Responsible Office: Office of Cybersecurity	Last Review: 02/10/2021 Next Review: 02/10/2023
Contact: Chris Madeksho	Phone: 901.448.1579 Email: mmadeksh@uthsc.edu

Purpose

The University of Tennessee Health Science Center (UTHSC) offers electronic services to its computer users to perform work for the University in support of its mission and functions. During the course of business, legitimate business continuity reasons will arise that require access to information held on UTHSC IT Resources by third parties. The following Practice describes the process when a third-party requests access to this information.

Scope

All information held on UTHSC owned IT Resources, including individually assigned accounts, mailboxes, network space, storage devices, and/or backups.

Definitions

Third-Party – a company or entity that provides goods and/or services to UTHSC. The agreement between UTHSC and the third part should be a direct written contract.

Responsibilities

CIO has overall responsibility of the Identification & Authentication (IA) program at UTHSC and ensures that the program is developed, documented, and disseminated to appropriate UTHSC entities in accordance with University policies.

Chief Information Security Officer (CISO) is responsible for overseeing the Identification & Authentication program and consults with system owners to ensure effective procedures are implemented.

Data Owner, or designee will be responsible for approving requests for additions, changes, and deletions of access rights and privileges to data or information for individual users. The Data Owner will forward the approved requests to the system custodian for implementation.

System Custodian is responsible for implementing the approved requests using security controls.

Practice

1. Need – During the course of business, legitimate reasons will arise that require third party access to information held on UTHSC IT Resources including, but not limited to workstations, email accounts, documents, servers and/or peripherals. Should an individual user be unavailable or unable to provide permission to access these resources, or if circumstances supersede the right to privacy, University access without the individual’s permission can be provided with the documented approval of a data and/or system Owner.
2. Approval – All requests to access an individually assigned account by individuals who are not the account owner are made to the Chief Information Officer (CIO), the Chief Information Security Officer (CISO) or their delegate, who will obtain documented approval from the data or system owner, coordinate the request, and facilitate the specific and appropriate access as necessary.
   1. When legal needs require monitoring, preservation, and/or access to electronic information, the office of the General Council will request and guide the desired action.
   2. When business continuity requires access to electronic information, whether stored in an assigned mailbox, network space, on a hard drive, and/or backups, and
      • The employee is available to receive and respond to email and no urgent business needs require continuity of communication, the employee will facilitate access as needed.
      • The employee is unavailable to receive and respond to email and urgent business needs require continuity of communication, the employee’s supervisor requests access by seeking approval from an Authorized University Official.
        
        Examples of an employee’s inability to provide consent include, but are not limited to the following:
        
      • Administrative leave.
      • An employee leaves unexpectedly and ends up on a prolonged absence.
      • An employee is suddenly terminated.
      • An employee resignation.
      • An employee is incapacitated.
   3. When requests for access to electronic information, whether stored in an assigned mailbox, network space, on a hard drive, and/or backups, or other locations accessible by the UTHSC account (NetID and password) of a deceased individual, documented approval from the Office of the General Counsel and the appropriate representative from the Office of the Chancellor must be obtained.
3. Additional Safeguards – When access is afforded to data or information with a classification rating of 3 in any area per Standard-InfoSec-GP-002-Data & System Classification, separate documented approval must be obtained from the data owner(s) before this data can be disclosed.
4. Documentation – The CIO, CISO or their delegate works with data owners regarding monitoring, access, disclosure, and/or the preservation and archival of requested data, and will document the request, disclosure details, the name and title of the requestor, and the reason for the request*. 

* No confidential information is ever to be stored in the ITS Ticketing System. Requests must be modified to ensure confidentiality.

References

1. Standard-InfoSec-AC-001-Access Control
2. Standard-InfoSec-GP-003-Expectation of Privacy
3. Standard-InfoSec-GP-002-Data & System Classification
4. UTSA IT Policy IT0110 – Acceptable Use of Information Technology Resources