THE OHIO STATE UNIVERSITY COLLEGE OF OPTOMETRY

Computing Policies & Procedures

Proposed: 10 December, 2000

Updated: 05 March 2009

Last Modified: 11 May 2009

Original Approved: 06 June 2002

Version Approved: 23 April 2009

The Ohio State University College of Optometry


Table of Contents

Introduction .................................................................................................................................................. 3

Optometry General Computing Policy .......................................................................................................... 4

Optometry Service and Support Policy ......................................................................................................... 8

Major Systems Acquisition, Development & Maintenance ........................................................................ 12

Policy on Protected Information ................................................................................................................. 15

What is protected information? .............................................................................................................. 15

Handling protected information. ............................................................................................................ 15

What happens if protected information is exposed? .............................................................................. 16

What is the university’s policy on protected information? ..................................................................... 17

College of Optometry Password Policy ....................................................................................................... 18

College of Optometry Information Technology Change Management Policy for Critical Systems ............ 19


Introduction

The following document outlines policies concerning the use of computing resources in the College of Optometry (known as ‘the College’) at The Ohio State University. The definition of computing resources shall include any account, computer, peripheral, network or server provided or supported by the College of Optometry Information Technology Department (known as ‘IT’). Use of these computing resources includes the use of data/programs stored on IT computing systems, and of data/programs stored on magnetic tape, floppy disk, CD-ROM or other storage media that are maintained or supported by IT. The “user” of the system is any person using the computing resources of the College of Optometry. The purpose of these policies is to provide an efficient, productive computing environment for all users of College computing resources. We endeavor to provide an environment where users will find it easy to use these resources in an effective, ethical and lawful manner.

Users are reminded that College of Optometry computing resources are owned by The Ohio State University and are to be used only for the purpose for which they are authorized by this policy and are not to be used for unauthorized activities. Users are hereby reminded that unauthorized use of a College computing resource is a violation of College and University policies and may also be a violation of state and federal law. Users are further reminded that the laws and policies mentioned above are outside the scope of this document as they are too numerous to list; ALL College users are hereby notified that it is the user’s sole responsibility to be knowledgeable of these laws and policies. Also, please be advised that explanations of the policies are outside of the scope of this document, and one should contact Information Technology or the Office of the CIO for any explanations and/or clarifications.

The computing resources outlined in these policies include both public and protected resources. Protected College resources include all those that store restricted or sensitive data, including patient data, and are governed by state and federal law. Public College resources are resources that contain data which is accessible to the public. A stricter standard shall govern the use of protected College resources. A separate College policy, as well as a University policy, define and govern the access and use of restricted data.

We hope that these policies enlist all Optometry users’ assistance in making our computing environment productive, reliable and secure.

All policies contained herein and updates to these policies are posted on the transfer drive (T:\) here:

T:\COLLEGE DOCUMENTS\POLICIES\Computing

Please check the policy for updates regularly.


Optometry General Computing Policy

The following outlines the College of Optometry’s Acceptable Use Policy regarding the use of College computing resources.

By using and/or accessing College resources, all users of said computing resources agree to abide by College of Optometry policies, University policies, local laws, state laws, and federal laws. The specific University policies that users will be held to can be found on the CIO’s web site (http://cio.osu.edu). Users are reminded to check the CIO’s web site regularly for changes.

1. As the College of Optometry computing resources store public, sensitive and restricted data, sensitive and restricted data may not, at any time, be stored on resources that are not authorized to hold such information.

2. Users are responsible for protecting the data to which they have access via their user account.

3. Users are required to report any weakness in computer resource security, and any incidents of possible misuse or violation of this agreement, to the proper authorities by contacting the Director of Information Technology.

4. Users shall not attempt to access any data or programs contained in College computing resources for which they do not have authorization by the data owner or the Information Technology Department.

5. Users shall not share their College computing account(s) with anyone. This includes sharing the password to the account, allowing another user to use their account after logging in, or any other means of sharing.

6. Users shall not make unauthorized copies of copyrighted software, except as permitted by law or by the copyright owner.

7. Users shall not install unapproved or non-supported software on any College system without consultation with Information Technology. This will help to keep all College systems as stable as possible and keep downtime to a minimum.

8. Users shall not attempt to disable or circumvent anti-virus or security programs present within any College computing resource.

9. Users shall not make copies of system configuration files (e.g. registry, logon scripts, etc.) for their own, unauthorized personal use or to provide to other people/users for unauthorized uses.


10. Users shall not purposely engage in activity with the intent to: harass other users, degrade the performance of computing resources, deprive any authorized user access to a resource, obtain extra resources beyond those allocated, circumvent Information Technology security measures or gain access to an Optometry resource for which proper authorization has not been given.

11. Personal use of College computing resources is permitted when it does not consume a significant amount of those resources, does not negatively impact the user’s job performance and other University responsibilities, and is in compliance with all applicable laws and policies.

12. Electronic communication facilities (e.g., e-mail, news, web sites) are for authorized College users only. Fraudulent, harassing or obscene messages and/or materials shall not be sent from, to, or stored on College computing resources.

13. Users shall not download, install or run security programs or utilities that reveal weaknesses in the security of any computing resource. For example, users shall not run password cracking programs or port scanners on any College computing resource.

14. Users not directly employed by Information Technology to administer College computing resources shall at no time have access to any systems or applications that allow the management of security on College computing resources.

15. Users shall be required to have a password that meets length and strength requirements (see password policy).

16. New users shall be assigned temporary passwords and will be required to change this password at first logon. The security system shall remember the previous 5 passwords to ensure that the user does not re-use them.

17. Users must change their passwords at least every 180 days. The security system shall remember the previous 5 passwords to ensure that the user does not re-use them.

18. Users shall not purchase or utilize any computing hardware that is not supported by Information Technology without adequate business justification and written approval from the Director of IT. This includes peripherals such as USB memory/drives.

19. Users are encouraged not to forward any unsolicited e-mail, in whole or in part, to other users within the College (for example, virus warnings, news stories, advertisements, OSUToday, University-wide mailings, etc.).


20. Users shall contact Information Technology in order to send any bulk e-mail announcement to any part of the University community (e.g. OSUToday announcements, bulk mailings to students, etc.). Users shall not send any such announcement or mailing that has not been approved by the Director of Information Technology and College administration. Users who wish to send out research-related mailings are also advised that such mailings may need to be approved by the University’s Office of Research.

21. Users wishing to send such bulk e-mail shall make sure the message they wish to send does not exceed approximately 600 characters. Any message that needs to convey more information will need to have a web page set up to communicate this information to the intended audience.

22. Users requiring support or service shall follow the procedures outlined in the Service and Support section of this document.

23. As all data contained on College computing systems is owned by the College and The Ohio State University, backup services shall be provided by IT to all College users. All College-owned data shall be placed on the user’s U: drive as data contained on this drive is backed up nightly by Information Technology.

24. All users shall receive a College e-mail address and will utilize Microsoft Outlook when sending e-mail in the College. Any user utilizing College email shall have their OIT forwarding set to their College email account. The Director of Information Technology must approve any exceptions to this policy. Each exception shall be reviewed on a yearly basis.

25. The College’s computing resources shall be solely maintained by Information Technology. The only exception to this rule concerns direct vendor support for hardware and/or outside support for application development. There shall be no exceptions made for consultants, students, or employees not hired by or under the direct supervision of Information Technology. All consultants hired to provide such support shall require approval by Information Technology.

26. Fulfilling the mission of the College requires reasonable access by users to computing resources. Security is based on the principle of least privilege. The Director of IT will determine access privileges for network services. The default status will be 'user.' Once granted, status should not be changed without reasonable prior notice to the user unless there is clear evidence that such action is needed to prevent imminent damage to College computing resources.


Any non-compliance with these requirements could have a very detrimental effect on College computing resources. We ask that all users adhere to these policies to the best of their abilities to assist Information Technology and their fellow users in maintaining a secure, efficient and productive computing environment. This, in turn, will allow Information Technology to perform their duties to the utmost of their abilities and to service all College users in the best manner possible.

Violations of said policies will be reported to the user’s supervisor, the Director of Information Technology, and the Office of the Dean. Users are reminded that serious violations, especially those involving patient records, place serious liabilities on the College and therefore could result in civil or criminal prosecution.

Monitoring of users by Information Technology personnel may take place as a result of suspected violations of College or University policies and all applicable laws. Monitoring of authorized College users will take place in accordance with the University CIO’s policies on monitoring of University personnel. Monitoring of the public (i.e. non-employees and non-students of The Ohio State University) will take place at the discretion of the Director of Information Technology, in accordance with College security policies.

Users are also reminded that logging of user activities is a normal process of the systems and software installed on the College network and does not constitute monitoring (under the University CIO’s definition of monitoring), although such logs may be used as evidence to commence active monitoring and may also be used as evidence if so required by law enforcement or other legal means.


Optometry Service and Support Policy

The following outlines the College of Optometry’s Service and Support policy involving College computing resources.

Following are policies and procedures that shall be undertaken by Information Technology and by users requiring service and/or support. User adherence to these policies will ensure that the College maintains an effective, efficient system of computing resources. The following also outlines issues that are under the domain of IT Support.

Information Technology has responsibility for maintaining College computing resources within a large community of users. The responsibility to maintain a functioning network for the benefit of all within the College must be fulfilled while maintaining a respect for the sensitive nature of the information contained on computers and in users' work areas. The following policies outline the authority of IT with respect to access to individuals' work areas and computing resources.

1. Generally, any hardware problem with a user’s IT-supported personal computer/terminal or its network connection is within the domain of IT Service. IT only provides support for university-owned equipment.

2. Support is also provided for software-related issues concerning supported software applications. If you are unsure if a specific software package is supported, please contact the Director of IT.

3. Users shall consult IT when planning the purchase of computing hardware regardless of the source of funding or purpose of the equipment. IT consultation will greatly help to avoid the purchase of equipment that is of lesser quality or that is not compatible with other College computing resources, and allow the College to be a good steward of its limited resources. Hardware shall not be connected to the College network without the express permission of Information Technology.

4. Users shall use personal computers that allow the use of Microsoft Windows. Any exceptions to this policy are solely for faculty or for tasks which can only be performed on an alternate operating system. Computers that utilize alternate operating systems (e.g. MacOS, Linux, Solaris, IRIX) may not be able to adequately access many College computing resources, although Information Technology shall make every effort to allow adequate access to College computing resources to other operating system platforms. Information Technology recognizes the value of mobile productivity tools, such as handhelds and cell-phones, and will make every effort to assist in the utilization of these devices. However, there is no official support for these devices and any support provided will be time-permitting.


5. Unless prior arrangements have been made with IT, support for, or installation of, specialized hardware or applications is beyond the scope of service provided by Information Technology. In this case, users shall arrange support for such hardware or software with the hardware/software vendor. This includes non-OSU internet service providers (e.g. AOL, Prodigy, AT&T Worldnet, etc.).

6. IT Support Contact Procedures:

a. The preferred and most efficient way to contact Information Technology is via the Help Desk website. The website may be accessed via the College’s “MyOffice” page here: http://optometry.osu.edu/myoffice/, then click on “Help Desk.” After submission of your ticket, you will receive an e-mail outlining an estimate of when your ticket will begin to be addressed. To avoid confusion and to save time, the user who files a ticket should be the only user communicating with IT Support concerning the issue.

b. All issues require that a Help Desk ticket be created. It is imperative that you attempt to file a detailed Help Desk ticket before contacting IT Support as defined below.

c. Other methods of contacting IT Support are as follows:

i. Via e-mail at: [email protected] (note: please do not send e-mail specifically requesting support to IT staff’s personal address(es) – this can cause delays in service as we cannot see what is received in each other’s accounts).

ii. Via telephone: 688-4596. If you get voice mail, please leave as detailed a message as possible. Voice mail messages will be checked at least once per day.

7. IT Support will respond to requests for help with an estimate as to when the issue will be addressed. IT Support will also contact the user if there is a subsequent change in the scheduling for the request. IT Support will respond to requests for help as follows:

a. Any Help Desk ticket filed as Urgent (immediate) or ASAP (within 24 hours) will receive a response via e-mail within 4 working hours.

b. If your computer is inoperative, IT will provide the user with a written response or a telephone call.


8. It is part of the job of IT to determine what needs to be done to repair a computer and where and how the work is to be completed. IT should make reasonable efforts to communicate these plans to the user if the repair involves removal of a computing resource from a work area or making significant modifications to hardware or software. IT will not initiate unrelated work without consultation with the user. It may be possible to provide the user with a loaner computer in these cases. If a loaner is unavailable, some alternative systems that could be used are:

a. Any of the College of Optometry student computing lab computers.

b. The computer in one of the small class/conference rooms.

c. The IMC loaner laptop(s).

9. If a hard drive crash occurs, IT will perform all possible operations to retrieve the data. However, if the data is unrecoverable, the user is responsible for all data that has not been stored on their U: drive. If the data is deemed extremely important and must be recovered, arrangements will be made with a professional recovery service. Payment arrangements for recovery services shall be made with funding from your unit or grant.

10. In the event that a user or group needs a custom application developed by Information Technology, detailed information as to the scope and functioning of the application shall be forwarded to the College’s Director of IT. As IT time is limited in respect to these projects, the Director of IT will make these decisions on a case-by-case basis.

11. Any users who are exempt from certain points of College policy and permitted to use non-College e-mail systems (i.e. OIT e-mail) shall contact the OIT Help Desk at 688-HELP for support. Information Technology cannot provide direct support for any system managed by OIT.

12. If a support issue has not been addressed to any user’s satisfaction, the user shall contact the Director of Information Technology, outlining the nature of the computing issue and the problem the user is having in dealing with IT Support to solve the issue. If the Director of Information Technology does not address the complaint to the user’s satisfaction, the user is then encouraged to contact the Office of the Dean.

13. Offices and work areas will be considered private. IT will enter these areas to perform any work only with prior consent. The user shall specify the desire to be present during completion of work and provide available times on the Help Desk ticket. Stating that there is no need to be present gives IT permission to enter the work area to complete the ticket work request. Access to an office or work area without the permission of the individual user, employee, or user's supervisor will occur only in situations where there is a clear and present need for such access to prevent imminent damage to the integrity of College computing resources.


14. Once a ticket request is submitted, IT should only perform the work requested by the user. Removal of a computing resource from a work area or making significant modifications to hardware or software outside of the scope of the ticket request should only be done after communication with the user. Users are reminded that the resolution of any problem may, in fact, require significant changes. The user will be informed in the event a significant modification is needed.

15. Remote operation of a user’s computer should only be conducted with the prior consent of the user or user's supervisor, unless there is a clear and present need for such action to prevent imminent damage to the integrity of College computing resources.

16. Logging and monitoring of College computing activity is a necessary part of maintaining the network. Monitoring will be conducted according to University policy. Logging will be conducted with due respect for the sensitive and possibly confidential nature of the activities of individual users when possible, in addition to all applicable laws and university regulations. Unauthorized monitoring or breaches of confidentiality are considered by IT to be serious violations of both University and College policy and will not be tolerated. Users should be aware that their uses of College computing resources are not completely private. While the university or College does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the College's computing resources require the backup and caching of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the rendition of service. The university may also specifically monitor the activity and accounts of individual users of university computing resources without notice, when (a) the user has voluntarily made them accessible to the public, as by posting to Usenet or a web page; (b) it reasonably appears necessary to do so to protect the integrity, security, or functionality of university or other computing resources or to protect the university from liability; (c) there is reasonable cause to believe that the user has violated, or is violating, this policy; (d) an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns; or (e) it is otherwise required or permitted by law. Any such individual monitoring, other than that specified in "(a)", required by law, or necessary to respond to perceived emergency situations, must be authorized in advance by the CIO or the CIO's designees. Unauthorized monitoring or breaches of patient confidentiality would be considered violations of both university and College policy. Users are directed to http://www.cio.ohio-state.edu/policies/use_policy.html for the full text of the university "Policy on Responsible Use of University Computing Resources."


Major Systems Acquisition, Development & Maintenance

This section will address procedures to be used when acquiring large new hardware or software systems. Examples of such are computers, clinic database applications, etc.

Systems acquisition and development are a very important part of the College computing environment and also greatly affect overall Information Technology policy. These systems affect the largest number of users and systems. The guidelines below have been established to ensure the best systems/applications are purchased for each situation.

Systems Acquisition

The first section of this policy shall deal with the acquisition of hardware systems, such as computers, switching equipment, rack systems, and products relating to network wiring infrastructure.

When purchasing computers, Information Technology shall perform a needs analysis to determine the minimum equipment needed to process data at the highest level of efficiency. Computers shall be purchased with the thought in mind that they should last 3-5 years. Therefore, the best systems that will fit within the budgetary constraints shall be purchased.

When Information Technology performs the needs analysis, the following information will be required:

• What software applications will be installed and operated on the system.

• Minimum amount of memory needed.

• Minimum amount of processing power required to operate installed applications.

In order to lower acquisition costs and support overhead, preference will always be given to University Standard Configurations unless an adequate business justification is provided and approval is granted by the Director of IT.

Application Development

When applications need to be developed internally or with the assistance of external consultants, the following policies shall apply:

1. Information Technology shall do a needs assessment to record the essential requirements of the application.

2. Information Technology shall also include non-essential requirements in the application needs assessment.


3. Information Technology shall communicate with the targeted end users of the application and will factor into the needs assessment all end user requirements and suggestions to the greatest extent possible.

4. If the application is to be developed internally, Information Technology shall determine how best to build the internals of the application, e.g. programming language, database setup, etc.

5. If the application is to be developed outside of the College, Information Technology will write up an RFP (Request for Proposal) and submit it to Purchasing, which will manage the RFP process.

6. Information Technology shall work with the vendor to guarantee that the new application integrates with existing College computing resources to the highest extent possible.

7. When addressing the building or purchasing of applications that will be holding patient or other confidential information, Information Technology shall use higher security standards (to be enumerated at the time of purchase/development) in the needs assessment for such applications.

8. Internal application security shall be a part of system development in order to help maintain the confidentiality of any information in the application.

9. For all applications, a beta-testing period shall be used to expose the application to a sampling of end-users that will be using the product to ensure that end-user needs are being met. This beta-testing will, preferably, be performed on Optometry computing systems to ensure they work in the environment in which they will be used.


Application Maintenance

The following policies apply to the day-to-day maintenance of any computing applications that affect several users, i.e. system-wide changes:

1. Any changes that need to be made to the system that will affect more than one user of the system shall be reviewed by Information Technology to ensure that no damage will occur.

2. Any changes made to the system that will affect more than one user shall only be made by Information Technology staff. At no time may end users of the application and/or system make system-wide changes.

3. Security restrictions placed in the application shall restrict end users from making such changes to the extent possible.

4. The internal security settings of such applications at no time will be accessible to the end users of the application.

5. To the greatest extent possible, any changes to be made to the application shall be first tested on a system dedicated to testing the application and any changes made to it. When it is not possible to test the changes first, a backup will be performed immediately prior to making the changes.

6. When any changes are to be made to an application, the request shall be recorded.

7. Information Technology personnel, when making such changes, shall record any and all steps taken in

changing the application.


Policy on Protected Information

The age of the Internet has dramatically increased the availability and flow of information across the globe. While this tool has revolutionized many industries, including higher education, it has also presented complications such as identity theft. Identity theft can be very costly both to the individual and to the university. Very little information is required for identity thieves to assume an individual’s identity; therefore it is our responsibility to ensure the data we store remains private. How do we keep the information we want to keep private from becoming publicly available? The College of Optometry takes all reasonable measures to adequately guard our protected information. However, technology alone cannot keep all information secure, all of the time. A great deal of responsibility lies with the user to ensure our protected data is not compromised.

What is protected information?

Protected information can be defined as any information which should not be disclosed to unauthorized persons, intentionally or accidentally. This seems very simple, but becomes more complicated when we consider how certain information must be handled. Certain information is not only sensitive, but protected by federal and state laws. Information primarily used by the College of Optometry is protected by the Federal Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). Every employee of the College of Optometry is required to complete FERPA and HIPAA training prior to accessing information protected by these federal laws, but the university has several key guidelines which are helpful in maintaining compliance with FERPA:

• Grades must not be posted unless accompanied by an identifier that is unrecognizable by anyone other than the student
• Rosters, etc. must not be left in public or semi-public areas
• References must not contain grade or grade-point information unless the student has given prior written consent. Other protected information that should not be divulged includes students' social security number, race or ethnicity, gender, nationality, academic performance or disciplinary records
• For students 18 and over, written student consent is required before any information can be shared with parents

For more information about protected information, please see the University’s Institutional Data Policy located at http://cio.osu.edu/policies/institutional_data/.

Handling protected information.

The very best way to ensure protected data remains protected is never to store it at all. Unfortunately in today’s world, this is not always possible. In the College of Optometry, as with any organization, protected information must be handled in such a way as to prevent unauthorized access. Additionally, information must be stored in specific locations to ensure the proper technology is in place to protect the data.

• Protected information should always be stored in an encrypted format or protected location.
• Protected information should always be stored on the college file servers, never on desktop or laptop computers, not even temporarily.
• University policy prohibits the storage of protected information on non-OSU owned devices including USB flash drives, computers, etc.
• Protected information should never be transmitted by e-mail.
• Personal financial information is prohibited and should not be stored anywhere on the College of Optometry network.
• Devices containing protected information must be disposed of properly by the College IT staff.
• Remote access to protected information is prohibited.

It is advisable that, wherever possible, protected information should be redacted from files. Thieves cannot steal what we do not have. Removing social security numbers and other identifiable data from files goes a long way toward preventing identity theft.

What happens if protected information is exposed?

Data exposures can be very costly for the university and the individual. The smallest data exposure can cause significant embarrassment to the college and to the university, and its negative impact can be felt for a very long time as our faculty, staff, students and alums lose respect and trust in the organization. The State of Ohio has passed legislation named House Bill 104 (HB 104) which requires the university to notify the owners of the exposed information. The notification process begins when it is confirmed or suspected that the following information has been exposed:

Any combination of an individual's name and any of the following:

• social security number
• driver's license number or state identification number
• account number or credit card number or debit card number, in combination with any of the following items that would permit access to the individual's financial account:
  o required security code
  o access code
  o password

If a suspected breach of protected information occurs, the individual must immediately notify the Director of Information Technology, who will coordinate and initiate the investigation process as defined in the University Policy on Disclosure or Exposure of Personal Information.
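The redaction advice in "Handling protected information" (remove social security numbers and other identifiable data from files) and the HB 104 identifier list above are the basis for the following added example. It is not part of the college's policy document and assumes nothing about college systems: it scans a constructed sample record for SSN-shaped values and for digit runs that pass the Luhn checksum used by payment card numbers, reports each hit masked to its last four digits so a reviewer can locate it without re-exposing the value, and returns a copy with the values replaced. Driver's license and state identification numbers are state-specific formats and are not covered; whether a given file meets the HB 104 name-plus-identifier trigger remains the judgment of the Director of Information Technology, not the script.

```python
import re
from dataclasses import dataclass
from typing import List

# SSN pattern with the structural exclusions the SSA publishes: area 000, 666
# and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits with optional single spaces or hyphens between them; candidates
# are confirmed with the Luhn checksum before being reported as card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str       # "ssn" or "card"
    line_no: int
    masked: str     # last four digits only, for a review report


@dataclass
class ScanResult:
    findings: List[Finding]
    redacted_text: str


def scan_and_redact(text: str) -> ScanResult:
    """Locate SSN- and card-number-shaped values, mask them for reporting,
    and return the text with those values replaced."""
    findings: List[Finding] = []
    out_lines: List[str] = []
    for line_no, line in enumerate(text.splitlines(), start=1):

        def replace_ssn(m: "re.Match[str]") -> str:
            findings.append(Finding("ssn", line_no, "***-**-" + m.group()[-4:]))
            return "[SSN REDACTED]"

        def replace_card(m: "re.Match[str]") -> str:
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                return m.group()  # a digit run that is not a card number; leave it
            findings.append(Finding("card", line_no, "*" * (len(digits) - 4) + digits[-4:]))
            return "[CARD REDACTED]"

        line = SSN_RE.sub(replace_ssn, line)
        line = CARD_RE.sub(replace_card, line)
        out_lines.append(line)
    return ScanResult(findings, "\n".join(out_lines))


# Constructed sample record; none of these values belong to a real person.
SAMPLE = """\
Patient intake (constructed sample)
Name: Jane Example   SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Order ref: 1234 5678 9012 3456
Phone: 614-555-0100
"""

if __name__ == "__main__":
    result = scan_and_redact(SAMPLE)
    for f in result.findings:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(result.redacted_text)
```

Run against the sample, the SSN on line 2 and the card number on line 3 are reported and replaced, while the order reference (which fails the Luhn check) and the phone number are left untouched. Running such a scan over the college file servers rather than the redaction-in-place step is the useful part for a defender: the findings list shows where identifiers live before deciding whether a file needs redaction or reporting.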


What is the university’s policy on protected information?

All employees of the College of Optometry must familiarize themselves with the university policies surrounding protected and sensitive information. These can be found at the CIO’s Buckeye Secure website located at http://cio.osu.edu/buckeyesecure/policies_index.html.


College of Optometry Password Policy

The College of Optometry has adopted a strong password policy in compliance with the OSU Minimum Computer Security Standard (MCSS). Passwords must be 9 characters in length, and contain characters from 3 out of the following 4 categories:

• Uppercase letters (A-Z)
• Lowercase letters (a-z)
• Numbers (0-9)
• Non-alphanumeric (for example, !, @, #, $...)

To change your password, press ctrl+alt+del once you are logged in and choose “Change Password” on the lower left.

Passwords must be changed every 180 days.

When creating your new password:

Don’t get stuck in the mindset that your “password” actually has to be just one big word. You may use several words or a phrase, as long as it contains the necessary characters. Spaces are also allowed.

Passwords do not need to be changed dramatically. Subtle changes to passwords can be easier to remember than dramatic changes!

For more tips and guidelines, please refer to this article:

http://www.microsoft.com/athome/security/privacy/password.mspx

If there are any other issues concerning passwords, please contact Support at [email protected]
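As an added example that is not part of the college's policy document, the Python below implements the password rules stated above as a check that a provisioning script or help desk tool could run before accepting a new password: the 9-character length (treated here as a minimum, which is an assumption), the 3-of-4 category rule, and the 180-day change interval. It also assumes that a space is permitted in a password but does not count toward the non-alphanumeric category; the sample passwords are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Rules taken from the College of Optometry password policy above.
MIN_LENGTH = 9        # "9 characters in length" (treated as a minimum; assumption)
MIN_CATEGORIES = 3    # characters from 3 of the 4 categories
MAX_AGE_DAYS = 180    # "changed every 180 days"

# The four character categories. A space is allowed in a password but, by
# assumption, is not counted as a non-alphanumeric character here.
CATEGORIES: Dict[str, "re.Pattern[str]"] = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9\s]"),
}


@dataclass
class PolicyResult:
    compliant: bool
    length: int
    categories_met: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def check_password(password: str) -> PolicyResult:
    """Evaluate a candidate password against the length and category rules.

    Only the verdict and the reasons are returned; the password itself is
    never logged or stored by this function.
    """
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"length {len(password)} is below the required {MIN_LENGTH}")
    met = [name for name, pattern in CATEGORIES.items() if pattern.search(password)]
    if len(met) < MIN_CATEGORIES:
        reasons.append(
            f"only {len(met)} of the required {MIN_CATEGORIES} character categories present"
            f" ({', '.join(met) if met else 'none'})"
        )
    return PolicyResult(compliant=not reasons, length=len(password),
                        categories_met=met, reasons=reasons)


def password_age_days(last_changed: str, today: str) -> int:
    """Days since the password was last changed; both dates as ISO strings."""
    return (date.fromisoformat(today) - date.fromisoformat(last_changed)).days


def password_expired(last_changed: str, today: str) -> bool:
    """True once the password has reached the 180-day change interval."""
    return password_age_days(last_changed, today) >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Correct horse 7", "correct horse 7", "Abc1!", "abcdefghi"]:
        result = check_password(candidate)
        verdict = "OK" if result.compliant else "REJECTED"
        print(f"{candidate!r}: {verdict} {'; '.join(result.reasons)}")
    print("expired:", password_expired("2009-01-01", "2009-06-30"))
```

The phrase "Correct horse 7" passes (uppercase, lowercase and a digit; the spaces are allowed but add no category), "correct horse 7" fails on categories, and "Abc1!" fails only on length. The reasons list is what a help desk would show the user; the password value itself stays out of any log.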


College of Optometry Information Technology Change Management Policy for Critical Systems

The College of Optometry, in an effort to coordinate changes to critical systems, has developed a change management policy. The purpose of this policy is to minimize the risk and impact to our computing environment during the change process, to preserve its efficiency, and to establish guidelines for adequate documentation of system changes.

For the purposes of this policy, changes are defined by the following actions to any system with the purpose of serving multiple end users:

• Hardware – Installation, modification, removal or relocation of equipment
• Software – Installation, patches, upgrades, configuration changes

Tasks outside of the scope of this policy:

• Disaster Recovery/Backup
• Changes to non-production equipment
• Tasks required for day-to-day operations
  o Examples include Account Creation/Removal, Password Changes (except service accounts)
• Updates to the College or Clinic Websites

Process:

Proposal and Approval

Changes to critical systems must undergo an approval process prior to implementation. The purpose of this approval process is not only to prevent unauthorized changes to the systems, but to allow an additional review of the proposed change for risk and possible business impact. Proposed changes should be submitted to the help desk for ticketing and tracking; once approval has been granted via a help desk response, the change can be scheduled and completed. In the event of vendor-implemented changes, the system administrator, not the vendor, is responsible for obtaining approval and documenting the change.

Elements which must be included in the request are listed below:

• Proposed change
• Detailed purpose (i.e. what issue does it resolve?)
• Who requested the change, if not the submitter
• Risk analysis (i.e. worst case scenario, including business impact and action plan for recovery)
• Intended date/time for change to take place
• Who needs to be or has been notified of impending change

Changes without the above elements will not be approved.

Documentation

Documentation of changes is a critical step in the change management process which must be completed thoroughly and accurately. A wiki has been implemented to store documentation of critical systems and is indexed by device. After a change is completed, documentation must be appended to the wiki page for the device involved. Documentation must include all elements from the approval process in addition to any notes regarding the change procedure, particularly that which would aid in future troubleshooting.

Blanket Approval for Routine Changes and Emergency Changes

Management recognizes the need for routine updates to systems to ensure the proper, secure operation of said equipment. In these cases (e.g. Microsoft OS patches), management approval is understood, but documentation must still take place. This does not apply to vendor-implemented changes.

Changes of an urgent nature which need to take place to ensure security or reliability of the computing environment do not require pre-approval, but a well-documented debriefing of management will be required after problem resolution.

Roles

The Director of Information Technology shall serve as the change management coordinator, except in cases where the change is implemented by the Director, in which case the Network Administrator will serve as approver for system changes. Changes implemented by a vendor or clinic staff to the practice management system shall be coordinated and approved by the Clinic Information System Coordinator, except where the change is directly implemented by the Coordinator, in which case the Network Administrator will serve as the approver for system changes. In the absence of any required approver, the requestor shall consult with any member of the IS staff and, if the staff member concurs, this shall deem the change approved.