Management Overview of Security Manager Role
Karen Hughart, MSN, RN-BC, Dir. Systems Support Services

What is changing and why?

WHAT?
• Security Management responsibilities are being decentralized to the unit level.
• Each unit will need a primary and back-up Security Administrator identified and trained before Thanksgiving, 2013.

WHY?
• The current system is no longer HIPAA compliant.
■ Compliance requires that systems access be limited to just the functionality required to perform job responsibilities.
■ A role or job change requires a systems access review and correction.
■ The person with hiring/firing responsibility is accountable for ensuring appropriate systems access.

Security Manager Role and Responsibilities
• Maintain an understanding of Vanderbilt standards and policies regarding information security, confidentiality, and privacy, and communicate these to individuals within my department.
• Assist the organization in identifying, classifying, and securing confidential and restricted information.
• Orient and train the faculty, staff, and trainees within my department on security awareness in general and on the security procedures that should be followed in direct relation to their job duties.
• Monitor compliance with information security policies and procedures, referring ongoing problems to the Information Privacy and Security Office.

Security Manager Role and Responsibilities (cont.)
• Monitor the process of granting system access to users within my department to ensure that appropriate information access levels and security clearances are maintained when transfers, changes in job functions, and terminations occur. This includes:
■ Creating and maintaining a current process map for all employee types regarding the process for notification of changes to employee status.
■ Creating and maintaining a list of active PAF responsible persons within the area served.
■ Creating and maintaining a list of departmental systems operators/owners that need to be notified when an employee status changes.
Refer to policy IM 10-30.19 Authorization and Access to Electronic Systems and Applications, Section IV: Specific Information, Item D: Modification of Access.
■ Maintain the flow of information to and from department systems operators/owners that need notification of changes to employee status.

Security Manager Role and Responsibilities (cont.)
• Identify potential exposures and risks to the confidentiality, integrity, and availability of information and make recommendations to my Department Head or the Information Privacy and Security Office (when appropriate) to mitigate the risks.
• Alert the Information Privacy and Security Office to changes in the patient-care, business, and computer systems environments in the organization that would have an impact on the information security program.
• Train another individual in the department to act as an ISM backup, in case of emergency or absence.

Management Oversight of Security Manager Requires:
1. Support for training and developing proficiency in the new role.
2. Regular check-ins to ensure systems access is a priority consideration for any HR change.
3. Consultation (including CAPS or other resources when warranted) to address complex systems access issues.
4. Being knowledgeable and visibly supportive of organizational policies and regulatory requirements for systems privacy and security.
5. Being knowledgeable of the resources available when the Security Manager changes or requires additional training/support.

How do you know when there are competency issues?
• Staff report that they do NOT have appropriate systems access when they start work or change roles.
• You observe staff sharing IDs/passwords because one or more do not have needed access.
• The Security Manager cannot respond to these questions:
1. "Who do you contact when there is an issue obtaining a VU Net ID?" [Should say "VSA" or "VU Net ID Team" and know the phone number and web URL]
2. "Who do you contact when there is an issue with obtaining a RACF ID or clinical systems access?" [Should say "SAM Team" or "Identity Management" and know the phone number and web URL]
3. "How do we get access to VandyWorks?" [Should say e-mail the VandyWorks e-mail address and the person on call will get in touch]
4. "Who grants access to Business Objects?" [Should say contact Maribeth Hagan and Systems Support Services]
• The Security Manager cannot state the correct sequence for the following onboarding steps:
1. Submit PAF to HR.
2. Register the new employee for New Employee Orientation.
3. Obtain the VU Net ID from the VSA (it was automatically generated once the PAF was processed).
4. Request a RACF ID and appropriate clinical/business systems access.
5. Provide the RACF ID letter to the new employee.
• The Security Manager does not enter systems access transfer information or request termination of systems access in a timely fashion with transfers and terminations.

Triggers for Re-evaluation of Systems Access
• New hire? Will need a VU Net ID, RACF ID, access to StarPanel, HEO/Wiz, HED/AdminRx, and possibly Medipac, POU, Teletracking, etc. Refer to the grid for role-specific requirements for the unit.
• Cross-train for added duties (e.g. CP cross-trained as MR)? Will need to compare CP functionality to MR functionality on the grid and request what's missing. Will need Medipac access to enter transfers, discharges, and departures.
• Job change on the same unit (e.g. CP to RN)? Will need to compare current functionality to the functionality needed for the new role and request what's missing. (E.g. an RN will need a "role change" in HEO to enable them to enter verbal orders for meds.)
• Transfer in or out? Will need to compare current functionality to the functionality needed for the role on the new unit and request what's missing (or delete what is no longer needed). (E.g. POU access may need to be added or deleted.) Unit information will need to be updated to show the current home department.
• Termination (voluntary or involuntary)? Systems access will need to be inactivated. In some cases with involuntary terminations, this needs to be done very quickly to prevent malicious activity. There is a monthly PeopleSoft feed that will eventually inactivate the VU Net ID, but this is delayed. Be cautious in situations where one job is ending but the staff member will continue to have a job elsewhere at VUMC, as their access may need to be transitioned to a new Security Manager rather than ended.
• 2nd job (e.g. a CP who is a Nursing Student doing a clinical placement here)? This can get tricky and requires a case-by-case review and perhaps consultation with CAPS or another resource. In general, the individual will need access to perform in both roles AND will need guidance that they must match the systems they use, and how they use them, to the role in which they are functioning at any given time. (E.g. a Nursing Student might document meds in AdminRx but a CP would not.)

Helpful Links
• Systems Access Online Request Form (log in with your VUNET ID and Epassword): https://samprod.mc.vanderbilt.edu/sam/Access.aspx
• Website to print Security Letters and check the listing of active users (log in with your RACF ID and RACF ID password): https://10.109.11.191/login.php

Websites:
• Systems Access Management: http://www.mc.vanderbilt.edu/root/vumc.php?site=sam
• Help Desk: http://helpdesk.mc.vanderbilt.edu
• Information Technology: http://it.vanderbilt.edu/
• AccessVU: http://www.vanderbilt.edu/accessvu/
• ITS Product Page for SecurID Tokens: https://its.vanderbilt.edu/services/rsasecurid-tokens
• Eprocurement Ordering Process Tutorial: http://its.vanderbilt.edu/files/web_files/RSA_SecurID_eProcurement_tutorial.pdf

Frequently Asked Questions
Q -- What is a VSA Administrator and how do I become one?
A -- VuNet Services Administrators (VSAs) can assist users dealing with their VuNet IDs, resetting E-passwords, modifying personal options, and other facets of managing a VuNet account.
In order to become a VSA, you must:
1) Submit an application, which is found at: http://its.vanderbilt.edu/files/documents/vsa_app.pdf

Q -- How do you appoint or remove a Security Manager?
A -- The Security Manager's Appointment and Removal forms may be found at the following links:
Appointment: http://www.mc.vanderbilt.edu/root/vumc.php?site=sam
Removal: http://www.mc.vanderbilt.edu/root/vumc.php?site=sam
Training will be scheduled for new Security Managers/VSA Administrators once their applications have been received.

Next Steps
• Identify a Security Manager for your unit(s).
• Negotiate back-up coverage across units (e.g. the 9W Sec. Mgr. backs up 9E and vice versa).
• Ensure the Security Manager is scheduled to attend a training class (instructor-led classes available 9/12, 14, 20, 21; sign up via LMS).
• Provide visible support for the first 2-3 months in the new role:
■ Brief check-in q 1-2 wks.
■ Monthly mtgs. to discuss barriers and agree on solutions.
• Use resources as needed.

Resources
1. Systems Support Services Web Site:
2. Help Desk: 3-HELP/3-4357 to access support from:
• Identity Management
• VSA support
• Systems Support Services

Current State (process flow)
1. Hiring Mgt. (or surrogate) completes the PAF & registers the new hire for New Employee Orientation (NEO).
2. The VU Net ID is created by feed from PeopleSoft to VSA.
3. SSS Sec. Admin. checks NEO registrations for staff who need systems access. Needs RACF ID / systems access?
■ No: nothing further.
■ Yes: is a VU Net ID available?
   - Yes: SSS Sec. Admin. requests a RACF ID & access to applications based on role and unit. The RACF ID letter is sent to the SSS Sec. Admin. & given to the new employee in the NEO Sign On class.
   - No: SSS Sec. Admin. checks w/ the hiring Mgr. (or surrogate) to see if the PAF was done.
4. //Later// Does the employee lack appropriate systems access? If yes, the Manager notifies the SSS Sec. Admin. of the needed systems access, and the SSS Sec. Admin. requests access to applications based on the Manager's request.

At present, units seldom notify SSS of role changes, transfers, terminations & other changes that impact systems access requirements, resulting in HIPAA violations.
Future State - Near Term (process flow)
1. Hiring Mgt. (or surrogate) completes the PAF & registers the new hire for New Employee Orientation (NEO).
2. The VU Net ID is created by feed from PeopleSoft to VSA.
3. Is a VU Net ID available? If yes: the Security Mgr. requests a RACF ID & access to all applications needed by the new employee based on the spreadsheet. Identity Management sets up access in the apps they support and provides the RACF ID letter to the Security Mgr.
4. Medipac access needed? If yes: the Sec. Mgr. assigns appropriate M'Pac functions based on the spreadsheet.
5. //Later// Does the employee lack appropriate systems access? If yes: the Security Manager requests addition/deletion of systems access via the SAM online request form, and Identity Management makes the requested changes.
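The triggers for re-evaluation and the future-state flow both reduce the Security Manager's job to one comparison: what the person holds versus what the role grid ("spreadsheet") says the role needs, filed as an add/delete request via SAM. The script below is an added illustration of that reconciliation, not code from the deck or from Vanderbilt; the ROLE_GRID contents are constructed stand-ins for a unit's real grid, and the trigger names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a unit's role-to-system grid ("spreadsheet");
# the real grid is unit-specific and is not reproduced on this page.
ROLE_GRID = {
    "CP": {"StarPanel", "HED/AdminRx"},
    "MR": {"StarPanel", "Medipac"},          # Medipac: transfers, discharges, departures
    "RN": {"StarPanel", "HEO/Wiz", "HED/AdminRx"},
    "NursingStudent": {"StarPanel", "HED/AdminRx"},
}
BASE_IDS = {"VU Net ID", "RACF ID"}          # everyone with clinical access needs both


@dataclass
class AccessRequest:
    """What the Security Manager files via the SAM online request form."""
    add: set = field(default_factory=set)
    delete: set = field(default_factory=set)
    urgent: bool = False                     # involuntary termination: act at once
    note: str = ""


def reconcile(current: set, roles) -> AccessRequest:
    """Least privilege: request exactly the gap between held and required access."""
    needed = set(BASE_IDS)
    for role in roles:
        needed |= ROLE_GRID[role]
    return AccessRequest(add=needed - current, delete=current - needed)


def on_trigger(trigger, current, keep_roles=(), new_roles=(),
               involuntary=False, other_vumc_job=False):
    """Map a re-evaluation trigger (assumed names) to the add/delete request."""
    if trigger == "termination":
        if other_vumc_job:  # job ends but employment continues elsewhere at VUMC
            return AccessRequest(note="transition to new unit's Security Manager; "
                                      "case-by-case review, consult CAPS if needed")
        return AccessRequest(delete=set(current), urgent=involuntary)
    if trigger in ("cross_train", "second_job"):
        # Both roles apply at once: keep the existing role(s) and add the new one.
        return reconcile(current, list(keep_roles) + list(new_roles))
    if trigger in ("new_hire", "job_change", "transfer"):
        # Only the new role(s) count; anything not on the grid for them is deleted.
        return reconcile(current, new_roles)
    raise ValueError(f"unknown trigger: {trigger}")
```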