Medical University of South Carolina
Information Services
Policy and Procedure


Subject: MUSC Partner Connection Policy

Purpose:

To ensure that a secure method of connectivity is provided between the Medical University of South Carolina (MUSC) and all third party (partnering) companies and to provide a formalized method for the request, approval and tracking of such connections.

This policy applies to all new third party connection requests and any existing third party network connections. As used in this document and any and all related documents, the terms partner, partnership and partnering shall mean any contractor, sub-contractor or third party vendor or similar entity with whom MUSC enters into a network connectivity agreement. In cases where existing third party network connections do not meet all of the guidelines and requirements outlined in this document, they will be re-engineered as needed.

Procedures:

A. Third-Party Connection Requests and Approvals
All connection requests should be logged in Remedy, and assigned to the appropriate OCIO-IS technical support team. The required information is outlined in the Information Requirements Document. All information requested on this form, including the designation of MUSC's Administrative and Technical Points of Contact (POCs) for the partner connection, must be completed prior to seeking approval.

An OCIO-IS Director-level signature is required for approval of all requests. In some cases approval may be granted at a lower level with pre-authorization from the appropriate Director.

As a part of the request and approval process, the Partner POC for the connection will be required to read and sign the MUSC Third Party Connection Acceptable Use Policy and to execute any additional agreements required by MUSC.

B. Services Provided
In general, services provided over the third party/partner connections shall be limited only to those services needed, and only to those devices (hosts, routers, etc.) needed. Blanket access shall not be provided for anyone. The default approach should be to deny all access and then only allow those specific services that are needed. In no case shall the partner connection to MUSC be used as the Internet connection for the partnering company. The standard set of allowable services is listed below:
  1. File exchange via ftp - Where possible, file exchange via ftp should take place on the existing MUSC ftp server (ftp.musc.edu).
  2. Electronic mail exchange - Business related email exchange between MUSC and the third party partners may be conducted over the partner connection as needed. Mail from the third party/partner sites to non-MUSC addresses will not be allowed over the partner network connection.
  3. Telnet Access - Telnet access will be provided to specific MUSC hosts as needed. Partnering company accounts will only be given authorization for the specific MUSC hosts that are needed.
  4. Web Resource Access - Access to internal web resources will be provided on an as-needed basis. Access to MUSC's public web resources shall be accomplished via the normal Internet access for the partner company.
  5. Desktop Remote Control - Access may be provided to specific MUSC hosts if necessary. Partnering company accounts will only be given authorization for the specific MUSC hosts that are needed.


C. Protection of MUSC Private Information and Resources
The OCIO-IS technical support group responsible for installation and configuration of a specific partner connection will be responsible for ensuring that all possible measures have been taken to ensure the integrity and privacy of MUSC confidential information. At no time should MUSC be placed in a position of relying on access/authorization control mechanisms at the partner site to protect MUSC confidential information.

It shall not be MUSC's responsibility to ensure the protection of the partnering company's information. It is the partnering company's responsibility to provide the appropriate security measures to ensure protection of their private network and information.

D. Audit and Review of Third Party/Partner Connections
It is the responsibility of the MUSC Technical POC to implement procedures for regular monitoring of the third party partner connection. Monthly reports should be generated on the authenticating system showing detailed login activity. Each MUSC Administrative POC, and each Partner Company POC, will receive a copy of the monthly reports showing account activity associated with the partner connection.

All third party/partner connections will be reviewed on a quarterly basis and information regarding specific third party/partner connections will be updated as necessary. Obsolete partner connections should be terminated.

E. Connection Guidelines
Whenever possible, partner connections should be implemented using an approved mechanism. These mechanisms include dial-up access to MUSC's PPP service, dial-up access to a dedicated host modem, and Internet access.

If an Internet access mechanism is used, an authentication technique should be used which prevents cleartext transmission of any password(s) associated with the access account. If any MUSC information classified as confidential or private is transmitted over the partner connection, the transmission must be encrypted.

When setting up accounts for partner connections, individual accounts are preferred for each partner employee who will utilize the connection. When this is not possible, and group or role accounts are needed, a password aging policy must be implemented and enforced by the authenticating MUSC system.

Effective Date: September 27, 2000
Revised Date: August 2002

Approval:  Melissa S. Forinash, Controller, OCIO-IS
Author: Richard Gadsden