Standards: Data Classifications
This document addresses the minimum standards required under data categorization and ensure the confidentiality, integrity, and availability of university data and technology resources. If at any time you are having troubles viewing the information on this page you can download a PDF copy below.
ITS Security Standards APM 30.11 - August 2016
These Standards are the minimum baseline for all university faculty, staff, students, and affiliates who are accessing, storing, and processing UI data or using UI technology resources at the Low, Moderate, or High risk levels.
Effective date: August 20, 2016.
|Access Control||Use separate privileged accounts for administrative or security access, and audit the use of privileged access.
||Require authentication (or verify identity) to access non-public information and limit information access to authorized users and processes.
||Require ITS-approved and centrally logged authentication for access to data.
||Store data only on the ITS shared drive or ITS-approved locations.
||Limit unsuccessful logon attempts by locking accounts after 20 unsuccessful attempts in 10 minutes.
|Access Timeout||Lock workstation or session after 5 minutes of inactivity. Automatically terminate session when appropriate.
|Access Timeout||Lock workstation or session after 15 minutes of inactivity. Automatically terminate session when appropriate.
|Antivirus||All systems capable of running Antivirus must install and run with up-to-date definitions and periodic scans.||X||X
|Antivirus||Installed antivirus must be managed or approved by the ITS Security Office (Sophos).||X||3.14.6|
|Audit||Log system access to enable analysis, investigation, and reporting of unlawful or unauthorized activity, and ensure individual users can be uniquely identified.
|Audit||Ensure logs for data and systems access is centrally logged for at least 1 year. All systems should be time synchronized to assure accuracy. Logs must be protected from unauthorized access or modification, and access changes limited to a subset of privileged users.||X||3.3.7,3.3.9
|Configuration Management||Establish baseline configuration and hardware and software inventory through ITS configuration management. Baseline configuration must establish and enforce security settings. Inventory, control, and monitor user software.||X||X
||Establish least functionality, by disabling unneeded access, services, or functionality. Restrict local admin rights on workstations.
|DNS||All systems must use ITS-approved Domain Name System (DNS) servers.||X||X
|Encryption||All data must be encrypted in transport, and at rest. Endpoint or mobile devices must be encrypted with ITS-managed encryption.||X||3.8.6,3.13.10,
|Encryption||All authentication must happen over encrypted transport mechanisms.||X
|Firewall||All systems capable of running a host-based firewall, must have it turned on and configured consistent with the principles of least privilege.||X||X
|Identification and Authentication||Identify users, user processes, or devices accessing data or systems. Require authentication before system or data modification.||X||X
|Incident Response||Report all suspected technology security incidents to the ITS Security Office and cooperate with assigned investigators. All reports will be categorized, tracked, and reported per the Technology Security Incident Response Plan.||X||X
|Inventory||All networked devices, except on designated and restricted guest networks, must be registered in the ITS Network Management System.||X
|Logon Banner||Where possible, provide an approved system use notification at every logon to university controlled systems.||X||X
|Maintenance||Limit maintenance on information systems to authorized personnel. Sanitize media of university data before any off-site maintenance is performed.||X||X||3.7.1,3.7.2|
|Media Protection||Protect paper and digital media from physical access except by authorized users.||X||X
|Media Sanitization||Sanitize or destroy by an approved method (DBAN or similar) any media with university data, before media is disposed or reused.|| X
|Multifactor Authentication||Use multi-factor authentication for local and network access to privileged accounts, and network access to non-privileged accounts.||Target for 2017||3.5.3|
|Patching||Only run operating systems which are currently supported and patched. Apply security patches to address flaws in systems and applications automatically, or within 10 days. Alternatively, patches may be applied in a timeframe approved through a risk-based vulnerability assessment process approved by the ITS Security Office and all affected data and system owners.||X||X||X||3.14.1|
|Physical Protection||All university data centers must be limited in access, that access be logged and monitored, and all visitors escorted and logged.||X||X
|Public Data||Information to be published external to the university must be approved by an appropriate authority or process.||X||X||X
|Remote Access||Monitor and control remote workstation access, and limit to access via ITS-managed VPN.||X||X||3.1.12,3.1.14,
|Removable Media||Removable media or storage devices which may contain university data must be restricted from external use by mandating ITS-managed encryption.||X||3.1.21,3.8.6|
|Risk Assessment||All devices on the university network are subject to vulnerability scanning, and proactive measures taken (APM 30.14) by the Computer Security Incident Response Team in accordance with assessment of risk.||X||X||X||3.11.2,3.11.3
|Security Assessment||Security controls must be periodically assessed and action plans implemented to address any vulnerabilities and to ensure continued effectiveness.||X||X||3.12.1,2,3
|Security Awareness||All users shall receive routine security awareness training appropriate for their role.||X||X||3.2.1,2,3|
|System and Communication Protection
||Incoming and outgoing communications must be monitored, controlled, and protected where it enters and leaves university controlled systems. Architecture and design shall promote effective information security. This includes email as well as interfaces with external vendors.||X||X||X||3.13.1,3.13.2|
|System and Communication Protection||Publicly accessible systems shall be on separate networks from internal-only systems.||X||X||X||3.13.5|
|Vendor Security Assessments
||A Risk Assessment must be completed by the ITS Information Security Office before the University acquires or utilizes external information systems.||X||X||X||NFO SA-9|
||Limit access to university systems and data to approved wireless network that use encryption and authentication (AirVandalGold).||X||X||3.1.17|
|Data at Rest||For the terms of this standard, "at rest" data will be considered to be data outside of the ITS-managed or approved data centers.|
|Privileged Access||Authorized access to perform security-relevant functions that ordinary users are not allowed to perform.|
|Remote Access||Access to an information system communicating through an external network (Internet).|
|Local Access||Access to an information system directly and not through a network.|
|Multifactor Authentication||Two or more factors to achieve authentication, including something you know (password); something you have (cryptographic device, hardware or software token); or something you are (biometric).|
|Security Functions||Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data.|
*For further glossary clarification, refer to NIST SP800-171.
UI Information Technology Services (ITS) is responsible for the content and management of these standards.