Information Security Charter
Published: March 2010
Revised: March 2018
In the course of carrying out its business objectives, staff at Omaha Media Group LLC (“OMG”) collect many different types of information, including financial, medical, human resources and other personal information. OMG values the ability to communicate and share information appropriately. Such information is an important resource of OMG, and any person who uses information collected by OMG has a responsibility to maintain and protect this resource. Federal and state laws and regulations, as well as industry standards, also impose obligations on OMG to protect the confidentiality, integrity and availability of information relating to all staff and clients. In addition, the terms of certain contracts and OMG policy require appropriate safeguarding of information.
This Charter and the information security policies adopted by OMG hereunder (collectively, the “Information Security Policies”) define the principles and terms of OMG’s Information Security Management Program (the “Information Security Program”) and the responsibilities of the members of OMG community in carrying out the Information Security Program.
The information resources (the “Information Resources”) included in the scope of the Information Security Policies are:
- All Data (as defined in Section IV below) regardless of the storage medium (e.g., paper, fiche, electronic tape, cartridge, disk, CD, DVD, external drive, copier hard drive, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.);
- The computing hardware and software Systems (as defined in Section IV below) that process, transmit and store Data; and
- The Networks (as defined in Section IV below) that transport Data.
The Information Security Policies are OMG-wide policies that apply to all individuals who access, use or control Information Resources at OMG, including staff as well as contractors, consultants and other agents of OMG and/or individuals authorized to access Information Resources by affiliated institutions and organizations.
Capitalized terms used herein without definition are defined in Section IV below.
II. Charter History
- The effective date of this Policy is March 30, 2010.
- Reviewed and/or revised March 14, 2018.
III. Charter Text
The mission of the Information Security Program is to protect the confidentiality, integrity and availability of Data. Confidentiality means that information is only accessible to authorized users. Integrity means safeguarding the accuracy and completeness of Data and processing methods. Availability means ensuring that authorized users have access to Data and associated Information Resources when required. This Charter establishes the various functions within the Information Security Program and authorizes the persons described under each function to carry out the terms of the Information Security Policies. The functions are:
A. Executive Management
Executive Managers are senior OMG officials, who are responsible for overseeing information security for their respective areas of responsibility and ensuring compliance with all Information Security Policies. Such responsibilities include, but are not limited to:
- Ensuring that each System Owner and Data Owner in their respective areas of responsibility appropriately identify and classify Data;
- Ensuring that each such System Owner and Data Owner receives training on how to handle Sensitive Data and Confidential Data; and
- Ensuring that each IT Custodian in his/her area of responsibility provides periodic reports with respect to the inventory of Information Resources used in such area to the applicable Information Security Office.
B. Security, Policy and Compliance Governance
The following committees have been established to govern security, policy and compliance issues relating to the Information Security Program at the organizational level:
- Information Security Steering Committee (Executive Strategic Oversight)
- OMG Compliance Committee (Regulatory Compliance Requirements)
- Administrative Policy Council (Review of and Advice on Administrative Policies)
- PCI-DSS Governance Committee (Credit Card Compliance)
C. Security Management
Security Managers are Managers in the OMG business office. Security Managers are responsible for the day-to-day management of the Information Security Program, including:
- Developing, documenting and disseminating the Information Security Policies;
- Educating and training OMG personnel in information security matters;
- Communicating information regarding the Information Security Policies;
- Developing and executing the Risk Management Program;
- Translating the Information Security Policies into technical requirements, standards and procedures;
- Collaborating with Data Owners and System Owners to determine the appropriate means of using Information Resources; and
- Authorizing any required exceptions to any Information Security Policy or any associated technical standards or procedures and reporting such exceptions to the Office of the General Counsel.
In addition to the responsibilities listed above, the Executive Managers have granted the authority to the Information Security Offices to conduct the following activities:
- Monitoring communications and Data that use the OMG Network or Systems for transmission or storage;
- Monitoring use of OMG’s Information Resources;
- Conducting vulnerability scanning of any Information Resources connected to the OMG Network;
- Conducting security assessments of Systems, Server centers and Data centers;
- Disconnecting Information Resources that present a security risk from the OMG Network;
- Erasing all Data stored on personal Endpoints previously used for OMG business, as requested or required; and
- Leading and managing the OMG Response Team in connection with any breach or compromise of Sensitive Data.
OMG’s Information Security Officer is the officer responsible for Security Management.
D. Data Ownership
Data Owners are OMG officials, including Directors and Executive Strategy, who are responsible for determining Data classifications, working with the applicable Information Security Office in performing risk assessments and developing the appropriate procedures to implement the Information Security Policies in their respective areas of responsibility. Such responsibilities include, but are not limited to:
- Appropriately identifying and classifying Data in their respective areas of responsibility;
- Establishing and implementing security requirements for such Data in consultation with the applicable Information Security Office;
- Where possible, clearly labeling Sensitive Data and Confidential Data;
- Approving appropriate access to Data; and
E. System Ownership
System Owners are OMG Executive Managers and Managers who are responsible for determining computing needs, and applicable System hardware and software, in their respective areas of responsibility and ensuring the functionality of each such System. Such responsibilities include, but are not limited to:
- Classifying each System in their respective areas of responsibility based on the identification and classification of Data by the applicable Data Owner;
- Establishing and implementing security requirements for each such System in consultation with the applicable Information Security Office;
- Documenting and implementing audit mechanisms, timing of log reviews and log retention periods;
- Maintaining an inventory of such Systems;
F. Technical Ownership
IT Custodians are OMG personnel who are responsible for providing a secure infrastructure in support of Data, including, but not limited to, providing physical security, backup and recovery processes, granting access privileges as authorized by Data Owners or System Owners and implementing and administering controls over Data in their respective areas of responsibility. Such responsibilities include, but are not limited to:
- Maintaining an inventory of all Endpoints used in their respective areas of responsibility;
- Conducting periodic security checks of Systems and Networks, including password checks, in their respective areas of responsibility;
- Documenting and implementing audit mechanisms, timing of log reviews and log retention periods;
- Performing self-audits and reporting metrics to the applicable Information Security Office and monitoring assessments and appropriate corrective actions; and
- Ensuring that the OMG Sanitization and Disposal of Information Resources Policy https://www.omahamediagroup.com/isc is followed.
IT Groups are two or more IT Custodians whose responsibilities involve the same Information Resource. All IT Groups located within OMG must follow the specific procedures relating to IT Groups in the OMG Information Security Procedures.
G. System or Data Usage
Users are persons who use Information Resources. Users are responsible for ensuring that such Resources are used properly, that information is not made available to unauthorized persons, and that appropriate security controls are in place.
IV. Definitions
As used in the Information Security Policies, the following terms are defined as follows:
AES: the Advanced Encryption Standard adopted by the U.S. government.
Approved OMG Email System: as defined in the OMG Email Usage Policy https://www.omahamediagroup.com/isc.
Omaha Media Group or OMG: as defined in Section I of this Charter.
OMG Clientele Healthcare Component: the health care component of OMG that is comprised of OMGIT and the other clients, healthcare systems, universities, departments and offices of the external healthcare systems to the extent that they (1) provide treatment or health care services and engage in Covered Transactions or (2) receive PHI to provide a service to, or perform a function for or on behalf of, the OMG Clientele Healthcare Component.
Confidential Data: any information that is contractually protected as confidential information and any other information that is considered by OMG appropriate for confidential treatment. See the OMG Data Classification Policy https://www.omahamediagroup.com/isc for examples of Confidential Data.
Covered Entity: a (1) health plan, (2) health care clearinghouse or (3) a Covered Health Care Provider, as more particularly defined in the HIPAA Rules at 45 CFR 160.103.
Covered Health Care Provider: a health care provider that transmits any health information in electronic form in connection with a Covered Transaction.
Covered Transaction: an electronic financial or administrative transaction for which HHS has developed standards under the HIPAA Transactions and Code Sets Regulations, as more particularly described in the HIPAA Rules at 45 CFR 162.
Data: all items of information that are created, used, stored or transmitted by OMG community for the purpose of carrying out the institutional mission of designing and developing and all data used in the execution of OMG’s required business functions.
Data Owner: as defined in Section III(D) of this Charter.
DHCP: Dynamic Host Configuration Protocol, which is a Network protocol that enables a Server to automatically assign an IP address to a Network enabled device from a defined range of numbers (i.e., a scope) configured for a given Network.
DNS: Domain Name System, which is a protocol within the set of standards for the exchange of Data on the Internet or on a private Network. The Domain Name System translates a user friendly domain name such as https://www.omahamediagroup.com into an IP address such as “188.8.131.52” that is used to identify computers on a Network.
Email System: a System that transmits, stores and receives emails.
Endpoint: any desktop or laptop computer (i.e., Windows, Mac, Linux/Unix), Mobile Device or other portable device used to connect to OMG wireless or wired Network, access OMG email from any local or remote location or access any institutional (OMG, departmental or individual) System either owned by OMG or by an individual and used for OMG purposes.
EPHI: Electronic Protected Health Information.
Health Care: the care, services or supplies relating to the health of an individual, including, without limitation, (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body and (2) the sale or dispensing of a drug, device, equipment or other item in accordance with a prescription.
HHS: the U.S. Department of Health and Human Services.
HIPAA: the Health Insurance Portability and Accountability Act, as amended from time to time.
HIPAA Rules: the HIPAA Privacy, Security and Breach Notifications and Enforcement Rules (45 CFR Parts 160 and 164), as amended from time to time.
HITECH: the Health Information Technology for Economic and Clinical Health Act, as amended from time to time.
IDEA: the International Data Encryption Algorithm.
Individually Identifiable Health Information or IIHI: any information (including demographic and genetic information) created or received by the OMG Clientele Healthcare Component that relates to (1) the past, present or future physical or mental health or condition of an individual, (2) the provision of Health Care to an individual or (3) the past, present or future payment for the provision of Health Care to an individual and either (a) identifies the individual or (b) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual, as more particularly described in the HIPAA Rules at 45 CFR 103.
Information Resources: as defined in Section I of this Charter.
Information Security Office: as defined in Section III(C) of this Charter.
Information Security Policies: as defined in Section I of this Charter.
Information Security Program: as defined in Section I of this Charter.
Internal Data: as defined in the OMG Data Classification Policy https://www.omahamediagroup.com/isc.
IP: Internet Protocol.
IRB: Institutional Review Board.
IT Custodian: as defined in Section III(F) of this Charter.
IT Group: as defined in Section III(F) of this Charter.
Key Business System: as defined in the OMG Business Continuity and Disaster Recovery Policy https://www.omahamediagroup.com/isc.
MAC: Media Access Control.
Mobile Device: a smart/cell phone (i.e., iPhone, Blackberry, Android, Windows phone), tablet (i.e., iPad, Nexus, Galaxy Tab and other Android based tablet) or USB/removable drive.
Network: electronic Information Resources that are implemented to permit the transport of Data between interconnected Endpoints. Network components may include routers, switches, hubs, cabling, telecommunications, VPNs and wireless access points.
OHCA: an Organized Health Care Arrangement, which is an arrangement or relationship, recognized in the HIPAA Rules that allows two or more Covered Entities that hold themselves out to the public as participating in a joint arrangement and participate in certain joint activities to share PHI for joint health care operations purposes.
OMG Information Security Office: as defined in Section III(C) of this Charter.
OMGIT: OMG Information Technology.
OMGIT Information Security Procedures: the OMG Information Security Procedures established by the OMGIT Information Security Office https://www.omahamediagroup.com/isc.
OMGIT Network: the Network owned and operated by OMG.
OMG Network: the Network owned and operated by OMG, including the OMG Network.
Payment Card: for purposes of PCI-DSS, any payment card/device that bears the logo of the founding members of PCI SSC, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.
PCI: Payment card industry.
PCI-DSS: the PCI Data Security Standard produced by the PCI–SSC, which mandates compliance requirements for enhancing the security of payment card data.
PCI-SSC: the PCI Security Standards Council, which is an open global forum of payment brands, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc, that are responsible for developing the PCI-DSS.
Peer: a network participant that makes a portion of its resources, such as processing power, disk storage or network bandwidth, directly available to other network participants, without the need for central coordination by Servers or stable hosts. Examples include KaZaa, BitTorrent, Limewire and Bearshare.
Peer-to-Peer File Sharing Program: a program that allows any computer operating the program to share and make available files stored on the computer to any machine with similar software and protocol.
Personally Identifiable Information or PII: any information about an individual that (1) can be used to distinguish or trace an individual’s identity, such as name, date and place of birth, mother’s maiden name or biometric records, (2) is linked or linkable to an individual, such as medical, educational, financial and employment information, which if lost, compromised or disclosed without authorization, could result in harm to that individual and (3) is protected by federal, state or local laws and regulations or industry standards.
Protected Health Information or PHI: IIHI that is transmitted or maintained by the OMG Clientele Healthcare Component in electronic or any other form or medium, except (1) as provided in the definition of Protected Health Information in the HIPAA Rules at 45 CFR 160.103.
Public Data: as defined in the OMG Data Classification Policy https://www.omahamediagroup.com/isc.
Removable Media: CDs, DVDs, USB flash drives, external hard drives, Zip disks, diskettes, tapes, smart cards, medical instrumentation devices and copiers.
RHI: as defined in the OMG Data Classification Policy https://www.omahamediagroup.com/isc.
Research Health Information or RHI: IIHI that (1) is created or received in connection with research that does not involve a Covered Transaction or (2) although previously considered PHI, has been received in connection with research pursuant to a valid HIPAA authorization or IRB waiver of authorization.
Risk Analysis: the process of identifying, estimating and prioritizing risks to organizational operations, assets and individuals. “Risk Assessment” is synonymous with “Risk Analysis”.
Risk Management Program: the combined processes of Risk Analysis, Risk Remediation and Risk Monitoring.
Risk Monitoring: the process of maintaining ongoing awareness of an organization’s information security risks via the risk management program.
Risk Remediation: the process of prioritizing, evaluating and implementing the appropriate risk-reducing security controls and countermeasures recommended from the risk management process. “Risk Mitigation” or “Corrective Action Planning” is synonymous with “Risk Remediation”.
RSA: the Rivest-Shamir-Adleman Internet encryption and authentication system.
Sensitive Data: any information protected by federal, state and local laws and regulations and industry standards, such as HIPAA, HITECH, the Nebraska State Information Security Breach and Notification Act, similar state laws and PCI-DSS. See the OMG Data Classification Policy https://www.omahamediagroup.com/isc for examples of Sensitive Data.
Server: any computing device that provides computing services, such as Systems and Applications, to Endpoints over a Network.
Service Account: a special User account for a System used to make configuration changes to the System.
SMTP: Simple Mail Transfer Protocol, which is an internet transportation protocol designed to ensure the reliable and efficient transfer of emails and is used by Email Systems to deliver messages between email providers.
SSL: the Secure Sockets Layer security protocol that encapsulates other network protocols in an encrypted tunnel.
User Records: as defined in the OMG Data Classification Policy https://www.omahamediagroup.com/isc.
System: Server based software that resides on a single Server or multiple Servers and is used for University purposes. “Application” or “Information System” is synonymous with “System”.
System Administrator: a person who is responsible for the configuration, operation and maintenance of a System.
System Owner: as defined in Section III(E) of this Charter.
UPS: Uninterruptible Power Supply.
User: as defined in Section III(G) of this Charter.
User ID: a User Identifier.
VPN: Virtual Private Network.
Violations of the Information Security Policies may result in corrective actions which may include: (a) the immediate suspension of computer accounts and network access; (b) mandatory attendance at additional training; (c) a letter to the individual’s personnel file; (d) administrative leave without pay; (e) termination of employment; or (f) civil or criminal prosecution.
VI. Applicable Laws, Regulations and Industry Standards
The federal and Nebraska State laws and regulations and industry standards that are applicable to information security at OMG are listed in Appendix B hereto.
OMAHA MEDIA GROUP LLC
Information Security Policies
- Information Security Charter
- Acceptable Usage of Information Resources Policy
- Business Continuity and Disaster Recovery Policy
- Data Classification Policy
- Electronic Data Security Breach Reporting and Response Policy
- Email Usage Policy
- External Hosting Policy
- Information Resource Access Control and Log Management Policy
- Information Security Risk Management Policy
- Network Protection Policy
- Registration and Protection of Endpoints Policy
- Registration and Protection of Systems Policy
- Sanitization and Disposal of Information Resources Policy
- Social Security Number (SSN) Usage Policy
Appendix B: Applicable Federal and Nebraska State Laws and Regulations
- The Digital Millennium Copyright Act
- The Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Health Information Technology for Economic and Clinical Health Act (HITECH)
- Internet Security and Privacy Act, Personal Internet account; employer; duty; liability.
- Nebraska State Information Security Breach and Notification Act
- Social Security Number Protection Law, 399-DDD
- Payment Card Industry/Data Security Standard