up 9E and vice versa)
• Ensure the Security Manager is scheduled to attend the training class
    9/12, 14, 20, 21 instructor-led classes available
    Sign up via LMS
• Visible support for the first 2-3 months in the new role
    Brief check-in every 1-2 weeks
    Monthly meetings to discuss barriers and agree on solutions
• Use resources as needed
Resources
1. Systems Support Services Web Site:
2. Help Desk: 3-HELP/3-4357 to access support from:
    • Identity Management
    • VSA support
    • Systems Support Services
Current State (process flow)
1. Hiring manager (or surrogate) completes the PAF and registers the new hire for New Employee Orientation (NEO).
2. The VU Net ID is created by a feed from PeopleSoft to VSA.
3. The SSS Security Administrator checks NEO registrations for staff who need systems access. If no RACF ID / systems access is needed, the process ends here.
4. If a VU Net ID is available, the SSS Security Administrator requests a RACF ID and access to applications based on role and unit. If not, the SSS Security Administrator checks with the hiring manager (or surrogate) to see if the PAF has been done.
5. The RACF ID letter is sent to the SSS Security Administrator and given to the new employee in the NEO Sign On class.
Later: if the employee lacks appropriate systems access, the manager notifies the SSS Security Administrator of the needed systems access, and the SSS Security Administrator requests access to applications based on the manager's request.
At present, units seldom notify SSS of role changes, transfers, terminations and other changes that impact systems access requirements, resulting in HIPAA violations.
Future State – Near Term (process flow)
1. Hiring manager (or surrogate) completes the PAF and registers the new hire for New Employee Orientation (NEO).
2. The VU Net ID is created by a feed from PeopleSoft to VSA.
3. Once the VU Net ID is available, the Security Manager requests a RACF ID and access to all applications needed by the new employee, based on the spreadsheet.
4. Identity Management sets up access in the applications they support and provides the RACF ID letter to the Security Manager.
5. If Medipac access is needed, the Security Manager assigns the appropriate M'Pac functions based on the spreadsheet.
Later: if the employee lacks appropriate systems access, the Security Manager requests the addition/deletion of systems access via the SAM online request form, and Identity Management makes the requested changes.