IT Data Classification Standards (Deprecated)

NOTE: This standard is deprecated and is not the most recent standard. Please refer to the other standards listed at Data Security and Records.

This document addresses the minimum standards required under each data categorization in order to ensure the confidentiality, integrity, and availability of university data and technology resources.

Data Classification

The APM (30.11 - Data Classification and Standards) defines the characteristics of each classification of data (high, moderate and low risk).

Scope

These Standards are the minimum baseline for all university faculty, staff, students, and affiliates who are accessing, storing, and processing U of I data or using U of I technology resources at the Low, Moderate, or High risk levels.

Download a PDF copy of the Standards by Data Classification table below.

* Data classified as Moderate or High Risk must also comply with any lower risk classification standards

Access Control
Low Risk Require authentication (or verify identity) to access non-public information and limit information access to authorized users and processes.
Moderate Risk* Use separate privileged accounts for administrative or security access, and audit the use of privileged access.
High Risk*
  • Require ITS-approved and centrally logged authentication for access to data.
  • Store data only on the ITS shared drive or ITS-approved locations.
Access Locks
Low Risk Limit unsuccessful logon attempts by locking accounts after 20 unsuccessful attempts in 10 minutes.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Access Timeout
Low Risk No special consideration
Moderate Risk* Lock workstation or session after 15 minutes of inactivity. Automatically terminate session when appropriate.
High Risk* Lock workstation or session after 5 minutes of inactivity. Automatically terminate session when appropriate.
Antivirus
Low Risk All systems capable of running antivirus software must have it installed and running with up-to-date definitions and periodic scans.
Moderate Risk* No additional considerations
High Risk* Installed antivirus must be managed or approved by the ITS Security Office (Sophos).
Audit
Low Risk Log system access to enable analysis, investigation, and reporting of unlawful or unauthorized activity, and ensure individual users can be uniquely identified.
Moderate Risk* No additional considerations
High Risk* Ensure logs for data and systems access are centrally logged for at least 1 year. All systems should be time synchronized to assure accuracy. Logs must be protected from unauthorized access or modification, with access changes limited to a subset of privileged users.
Configuration Management
Low Risk No special consideration
Moderate Risk*
  • Establish baseline configuration and hardware and software inventory through ITS configuration management. Baseline configuration must establish and enforce security settings. Inventory, control, and monitor user software.
  • Establish least functionality, by disabling unneeded access, services, or functionality. Restrict local admin rights on workstations.
High Risk* No additional considerations
Domain Name Service (DNS)
Low Risk All systems must use ITS-approved Domain Name System (DNS) servers.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Encryption
Low Risk No special consideration
Moderate Risk* All authentication must happen over encrypted transport mechanisms.
High Risk* All data must be encrypted in transport, and at rest. Endpoint or mobile devices must be encrypted with ITS-managed encryption.
Firewall
Low Risk All systems capable of running a host-based firewall must have it turned on and configured consistent with the principles of least privilege.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Identification and Authentication
Low Risk Identify users, user processes, or devices accessing data or systems. Require authentication before system or data modification.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Incident Response
Low Risk Report all suspected technology security incidents to the ITS Security Office and cooperate with assigned investigators. All reports will be categorized, tracked, and reported per the Technology Security Incident Response Plan.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Inventory
Low Risk All networked devices, except on designated and restricted guest networks, must be registered in the ITS Network Management System.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Logon Banner
Low Risk Where possible, provide an approved system use notification at every logon to university controlled systems.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Maintenance
Low Risk No special consideration
Moderate Risk* Limit maintenance on information systems to authorized personnel. Sanitize media of university data before any off-site maintenance is performed.
High Risk* No additional considerations
Media Protection
Low Risk No special consideration
Moderate Risk* Protect paper and digital media from physical access except by authorized users.
High Risk* No additional considerations
Media Sanitization
Low Risk Sanitize or destroy by an approved method (DBAN or similar) any media with university data before the media is disposed of or reused.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Multifactor Authentication
Low Risk Target for 2017
Moderate Risk* Target for 2017
High Risk* Target for 2017
Patching
Low Risk Only run operating systems which are currently supported and patched. Apply security patches to address flaws in systems and applications automatically, or within 10 days. Alternatively, patches may be applied in a timeframe approved through a risk-based vulnerability assessment process approved by the ITS Security Office and all affected data and system owners.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Physical Protection
Low Risk Access to all university data centers must be limited, logged, and monitored, and all visitors must be escorted and logged.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Public Data
Low Risk Information to be published external to the university must be approved by an appropriate authority or process.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Remote Access
Low Risk No special consideration
Moderate Risk* Monitor and control remote workstation access, and limit it to access via ITS-managed VPN.
High Risk* No additional considerations
Removable Media
Low Risk No special consideration
Moderate Risk* No special consideration
High Risk* Removable media or storage devices which may contain university data must be restricted from external use by mandating ITS-managed encryption.
Risk Assessment
Low Risk All devices on the university network are subject to vulnerability scanning and to proactive measures taken (APM 30.14) by the Computer Security Incident Response Team in accordance with assessment of risk.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Security Assessment
Low Risk No special consideration
Moderate Risk* Security controls must be periodically assessed and action plans implemented to address any vulnerabilities and to ensure continued effectiveness.
High Risk* No additional considerations
Security Awareness
Low Risk No special consideration
Moderate Risk* All users shall receive routine security awareness training appropriate for their role.
High Risk* No additional considerations
System and Communication Protection
Low Risk
  • Incoming and outgoing communications must be monitored, controlled, and protected where they enter and leave university controlled systems. Architecture and design shall promote effective information security. This includes email as well as interfaces with external vendors.
  • Publicly accessible systems shall be on separate networks from internal-only systems.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Vendor Security Assessments
Low Risk A Risk Assessment must be completed by the ITS Information Security Office before the University acquires or utilizes external information systems.
Moderate Risk* No additional considerations
High Risk* No additional considerations
Wireless Access
Low Risk No special consideration
Moderate Risk* Limit access to university systems and data to approved wireless networks that use encryption and authentication (AirVandalGold).
High Risk* No additional considerations

