IT0311-HSC-A.02 Third-Party Access to Account and Data

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

The University of Tennessee Health Science Center (UTHSC) offers electronic services to its computer users to perform work for the University to support its mission and functions. During the course of business, legitimate business continuity reasons will arise that require access to information held on UTHSC IT Resources by third parties. The following Practice describes the process when a third party requests access to this information.

This practice is also designed to meet compliance requirements for data regulated by federal or state law. This includes, but is not limited to, security requirements and safeguards for the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or Gramm-Leach-Bliley Act (GLBA).

Scope

All information held on UTHSC-owned IT Resources, including individually assigned accounts, mailboxes, network space, storage devices, and/or backups.

Definitions

Authorized University Officials – include the Office of the Chancellor, the Office of the General Counsel (for litigation holds), the Executive Vice Chancellor/Chief Operating Officer, or the AVC for HR as a designee.

Level 2 Data – The effect on confidentiality and integrity of the Data is significant and includes compliance requirements. This Data is governed by federal or state compliance requirements, and unwarranted exposure can lead to compliance issues and/or fines. This includes all Data that contains personally identifiable information (PII), protected health information, student education records, and cardholder Data. This categorization level also includes lower-risk items that, when combined, represent increased risk, per IT0005-HSC-A-Data & System Categorization. Minimum security requirements are explained on the webpage https://uthsc.edu/its/cybersecurity/requirements.php.

Third-Party – a company or entity that provides goods and/or services to UTHSC. The agreement between UTHSC and the third party should be a direct written contract or business associate agreement.

UTHSC Information Technology (IT) Resource – a broad term for all things related to information technology from a holistic point of view and covers all University-owned or managed information technology services, including cloud-based services, that users have access to.

Responsibilities

Chief Information Security Officer (CISO) has the overall responsibility of the Identification & Access Management (IAM) program at UTHSC and ensures that the program is developed, documented, and disseminated to appropriate UTHSC entities in accordance with University policies.

IAM Analyst is responsible for building the IAM program and consulting with system owners to ensure effective procedures are implemented.

Data Owner, or designee, will be responsible for approving requests for additions, changes, and deletions of access rights and privileges to data or information for individual users. The Data Owner will forward the approved requests to the system custodian for implementation.

System Custodian is responsible for implementing the approved requests using security controls.

Practice

  1. Need – During the course of business, legitimate reasons will arise that require third-party access to information held on UTHSC IT Resources, including, but not limited to, workstations, email accounts, documents, servers, and/or peripherals. Should an individual user be unavailable or unable to provide permission to access these resources, or if circumstances supersede the right to privacy, University access without the individual’s permission can be provided with the documented approval of a data and/or system owner. Users’ expectation of privacy is outlined in IT0002-HSC-B-Expectation of Privacy.
  2. Approval – All requests to access an individually assigned account by individuals who are not the account owner are made to the CISO or their delegate, who will obtain documented approval from the data or system owner, coordinate the request, and facilitate specific and appropriate access as necessary. Access to data and accounts is limited to the scope of the request.
    1. When legal needs require monitoring, preservation, and/or access to electronic information, the Office of the General Counsel will request and guide the desired action.
    2. When business continuity requires access to electronic information, whether stored in an assigned mailbox, network space, on a hard drive, and/or backups, and
      1. The employee is available to receive and respond to email and no urgent business needs require continuity of communication, the employee will facilitate access as needed.
      2. The employee is unavailable to receive and respond to email and urgent business needs require continuity of communication, the employee’s supervisor requests access by seeking approval from an Authorized University Official.
        Examples of an employee’s inability to provide consent include, but are not limited to, the following:
        • Administrative leave
        • Unexpected leave that leads to prolonged absence
        • Sudden termination
        • Resignation
        • Incapacitation
    3. When access is requested to electronic information, whether stored in an assigned mailbox, network space, on a hard drive, and/or backups, or in other locations accessible by the UTHSC account (NetID and password) of a deceased individual, documented approval from the Office of the General Counsel and the appropriate representative from the Office of the Chancellor must be obtained.
  3. Access – When the access required is by a party outside of the UTHSC organization, i.e., contractor or vendor, access is granted via an approved remote software application. Access is supervised, and the event is recorded by the data owners or system owners.
  4. Additional Safeguards – When access is afforded to data or information with a level 2 categorization per IT0005-HSC-A-Data & System Categorization, separate documented approval must be obtained from the data owner(s) before this data can be disclosed.
  5. Documentation – The CISO or their delegate works with data owners regarding monitoring, access, disclosure, and/or the preservation and archival of requested data and will document the request, the disclosure details, the name and title of the requestor, and the reason for the request*.

* No confidential information is ever to be stored in the ITS Ticketing System. Requests must be modified to ensure confidentiality.

Policy History

Version #    Effective Date
1            04/18/2016
2            0210/2021
3            05/13/2023
4            07/31/2023
5            03/01/2025 – new naming convention

References

  1. IT0002-Acceptable Use of Information Technology Resources
  2. IT0311-Information Technology Data Access, Management, and Recovery
  3. IT0002-HSC-B-Expectation of Privacy
  4. IT0005-HSC-A-Data & System Categorization
  5. IT0311-HSC-A-Access Control

Version: 5 // Effective: 04/18/2016