UM Data Classification System - Systems & Applications

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

Systems must be managed according to manufacturer and/or industry best practices.

Systems must be managed by an IT-approved and titled system administrator.

All systems must be registered with the central IT department at each University business unit.

All administrator tasks must be performed through secure means.

Host-based firewalls must be enabled.

Non-critical OS patches must be applied within 60 days. Critical patches must be applied within 30 days.

Anti-virus protection must be installed and kept current with daily definition updates. All exceptions must be approved and documented by the appropriate campus security team.

Systems must have logging enabled. Logs (e.g., authentication, application, database and system) should be retained for no more than 12 months.

Products that no longer receive security updates from the vendor are not authorized for use on UM networks.

Must comply with DCL1 requirements.

End-user access must be authenticated.

Must comply with DCL1 and DCL2 requirements.

Original/primary locations of data at this level must be maintained on a server-class machine even if access to such information is intended for a single person.

Databases must be segregated from front-end systems (e.g., web and application servers).

Systems must ensure that data flows between systems, devices or from the system to an authorized user are transmitted securely.

Must comply with University change management procedures. System changes should be evaluated prior to being applied in a production environment whenever possible.

Must comply with DCL1, DCL2 and DCL3 requirements.

For export-controlled data, system administrators must be U.S. persons.

All logs must be forwarded to the University-provided centralized logging service and vendor-hosted solutions must use log processing systems. All exceptions must be approved and documented by the appropriate ISO.

Per the Logging Standard, logs will be retained for a minimum of 12 months.

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

No restrictions for viewing.

Administrator access must be granted through a documented approval process that applies the principle of least privilege.

Must comply with DCL1 requirements.

Access granted to end-users must be made using:

  1. A standing definition of the end-user community authorized to access the system(s) or,
  2. a documented approval process.

Access granted to privileged users must be made using a documented approval process that applies the principle of least privilege.

Access must be reviewed at least quarterly for appropriateness.

Access must be revoked as soon as is reasonably possible when employees leave the University or custodial department.

Must comply with DCL1 and DCL2 requirements.

Administrator and privileged user authorization must include a two-tier process. Typically this process would include an authorization from the employee's supervisor and the data steward (or their delegate).

All privileged users must sign a confidentiality agreement.

Access privileges must be reviewed monthly for appropriateness.

Access must be revoked immediately when employees leave the university or the custodial department.

Must comply with DCL1, DCL2 and DCL3 requirements.

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

User authentication is not required; however, if it is used, the following requirements must be met:

  1. A unique ID must be assigned for each user and administrator.
  2. All authentication activities must be performed over secure channels.
  3. Must comply with the Password Standard.

Must comply with DCL1 requirements.

Authentication is required.

Authentication activities performed by UM-hosted systems/applications must be integrated with an approved centrally managed authentication service (e.g., Active Directory).

The ISO must be consulted on authentication activities performed by vendor-hosted systems/applications to determine if integration with an approved centrally managed authentication service (e.g., Active Directory) is necessary.

Must comply with DCL1 and DCL2 requirements.

Must comply with DCL1, DCL2 and DCL3 requiremen

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

At a minimum, systems must be behind a shared enterprise firewall.

Firewall configuration must initially be implemented with a "default deny" policy and only allow access to the necessary services.

Perimeter IPS or IDS is required.

Must comply with DCL1 requirements.

Must comply with DCL1 and DCL2 requirements.

Systems must be isolated from other systems through the use of a dedicated hardware-based firewall or a virtual firewall.

Inbound Internet access will not be allowed except through an approved exception.

Must comply with DCL1, DCL2 and DCL3 requireme

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

All administrator tasks must be performed through secure means.

System administrators must use a unique administrator account for login.

Must comply with DCL1 requirements.

Data and system administrators should consider the use of VPN or similar technology for end-user access.

Must comply with DCL1 and DCL2 requirements.

End-user access must be through the use of VPN or similar technology.

Administrator access must be conducted using a separate VPN pool (or other technology) specifically for and limited to the system being administered.

Third party access (i.e., vendor support) must be conducted using supervised, just-in-time methods such as a WebEx session. Access must be limited to the duration of an incident or support request and may not persist outside of the active issue remediation.

Must comply with DCL1, DCL2 and DCL3 requirements.

Remote access to export controlled data is not per

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

All databases must have a designated data steward, database administrator, and system administrator. The data steward must be different than the system administrator.

Must comply with DCL1 requirements.

Must comply with DCL1 and DCL2 requirements.

All DCL3 databases must be registered with the central IT department at each university business unit.

Databases must be segregated from front-end systems (e.g., web and application servers).

All databases must have a designated data steward, database administrator, and system administrator. These roles cannot be fulfilled by the same individual.

Must comply with DCL1, DCL2 and DCL3 requirements.

When technically feasible, as determined by consultation with the appropriate ISO, data at rest must be encrypted.

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

No requirements.

DCL3/DCL4 standard should be applied whenever possible.

System administrators must establish and follow a procedure to carry out regular system backups.

Must comply with all DCL3 requirement

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

Servers must be housed in a data center managed by the central IT department at each university business unit. All exceptions must be approved and documented by the appropriate ISO.

Must comply with DCL1 requirements.

Must comply with DCL1 and DCL2 requirements.

Must comply with all DCL1, DCL2 and DCL3 requirements.

Only authorized persons may have physical access to any system, machine, or server storing University-owned intellectual property or export-controlled data. Physical security requirements must prevent the physical removal of a machine or the data it stores.

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

Security assessment is not required.

Security assessment performed upon request of the system or application owner.

Security assessment may be required before any new system goes into production.

Periodic re-assessment of systems and applications (i.e., web applications) security may be required.

Security assessment is required before any new system goes into production.

Periodic re-assessment of systems and applications (i.e., web applications) security is required.

Business continuity testing and validation must be performed in accordance with the System Business Continuity Classification (SBCC) regardless of DCL.

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

No requirements.

DCL3/DCL4 standard should be applied whenever possible.

Must comply with the Transmission/Transfer of DCL3 and DCL4 Data Standard.

Must comply with DCL3 requirements.

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

All systems that are surplused or otherwise disposed of must follow University surplus property and data disposal policies.

Format hard drive.

Must comply with DCL1 requirements.

Utilize software that writes over all sectors of the hard drive.

Must comply with DCL1 requirements.

Must ensure hard drives are completely destroyed.

Must comply with DCL3 requireme

Level 1: Public Data
Level 2: Sensitive Data
Level 3: Restricted Data
Level 4: Highly Restricted Data

IT professionals must be trained on the technologies and security methods specific to the environment(s) they manage.

Must comply with DCL1 requirements.

Must comply with DCL1 and DCL2 requirements.

Annual information security awareness training is required for privileged users, data stewards and administrators (system, database and application).

Must comply with DCL1, DCL2 and DCL3 requirements.