OIT OPERATIONAL PROCEDURE

Transcription

1 OIT OPERATIONAL PROCEDURE Title: DATA CLASSIFICATION GUIDELINES Identification: OIT 1 Page: 1 of 5 Effective Date: 3/31/2014 Signature/Approval: Guidelines and Handling Procedure (9 10 ) specifies that data collected by the College must be assigned to one of the three categories; Restricted, Sensitive and. Data Owners are responsible for classifying the data in appropriate category. Initial Classification of Data The table below lists some of the data elements used by different departments within the college and have classification mandated due to federal or state laws. Data owners can use the table below for initial classification within their area of responsibility. Data Data Owner Justification Social Security Numbers Restricted VP, Student Services FS Student records (non-directory) Restricted VP, Student Services FERPA Credit card cardholder data Restricted VP, Business Services PCI, FS Driver License Number Restricted VP, Student Services FS Race/Gender Restricted VP, Student Services Individually Identifiable Information Restricted VP, Student Services FS Disability Information Restricted VP, Student Services HIPAA Patient Billing Records Restricted VP Academic Affairs HIPAA Patient Medical Records Restricted VP, Academic Affairs HIPAA Employee Information Sensitive Executive Director, HR Employee Privacy College Directory College Policies and Procedures Course Catalog Websites

2 Identification: OIT 1 Page: 2 of 5 Effective Date: 3/31/2014 Data Handling Requirements All users are responsible for following the controls based on classification of the data. The table below lists the controls for the data based on classification of data. Tier 3- Access Controls Viewing - No restriction Modifications - Authorization by Data Owner or designee Viewing and modification - Restricted to authorized individuals as needed for business-related roles; Data Owner or designee grants permission for access, plus approval from supervisor Authentication and authorization for access Viewing and modification - Restricted to authorized individuals as needed for business-related roles; Data Owner or designee grants permission for access, plus approval from supervisor Authentication and authorization for access Confidentiality agreement Copying/Printing No restrictions Data should only be printed when there is a legitimate need Copies must be limited to individuals with a need to know Data should not be left on a printer/fax May be sent via Campus Mail Data should only be printed when there is a legitimate need Copies must be limited to individuals authorized to access the data and have signed a confidentiality agreement Data should not be left on a printer/fax Copies must be labeled Confidential ; must be sent via Confidential envelope

3 Identification: OIT 1 Page: 3 of 5 Effective Date: 3/31/2014 Tier 3- Network Security May reside on a public network; Protection with a firewall Protection only with router ACLs acceptable Protection with a network firewall Protection with router ACLs acceptable Servers hosting the data should not be visible to entire Internet, nor to unprotected subnets like guest wireless networks May be in a shared network server subnet with a common firewall ruleset for the set of servers Protection with a network firewall using "default deny" ruleset Protection with router ACLs Servers hosting the data cannot be visible to the entire Internet, nor to unprotected subnets like guest wireless networks Must have a firewall ruleset dedicated to the system The firewall ruleset should be reviewed periodically System Security Must follow general best practices for system firewall Must follow OS-specific best practices for system firewall. IDS/IPS Must follow OS-specific best practices for system firewall ; Hostbased software IDS/IPS Virtual Environments Should not share the same virtual host environment with guest virtual servers of other security classifications Cannot share the same virtual host environment with guest virtual servers of other security classifications

4 Identification: OIT 1 Page: 4 of 5 Effective Date: 3/31/2014 Tier 3- Physical Security Hosted in a secure location ; a Secure Data Center is Hosted in a Secure Data Center Physical access must be monitored, logged, and limited to authorized individuals 24x7 Remote Access to systems hosting the data No restrictions Access restricted to local network or VPN Remote access by third party for technical support limited to authenticated, Temporary access via secure protocols over the Internet Restricted to local network or secure VPN group Unsupervised remote access by third party for technical support not allowed Two-factor authentication Data Storage Storage in a secure Data Center Storage in a secure Data Center Should not store on an individual's workstation or a mobile device Storage in Secure Data Center Should not store on an individual workstation or mobile device (e.g., a laptop computer); if stored on a workstation or mobile device, must use whole-disk encryption Encryption on backup media Paper/hard copy: do not leave where others may see it otherwise, it must be stored in a secure location

5 Identification: OIT 1 Page: 5 of 5 Effective Date: 3/31/2014 Tier 3- Transmission No restrictions No requirements Encryption (for example, via SSL or secure file transfer protocols) Cannot transmit via unless encrypted and secured with a digital signature Backup/Disaster Recovery Backups ; daily backups Daily backups Off-site storage Daily backups Off-site storage in a secure location Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.) No restrictions Recycle Reports. Wipe/erase media Shred reports Destruction of electronic media Training Data security training Data security training Applicable policy and regulation training Auditing Not needed Logins Logins, access and changes Mobile Devices. Encryption