Procedure to Add a Server to the Trusted Zone

Procedure to Adda Device or System to the Trusted Zone

The Trusted Zone is logical segment of EmoryUniversity's network designed with appropriate security controls to comply with EmoryUniversity's policies and procedures for sensitive data and information, such as HIPAA (Health Insurance Portability and Accountability Act of 1996) ( As the Trusted Zone maintains a higher level of security, any introduction of servers, software, processes, or procedures must be assessed in order to ensure they do not introduce a higher level of risk to the University, including those data and information already in the Trusted Zone.

The scope of this document is intended solely for HIPAA data. Additional sensitive data, such as FERPA, may have additional processes and are outside the purview of the HIPAA Steering Committee.

Process:

All new devices, applications, and services must complete the following process to be added to the Trusted Zone. It is recommended that the application owner consult with your local IT support for assistance.

1. Complete the Trusted Zone application
2. Review your Unit'sRisk Assessment and identify any variances or additional risks that may be introduced with your application/service. Your local IT support should have a copy of the Risk Assessment.
3. Identify and document any changes to your system and their planned date in the Plan of Action and Milestones (PoA&M) document to minimize any additional risks once the system is in production.
4. Submit all three documents to your point of contact.
5. These documents will go through the approval process (see Approval Section).
6. Once approval has been given, a security check will be scheduled at a convenient time with the application owner. This security check will randomly review various aspects of the server or application to guarantee it meets the requirements of the trusted zone.
7. If the system does not pass, your point of contact will work with the system owner to secure the system.
8. Once the security of the server is established, your point of contact will request a network port in the Trusted Zone and provide the appropriate IP information for the server.
9. The server owner makes the necessary network changes.

Approval Process:

A request for a new device or service to be placed in the Trusted Zone or a significant change to the device or service that introduces a higher risk to the University must have authorization fromall of the following:

1. Application Owner
2. Leadership from the Application Owner's Department
3. Unit's IT Director or his/her delegate
4. CISO (or either of the University's Deputy CIO’s or Healthcare CIO if the CISO is not available)

Emergency Process:

In the event of a critical emergency where a change or new service must be placed in the Trusted Zone immediately, an interimapproval may be granted with authorization from:

• The VP of Information Technology

OR

• A Dean or VP equivalent AND a Deputy CIO or above

This approval is for 30 days during which time the normal approval process must be followed.

Trusted Zone Application

1. Service/Initiative Name: ______

1. Person(s) responsible for the application/server and an alternate emergency contact.

Name:

Title:

Phone Number:

E-mail Address:

Name:

Title:

Phone Number:

E-mail Address:

1. Physical location of the application/system (e.g., ACS co-location space, NDB data center):

______

1. Describe the roles and responsibilities of the types ofusers (e.g., system administrators, programmers, super users) that haveaccess to the application/system. Include approximate number of authorized users and their physical location. Be certain to specify if they have remote access. Also, please explain how access authorization is determined.

1. Provide a general description of the application/system. Include a diagram of architecture here or in an appendix, if applicable.

1. Describe the primary computing platform(s) used (e.g., Windows 2003 server) and a description of the principal application/system components, including hardware, software, and communications resources (e.g. Protocols used by end-users/administrators/developers).

1. List any applications/systems interconnected to this entity and whether or not the dependent applications/systems have been HIPAA certified (e.g., LDAP, Active Directory).You may indicate if this is known or not.

1. Please include any additional information about this device or application that may impact its risk to EmoryUniversity.

You must provide an explanation for every No or Not Applicable.

ID / Yes / No / Not Applicable
1.0 / Are all appropriate security patches installed and a process in place to install security patches when determined appropriate?
1.1 / - For the application(s)?
1.2 / - For the operating system(s)?
1.3 / Are all services that are not required turned off (e.g., DHCP, HTTP if it is not a Web server)?
1.4 / Are procedures in place to ensure strong passwords? (link to strong password policy statement?)
1.5 / Is access to network services limited to those users which require access?
1.6 / Are access/event/audit logs being generated and reviewed on a regular basis?
1.7 / Are strongly-encrypted remote login protocols being used exclusively?
1.8 / Is anti-virus software in use and updated regularly?
1.9 / Are procedures in place to prohibit servers being used as desktops?
1.10 / Is the equipment in a secured server room?
1.11 / Has HIPAAtraining been provided to users and information security and HIPAA training been provided to system administrators?
1.12 / ArePHI data required (data cannot be de-identified)?
1.13 / Are these data covered under FERPA?
1.14 / Do end user’s have access to components other than the applications front-end?
1.15 / Are default accounts and passwords disabled, changed, or removed from the system?
1.16 / Is there a change management system in place?
1.17 / Arethe data or passwords encrypted at rest?
1.18 / Arethe data encrypted while transmitted outside the Trusted Zone?
1.19 / Do system administrators perform privileged operations using privileged accounts separate from their personal accounts?
1.20 / Are appropriate signed agreements in place for any third party provider connecting to the system?

1. Please include any additional information to help clarify answers, especially for those questions that have been answered as "no" or "not applicable.

1. Please review your Unit's Risk Assessment. Will this device or service minimize, increases, or contradicts any risks identified in your Unit's Risk Assessment? If so, please document.

1 of 5