56.50 - Sanctions Policy (SN)
Policy Statement
TTUHSC El Paso shall implement a comprehensive means of sanctions for policy violations,
misuse of information resources, and/or attempts to disregard complying with Information
Technology (IT) safeguards as required by state and federal legislation.
Reason for Policy
The purpose of the Sanctions Policy is to ensure that TTUHSC El Paso information resources
are protected. This policy is in place to ensure faculty, staff, students, end users,
data owners and data custodians operate within a framework of confidentiality, integrity,
and privacy as directed in state and federal legislative mandates. IT policies,
procedures and guidelines have been established to align with TAC 202, NIST 800-53
and other governing entities. Information resources are valuable assets to TTUHSC
El Paso and regulating use is a priority of TTUHSC El Paso in the best interests of
the institution.
Entities Affected by this Policy are any and all users of Information Resources at TTUHSC El Paso.
What is covered in this Policy?
The overall policy addresses the institutional stance as it applies to TTUHSC El Paso
in the areas of: accountability, responsible use of information resources, sanctions
for policy violation, and prevention of state and federal governing standards violations.
This policy is based on consideration according to Data Classification, Incident Response,
Employee Conduct and Performance, and Compliance.
As an employee, faculty, staff member of TTUHSC El Paso, all information resources
are owned, monitored, and regulated by TTUHSC El Paso. No rights to privacy are assumed
by any member employed, contracted, or working in collaboration with the institution.
Who Should Read this Policy?
All individuals accessing, storing, viewing, and/or utilizing or consuming any TTUHSC
El Paso information resources.
What happens if I violate this policy?
Any person(s) violating TTUHSC El Paso Information Technology policies are subject
to sanctions as outlined in this policy, and according to the policy rating scale
below. In addition to departmental disciplinary action, violations may be subject
to penalty under federal, state, and local legislation.
Policy Violation as applied
All employees are expected to maintain professional decorum and adhere to professionalism
standards as outlined in HSCEP OP 70.31, Employee Conduct, Discipline and Separation of Employees. Standards and requirements
for use of Information resources are outlined in the Acceptable Use of Information Resources Policy at TTUHSC El Paso, and on the TTUHSC El Paso Information Technology policies webpage.
In the event of a violation, employees, faculty, and staff are expected to report
violations that occur in their purview.
Policy violations will be classified according to policy ratings based on violation formula listed. This formula will be applied per policy violation.
Policy Rating
The following formula will be applied to IT Security-related policy violations. Scores
can range from 1 to 208.
Occurrences * Previous Violations * Data Classification Score * Impact Score
- The number of occurrences will be multiplied by the previous violation metrics, data classification score, and the impact score.
Variables
- Occurrences – A single occurrence is rated as a “1”, multiple occurrences are rated as a “2”.
- Previous Violations – No previous violations is rated as a “1”, previous Information Security policy violations are rated as a “2”.
- Data Classification Score – The information resource scoring table is shown below.
- Impact Score – The impact score table is shown below.
Per Compliance policy HSCEP OP 52.04 on internal investigation of alleged violations, each incident that is reported will follow thorough investigative procedure.
Data Classification Score Table
| Score | Data Types |
|---|---|
| 1 | N/A (no data accessed/affected) |
| 1 | Public |
| 2 | Internal |
| 3 | Confidential\Sensitive |
| 4 | Restricted\Regulated |
Impact Score Table
| Score | Data Types |
|---|---|
| 1 | Small – Medium Incident |
| 2 | Legal |
| 2 | Financial |
| 2 | Outage/Disaster |
| 3 | Large Incident |
| 3 | Reputational damage |
*Impact score is the sum of all data types involved.
According to HSC Op 52.14, extension of these recommended sanctions, also adhere to recourse covered in the HIPAA Sanctions Process.
Non-TTUHSC information resources consumers are subject to state and federal persecution per violation attempts.
All other IT Policies can be found at https://ttuhscep.edu/it/policies/
- TAC 202.74
- TAC 202.75
- TAC 202.72