
Information Security Program

Data Classification: Systems & Applications

Purpose

In order to apply security measures in the most appropriate and cost-effective manner, data stored electronically must be evaluated and assigned a Data Classification Level (DCL) of 1, 2, 3, or 4. The DCL of the data establishes the extent and type of information security measures that must be implemented.

This Information Security Program element is not intended to cover personal computers (desktops or laptops) or other portable storage devices such as flash drives or smart phones.

Asset Classification

Information assets should be classified at the level appropriate for the value or criticality of the asset. It is possible that a system may hold data that is only classified at DCL1 but concerns about data integrity or the value of the asset to the University may cause the asset to be managed at a higher DCL. Data custodians and data owners should work together to classify and manage the information technology assets for which they are responsible based on a thorough understanding of the overall value of the asset. When DCL and asset values are classified differently, the higher level must be used to secure the system.

Data Classification

The security requirements set forth in this document are high level requirements that establish the minimum standards necessary for each DCL. In order to be effective, these requirements must be used in conjunction with other university and industry standards and best practices. These standards and best practices are available in the university's Information Security Program manual.

Systems

All server-based systems, including personal computers when configured as a server, must be administered by a qualified information technology professional and meet the security guidelines established for each data classification level. Each system must be classified at the highest data classification level of the information residing on a given system. For servers utilizing a database, the data residing in the database must be considered as part of the overall system for classification purposes.

Applications

For the purpose of this document, an application is a browser-based or proprietary application typically used to allow multiple users to read, access, share, modify, input or retrieve data from a server-based system. Applications, whether provided by a vendor or developed internally, must meet the application security requirements established for each DCL. These standards can be found at http://doit.missouri.edu/security/applications/.

The standards in this document do not cover office productivity software, such as Microsoft Office, or other software packages installed for use only on individual workstations.

Exceptions

Due to budget, functional and technology limitations, exceptions to the standards in this document may be required. Exceptions must be approved and documented by the Information Security Office at each business unit. Exceptions must also be eliminated as soon as is reasonably possible.

DCL Definitions

DCL 1--Public

Public data has been explicitly approved for distribution to the public by the data owner or through some other valid authority. Disclosure of public data requires no authorization and may be freely disseminated without potential harm to the University or its affiliates.

Examples: Advertising, product and service information, directory listings, published research, presentations or papers, job postings, press releases, instructions, training manuals.

DCL 2--Sensitive

While some forms of sensitive data are available to the public, the distinction between public and sensitive data for the purpose of this DCL is in how the information is made available. For example, salaries of University employees are public information under Missouri's Sunshine Law. However, salaries should not be posted on University Web pages or distributed by University employees without a specific and legitimate request. Therefore, sensitive data must be protected by authentication or identity verification and includes information that would not be openly shared with the general public. Sensitive data is intended for use within the University or within a specific workgroup, department or group of individuals with a legitimate need-to-know. Unauthorized disclosure of this information could adversely impact the University, individuals or affiliates.

Examples: Budget and salary information, personal pager or cell phone numbers, departmental policies and procedures, internal memos, incomplete or unpublished research.

DCL 3--Restricted

Restricted data is considered to be highly sensitive business or personal information. It is intended for a very specific use and should not be disclosed except to those who have explicit authorization to review such data, even within a workgroup or department. Unauthorized disclosure of this information could have a serious adverse impact on the University, individuals or affiliates.

Examples: Social Security Numbers, credit card numbers, medical records, student data that is not considered directory information, information protected by non-disclosure agreements, confidential research.

The regulations and laws that affect data in DCL 3 include HIPAA, FERPA and GLBA. Because of the strict technology requirements for DCL 3 data, consultation with central IT departments will almost always be required when establishing the security controls for this type of data.

E-Commerce

Electronic commerce data is subject to rigorous security requirements dictated by the payment card industry (PCI). All e-commerce applications must first be approved by the UM Treasurer's Office and can only be implemented in conjunction with the central IT office at each University business unit. The necessary security requirements will be determined at the time of implementation.

DCL 4--National Security Interest (NSI)

NSI data has been classified by a third party as having the potential to impact national security. Individuals managing or accessing NSI data must comply with all DCL 1, 2 and 3 requirements, as well as National Security Decision Directives and other Federal Government directives for DCL 4 rated data, including all information security procedures specified by the source agency.

Other Definitions

Administrator or Administrative Access - An individual or group of individuals with server or database administration rights on a given system or systems.

Application - A browser-based or other proprietary application used to allow one or more end-users to read, access, modify, input or retrieve data, from a server-based system.

Application Administrator - An individual with privileges to manage, maintain, modify or update an application hosted on a system or server.

Database Administrator - An individual responsible for understanding the platform on which the database runs, planning and coordinating security measures with network administrators, administering database management system software (including, but not limited to, managing user accounts), testing and coordinating modifications to the system, troubleshooting problems and ensuring the proper overall performance of the system.

Data Custodian - The IT support person(s) responsible for maintaining systems/servers and protecting specific sets of data.

Data Owner - The individual responsible for the creation or management of the data itself and who has overall responsibility for authorizing access and use of the data and who has significant responsibility for data protection. This role is usually assigned to a non-IT person.

End-User - An individual accessing or utilizing an application or system as a user only, not as an administrator or privileged user of the system.

FERPA - The Family Educational Rights & Privacy Act

GLBA - The Gramm-Leach-Bliley Act

HIPAA - The Health Insurance Portability and Accountability Act

Named Administrator Account - An IT-specific account that provides privileged access to systems and other IT resources and that in some way represents the name of the individual using the account.

Privileged User - A user of a system who has higher system access privileges than an end-user but who is not an administrator of the system, the database or of the application. Typically these users are those who update content, correct database errors, transmit data to and from systems, or run reports.

Principle of Least Privilege - The process of establishing differentiated levels of system access that allow end-users or privileged users access to only the system resources they need to perform their jobs or tasks, no more and no less.

Qualified IT Professional - An individual, qualified by virtue of training and/or experience, working for the University, by employment or contract, in an information technology-related title appropriate for the work being performed.

Remote Access - Access to an information system residing on the University's network when away from the university's network.

Remote Administration - System, database or application administration activities when the "administrator" is away from the affected system, whether on the University's network or not.

Strong Encryption - A level of encryption that is dependent, to some extent, on encryption standards that exist at any given time. Consult the ISO at each business unit for current strong encryption standards.

System Administrator - An IT support person or persons responsible for one or more systems which may hold and process data owned by one or more data owners.

System/Server - A hardware or virtual computing environment that is installed or configured to provide, share, store, or process information for multiple users or, that communicates with other systems to transmit data or process transactions.

Requirements

All electronically stored data residing within server-based systems must be evaluated and assigned the appropriate DCL. The following are the minimum security requirements for each DCL. These requirements also apply to third-party provided or hosted applications and systems. The requirements in this document are not intended to contradict, replace or supersede any existing IT or Telecommunications policies, procedures and standards already in place within the University, but rather are intended to be implemented in conjunction with existing measures. Consult your ISO to address apparent conflicts between these standards and other University policies.


System(s) Management

Level 1: Public Data

Systems must be managed by a qualified IT professional.

All systems must be registered with the central IT department at each University business unit.

All administrator tasks must be performed through secure means.

Host-based firewalls must be enabled.

Systems must have logging enabled.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

End-user access must be authenticated.

All authentication activities must be integrated with an approved centrally managed authentication service (i.e., Active Directory).

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

Original/primary locations of data at this level must be maintained on a server class machine even if access to such information is intended for a single person.

Databases must be segregated from front-end systems (i.e., Web and application servers).

Systems must ensure that data flows between systems or from the system to an authorized user are transmitted securely.


Granting & Revoking Access

Level 1: Public Data

No restrictions for viewing.

Administrator access must be granted through a documented approval process that applies the principle of least privilege.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Access granted to end-users must be made using:

  1. A standing definition of the end-user community authorized to access the system(s) or,
  2. a documented approval process.

Access granted to privileged users must be made using a documented approval process that applies the principle of least privilege.

Access must be reviewed at least quarterly for appropriateness.

Access must be revoked as soon as is reasonably possible when employees leave the University or custodial department.

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

Administrator and privileged user authorization must include a two-tier process. Typically this process would include an authorization from the employee's supervisor and the data owner (or their delegate).

All privileged users must sign a confidentiality agreement.

Access privileges must be reviewed monthly for appropriateness.

Access must be revoked immediately when employees leave the University or the custodial department.


Network Security

Level 1: Public Data

At a minimum, systems must be behind a shared enterprise firewall.

Firewall configuration must initially be implemented with a "default deny" policy and only allow access to the necessary services.

Perimeter IPS or IDS is required.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

Systems must be isolated from other systems through the use of a dedicated hardware-based firewall or a hardware-based virtual firewall.

Internet access will not be allowed except through an approved exception.


Remote Access

Level 1: Public Data

All administrator tasks must be performed through secure means.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Data and system administrators should consider the use of VPN or similar technology for end-user access.

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

End-user access must be through the use of VPN or similar technology.

Administrator access must be conducted using a separate VPN pool (or other technology) specifically for and limited to the system being administered.

Third party access (i.e. vendor support) must be conducted using supervised, just-in-time methods such as a WebEx session. Access must be limited to the duration of an incident or support request and may not persist outside of the active issue remediation.


Database

Level 1: Public Data

All databases must have a designated data owner, database administrator, and system administrator. The data owner must be different than the system administrator.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

All DCL3 databases must be registered with the central IT department at each University business unit.

Databases must be segregated from front-end systems (i.e., Web and application servers).

All databases must have a designated data owner, database administrator, and system administrator. These roles cannot be fulfilled by the same individual.


Physical Security

Level 1: Public Data

Servers must be housed in a secure room with access available to a limited number of individuals.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Level 3: Restricted Data

Servers must be housed in a data center managed by the central IT department at each University business unit.


System & Application Auditing

Level 1: Public Data

Security audits are not required.

Level 2: Sensitive Data

Security audits performed upon request of the system or application owner.

Level 3: Restricted Data

Security audits of systems and applications (i.e. web applications) are required annually.


Backup/Disaster Recovery

Level 1: Public Data

Backups must be performed at least weekly.

Daily backups are strongly recommended.

Level 2: Sensitive Data

Backups must be performed at least daily.

Two versions of backup media should be kept and one copy should be stored in a secure off-site location.

Level 3: Restricted Data

Backups must be performed at least daily.

Because of the criticality of level 3 data, backups must be handled by the central IT departments at each University business unit.


Data Disposal

Level 1: Public Data

All systems that are surplused or otherwise disposed of must follow University surplus property and data disposal policies.

Format hard drive.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Utilize software that writes over all sectors of the hard drive.

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

Utilize software that writes over all sectors of the hard drive multiple times as defined by DOD standards, or ensure hard drives are completely destroyed.


Training

Level 1: Public Data

IT professionals must be trained on the technologies and security methods specific to the environment(s) they manage.

Level 2: Sensitive Data

Must comply with all DCL 1 requirements.

Level 3: Restricted Data

Must comply with all DCL 1 and DCL 2 requirements.

Annual information security awareness training is required for privileged users, data owners and administrators (system, database and application).

Approved April 29, 2009