IT Data Classification Standards (Deprecated)
NOTE: This standard is deprecated and is not the most recent standard. Please refer to the other standards listed at Data Security and Records.
This document addresses the minimum standards required under each data categorization in order to ensure the confidentiality, integrity, and availability of university data and technology resources.
Data Classification
The APM (30.11 - Data Classification and Standards) defines the characteristics of each classification of data (high, moderate and low risk).
Scope
These Standards are the minimum baseline for all university faculty, staff, students, and affiliates who are accessing, storing, and processing U of I data or using U of I technology resources at the Low, Moderate, or High risk levels.
Download a PDF copy of the Standards by Data Classification table below.
* Data classified as Moderate or High Risk must also comply with any lower risk classification standards
| Access Control | |
|---|---|
| Low Risk | Require authentication (or verify identity) to access non-public information and limit information access to authorized users and processes. |
| Moderate Risk* | Use separate privileged accounts for administrative or security access, and audit the use of privileged access. |
| High Risk* |
|
| Access Locks | |
| Low Risk | Limit unsuccessful logon attempts by locking accounts after 20 unsuccessful attempts in 10 minutes. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Access Timeout | |
| Low Risk | No special consideration |
| Moderate Risk* | Lock workstation or session after 15 minutes of inactivity. Automatically terminate session when appropriate. |
| High Risk* | Lock workstation or session after 5 minutes of inactivity. Automatically terminate session when appropriate. |
| Antivirus | |
| Low Risk | All systems capable of running Antivirus must install and run with up-to-date definitions and periodic scans. |
| Moderate Risk* | No additional considerations |
| High Risk* | Installed antivirus must be managed or approved by the ITS Security Office (Sophos). |
| Audit | |
| Low Risk | Log system access to enable analysis, investigation, and reporting of unlawful or unauthorized activity, and ensure individual users can be uniquely identified. |
| Moderate Risk* | No additional considerations |
| High Risk* | Ensure logs for data and systems access is centrally logged for at least 1 year. All systems should be time synchronized to assure accuracy. Logs must be protected from unauthorized access or modification, and access changes limited to a subset of privileged users. |
| Configuration Management | |
| Low Risk | No special consideration |
| Moderate Risk* |
|
| High Risk* | No additional considerations |
| Domain Name Service (DNS) | |
| Low Risk | All systems must use ITS-approved Domain Name System (DNS) servers. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Encryption | |
| Low Risk | No special consideration |
| Moderate Risk* | All authentication must happen over encrypted transport mechanisms. |
| High Risk* | All data must be encrypted in transport, and at rest. Endpoint or mobile devices must be encrypted with ITS-managed encryption. |
| Firewall | |
| Low Risk | All systems capable of running a host-based firewall, must have it turned on and configured consistent with the principles of least privilege. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Identification and Authentication | |
| Low Risk | Identify users, user processes, or devices accessing data or systems. Require authentication before system or data modification. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Incident Response | |
| Low Risk | Report all suspected technology security incidents to the ITS Security Office and cooperate with assigned investigators. All reports will be categorized, tracked, and reported per the Technology Security Incident Response Plan. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Inventory | |
| Low Risk | All networked devices, except on designated and restricted guest networks, must be registered in the ITS Network Management System. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Logon Banner | |
| Low Risk | Where possible, provide an approved system use notification at every logon to university controlled systems. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Maintenance | |
| Low Risk | No special consideration |
| Moderate Risk* | Limit maintenance on information systems to authorized personnel. Sanitize media of university data before any off-site maintenance is performed. |
| High Risk* | No additional considerations |
| Media Protection | |
| Low Risk | No special consideration |
| Moderate Risk* | Protect paper and digital media from physical access except by authorized users. |
| High Risk* | No additional considerations |
| Media Sanitization | |
| Low Risk | Sanitize or destroy by an approved method (DBAN or similar) any media with university data, before media is disposed or reused. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Multifactor Authentication | |
| Low Risk | Target for 2017 |
| Moderate Risk* | Target for 2017 |
| High Risk* | Target for 2017 |
| Patching | |
| Low Risk | Only run operating systems which are currently supported and patched. Apply security patches to address flaws in systems and applications automatically, or within 10 days. Alternatively, patches may be applied in a timeframe approved through a risk-based vulnerability assessment process approved by the ITS Security Office and all affected data and system owners. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Physical Protection | |
| Low Risk | All university data centers must be limited in access, that access be logged and monitored, and all visitors escorted and logged. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Public Data | |
| Low Risk | Information to be published external to the university must be approved by an appropriate authority or process. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Remote Access | |
| Low Risk | No special consideration |
| Moderate Risk* | Monitor and control remote workstation access, and limit to access via ITS-managed VPN. |
| High Risk* | No additional considerations |
| Removable Media | |
| Low Risk | No special consideration |
| Moderate Risk* | No special consideration |
| High Risk* | Removable media or storage devices which may contain university data must be restricted from external use by mandating ITS-managed encryption. |
| Risk Assessment | |
| Low Risk | All devices on the university network are subject to vulnerability scanning, and proactive measures taken (APM 30.14) by the Computer Security Incident Response Team in accordance with assessment of risk. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Security Assessment | |
| Low Risk | No special consideration |
| Moderate Risk* | Security controls must be periodically assessed and action plans implemented to address any vulnerabilities and to ensure continued effectiveness. |
| High Risk* | No additional considerations |
| Security Awareness | |
| Low Risk | No special consideration |
| Moderate Risk* | All users shall receive routine security awareness training appropriate for their role. |
| High Risk* | No additional considerations |
| System and Communication Protection | |
| Low Risk |
|
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Vendor Security Assessments | |
| Low Risk | A Risk Assessment must be completed by the ITS Information Security Office before the University acquires or utilizes external information systems. |
| Moderate Risk* | No additional considerations |
| High Risk* | No additional considerations |
| Wireless Access | |
| Low Risk | No special consideration |
| Moderate Risk* | Limit access to university systems and data to approved wireless network that use encryption and authentication (AirVandalGold). |
| High Risk* | No additional considerations |
* Data classified as Moderate or High Risk must also comply with any lower risk classification standards