• No results found

OIT OPERATIONAL PROCEDURE

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "OIT OPERATIONAL PROCEDURE"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

Effective Date:

3/31/2014

Signature/Approval:

Data Classification Guidelines

Data Classification and Handling Procedure (9 10 Data Classification) specifies that data collected by the College must be assigned to one of the three categories; Restricted, Sensitive and Public. Data Owners are responsible for classifying the data in appropriate category.

Initial Classification of Data

The table below lists some of the data elements used by different departments within the college and have classification mandated due to federal or state laws. Data owners can use the table below for initial classification within their area of responsibility.

Data Category Data Owner Justification Social Security Numbers Restricted VP, Student Services FS 817.5681

Student records (non-directory) Restricted VP, Student Services FERPA

Credit card cardholder data Restricted VP, Business Services PCI, FS 817.5681

Driver License Number Restricted VP, Student Services FS 817.5681

Race/Gender Restricted VP, Student Services

Individually Identifiable Information Restricted VP, Student Services FS 817.5681

Disability Information Restricted VP, Student Services HIPAA

Patient Billing Records Restricted VP Academic Affairs HIPAA

Patient Medical Records Restricted VP, Academic Affairs HIPAA

Employee Information Sensitive Executive Director, HR Employee Privacy

College Directory Public

College Policies and Procedures Public

Course Catalog Public

(2)

Security Control Category

Tier 3-Public Data Classification

Tier 2-Sensitive

Tier 1-Restricted

Access Controls  Viewing - No restriction

 Modifications -Authorization by Data Owner or designee required

 Viewing and modification - Restricted to authorized individuals as needed for business-related roles; Data Owner or designee grants permission for access, plus approval from supervisor

 Authentication and authorization required for access

Viewing and modification - Restricted to authorized individuals as needed for business-related roles; Data Owner or designee grants permission for access, plus approval from supervisor

Authentication and authorization required for access

Confidentiality agreement required

Copying/Printing  No restrictions  Data should only be printed when there is a legitimate need

 Copies must be limited to individuals with a need to know

 Data should not be left unattended on a printer/fax

 May be sent via Campus Mail

 Data should only be printed when there is a legitimate need

 Copies must be limited to individuals authorized to access the data and have signed a confidentiality agreement

 Data should not be left unattended on a printer/fax

 Copies must be labeled “Confidential”; must be sent via Confidential envelope

(3)

Security Control Category

Tier 3-Public Data Classification

Tier 2-Sensitive

Tier 1-Restricted

Network Security  May reside on a public network; Protection with a firewall recommended

 Protection only with router ACLs acceptable

 Protection with a network firewall required

 Protection with router ACLs acceptable

 Servers hosting the data should not be visible to entire Internet, nor to unprotected subnets like guest wireless networks

 May be in a shared network server subnet with a common firewall ruleset for the set of servers

 Protection with a network firewall using "default deny" ruleset required

 Protection with router ACLs required

 Servers hosting the data cannot be visible to the entire Internet, nor to unprotected subnets like guest wireless networks

 Must have a firewall ruleset dedicated to the system

 The firewall ruleset should be reviewed periodically

System Security  Must follow general best practices for system management and security

 Host-based software firewall recommended

 Must follow OS-specific best practices for system management and security

 Host-based software firewall required.

 Host-based software IDS/IPS recommended

Must follow OS-specific best practices for system management and security

Host-based software firewall required; Host-based software IDS/IPS recommended

Virtual Environments

 May be hosted in a virtual server environment

 All other security controls apply to both the host and the guest virtual machines

 May be hosted in a virtual server environment

 All other security controls apply to both the host and the guest virtual machines

 Should not share the same virtual host environment with guest virtual servers of other security

classifications

 May be hosted in a virtual server environment

 All other security controls apply to both the host and the guest virtual machines

Cannot share the same virtual host environment with guest virtual servers of other security

(4)

Physical Security  System must be locked or logged out when

unattended

 System must be locked or logged out when

unattended

 Hosted in a secure location required; a Secure Data Center is recommended

 System must be locked or logged out when

unattended

 Hosted in a Secure Data Center required

 Physical access must be monitored, logged, and limited to authorized individuals 24x7

Remote Access to systems hosting

the data

 No restrictions  Access restricted to local network or VPN

 Remote access by third party for technical support limited to authenticated, Temporary access via secure protocols over the Internet

 Restricted to local network or secure VPN group

 Unsupervised remote access by third party for technical support not allowed

Two-factor authentication recommended

Data Storage  Storage on a secure server recommended

 Storage in a secure Data Center recommended

 Storage on a secure server recommended

 Storage in a secure Data Center recommended

 Should not store on an individual's workstation or a mobile device

Storage on a secure server required

 Storage in Secure Data Center required

 Should not store on an individual workstation or mobile device (e.g., a laptop computer); if stored on a workstation or mobile device, must use whole-disk encryption

 Encryption on backup media required

 Paper/hard copy: do not leave unattended where others may see it otherwise, it must be stored in a secure location

(5)

Security Control Category

Tier 3-Public Data Classification

Tier 2-Sensitive

Tier 1-Restricted

Transmission  No restrictions  No requirements  Encryption required (for example, via SSL or secure file transfer protocols)

 Cannot transmit via e-mail unless encrypted and secured with a digital signature

Backup/Disaster Recovery

 Backups required; daily backups recommended

 Daily backups required

 Off-site storage recommended

Daily backups required

Off-site storage in a secure location required

Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.)

 No restrictions  Recycle Reports.

 Wipe/erase media

Shred reports

Destruction of electronic media

Training  General security awareness training recommended

 General security awareness training required

 Data security training required

General security awareness training required

 Data security training required Applicable policy and regulation training required

Auditing  Not needed  Logins Logins, access and changes

Mobile Devices  Password protection recommended

 Locked when not in use recommended

 Password protection required

 Locked when not in use required

Password protection required.

Locked when not in use required

References

Download now ( PDF - 5 Page - 303.08 KB )

Related documents

Biometrics Technology seminar report by Pavan Kumar M.T.

Biometrics is that study of science that deals with personal human behavioral and physiological characteristics and such as fingerprints, handprints,

Rappahannock Community College Organization Chart

VP of Instruction & Student Development FA001 Dean of College Advancement FA009 VP of Finance & Administrative Services FA002 VP of Workforce & Community

Welcome to Information Security Training

Restricted information includes passwords and PINs, Social Security Numbers, credit card and financial account numbers, credit check information, FERPA-protected student

INTRODUCTION TO ATLAS... 3 ATLAS ACCESS LAB LOCATIONS AND HOURS...

Click on the “Student Services” tab at the top of the page Click on the “Student Services” or “Faculty Services” link Click on the “Registration, Records, and Financial

UNM Fact Book

PROVOST, VP FOR ACADEMIC AFFAIRS Brian Foster VP FOR STUDENT AFFAIRS Eliseo Torres VP FOR HEALTH SCIENCES Philip Eaton VP FOR BUSINESS & FINANCE Julie Weaks Gutierrez VP

North Linn Middle School Student/Parent Handbook

The following persons, agencies and organizations may have restricted access to student records without prior written consent of the parent or student over the age of 18 years. Any

Easter Seals Project ACTION - Review

The Accessible Pathways & Livable Communities Pocket Guide was developed with the support of the Federal Transit Administration, the National Complete Streets Coalition, and the

William R. Forstchen - Magic the Gathering - Arena

Garth, ignoring them, turned his back to the Grand Master and looked up to the top of the statue where Tulan stood.. "I came to join the House