Systems & Applications
|
Level 1:
Public Data
Systems must be managed according to manufacturer and/or industry best practices.
Systems must be managed by a qualified IT professional.
All systems must be registered with the central IT department at each University business unit.
All administrator tasks must be performed through secure means.
Host-based firewalls must be enabled.
Non-critical OS patches must be applied within 30 days. Critical patches must be applied within 15 days.
Anti-virus protection must be installed and kept current.
Systems must have logging enabled. Logs (e.g., authentication, application, database and system) should be retained for no more than 12 months.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
End-user access must be authenticated.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
Original/primary locations of data at this level must be maintained on a server-class machine even if access to such information is intended for a single person.
Databases must be segregated from front-end systems (e.g., web and application servers).
Systems must ensure that data flows between systems, devices or from the system to an authorized user are transmitted securely.
It is strongly recommended that University logs be forwarded to the University-provided centralized logging service and that vendor-hosted solutions use log processing systems.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
For export-controlled data, system administrators must be U.S. persons.
All logs must be forwarded to the University-provided centralized logging service and vendor-hosted solutions must use log processing systems. All exceptions must be approved and documented by the appropriate ISO.
Per the Logging Standard, logs will be retained for a minimum of 12 months.
|
Level 1:
Public Data
No restrictions for viewing.
Administrator access must be granted through a documented approval process that applies the principle of least privilege.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
Access granted to end-users must be made using:
- A standing definition of the end-user community authorized to access the system(s) or,
- a documented approval process.
Access granted to privileged users must be made using a documented approval process that applies the principle of least privilege.
Access must be reviewed at least quarterly for appropriateness.
Access must be revoked as soon as is reasonably possible when employees leave the University or custodial department.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
Administrator and privileged user authorization must include a two-tier process. Typically this process would include an authorization from the employee's supervisor and the data steward (or their delegate).
All privileged users must sign a confidentiality agreement.
Access privileges must be reviewed monthly for appropriateness.
Access must be revoked immediately when employees leave the university or the custodial department.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
|
Level 1:
Public Data
User authentication is not required, however, if it is used, the following requirements must be met:
- A unique ID must be assigned for each user and administrator.
- All authentication activities must be performed over secure channels.
- Must comply with the Password Standard.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
Authentication is required.
Authentication activities performed by UM-hosted systems/applications must be integrated with an approved centrally managed authentication service (e.g., Active Directory.)
The ISO must be consulted on authentication activities performed by vendor-hosted systems/applications to determine if integration with an approved centrally managed authentication service (e.g., Active Directory) is necessary.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
|
Level 1:
Public Data
At a minimum, systems must be behind a shared enterprise firewall.
Firewall configuration must initially be implemented with a "default deny" policy and only allow access to the necessary services.
Perimeter IPS or IDS is required.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
Systems must be isolated from other systems through the use of a dedicated hardware-based firewall or a virtual firewall.
Inbound Internet access will not be allowed except through an approved exception.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
|
Level 1:
Public Data
All administrator tasks must be performed through secure means.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
Data and system administrators should consider the use of VPN or similar technology for end-user access.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
End-user access must be through the use of VPN or similar technology.
Administrator access must be conducted using a separate VPN pool (or other technology) specifically for and limited to the system being administered.
Third party access (i.e., vendor support) must be conducted using supervised, just-in-time methods such as a WebEx session. Access must be limited to the duration of an incident or support request and may not persist outside of the active issue remediation.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
Remote access to export controlled data is not permitted.
|
Level 1:
Public Data
All databases must have a designated data steward, database administrator, and system administrator. The data steward must be different than the system administrator.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
All DCL3 databases must be registered with the central IT department at each university business unit.
Databases must be segregated from front-end systems (e.g., web and application servers).
All databases must have a designated data steward, database administrator, and system administrator. These roles cannot be fulfilled by the same individual.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
When technically feasible, as determined by consultation with the appropriate ISO, data at rest must be encrypted.
|
Level 1:
Public Data
Servers must be housed in a secure room with access available to a limited number of individuals.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
Servers must be housed in a data center managed by the central IT department at each university business unit.
|
Level 4: Highly Restricted Data
Must comply with all DCL1, DCL2 and DCL3 requirements.
Only U.S. persons may have physical access to any system, machine, or server storing export-controlled data. Physical security requirements must prevent the physical removal of a machine or the data it stores.
|
Level 1:
Public Data
Security assessment is not required.
|
Level 2:
Sensitive Data
Security assessment performed upon request of the system or application owner.
|
Level 3:
Restricted Data
Security assessment may be required before any new system goes into production.
Periodic re-assessment of systems and applications (i.e., web applications) security may be required.
|
Level 4: Highly Restricted Data
Security assessment is required before any new system goes into production.
Periodic re-assessment of systems and applications (i.e., web applications) security is required.
|
System vulnerability scans must be conducted in accordance with the requirements of the Enterprise Vulnerability Scanning (EVS) standard. |
Business continuity testing and validation must be performed in accordance with the System Business Continuity Classification (SBCC) regardless of DCL. |
Level 1:
Public Data
No requirements.
|
Level 2:
Sensitive Data
DCL3/DCL4 standard should be applied whenever possible.
|
Level 3:
Restricted Data
Must comply with the Transmission/Transfer of DCL3 and DCL4 Data Standard.
|
Level 4: Highly Restricted Data
Must comply with DCL3 requirements.
|
Level 1:
Public Data
All systems that are surplused or otherwise disposed of must follow University surplus property and data disposal policies.
Format hard drive.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
Utilize software that writes over all sectors of the hard drive.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements or ensure hard drives are completely destroyed.
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
|
Level 1:
Public Data
IT professionals must be trained on the technologies and security methods specific to the environment(s) they manage.
|
Level 2:
Sensitive Data
Must comply with DCL1 requirements.
|
Level 3:
Restricted Data
Must comply with DCL1 and DCL2 requirements.
Annual information security awareness training is required for privileged users, data stewards and administrators (system, database and application).
|
Level 4: Highly Restricted Data
Must comply with DCL1, DCL2 and DCL3 requirements.
|