Systems & Applications

Requirements

The following are the minimum security requirements that must be followed for each DCL. These requirements also apply to 3rd party provided or hosted applications and systems.

Systems

All electronically stored data residing within server-based systems must be evaluated and assigned the appropriate DCL. Each system must be managed according to the standards required for the highest data classification level of all the information residing on that system. The system may be managed at a higher level if deemed necessary due to the value or criticality of the information asset. For servers utilizing a database, the data residing in the database must be considered as part of the overall system for classification purposes.

Applications

Applications, whether provided by a vendor or developed internally, must meet the application security requirements established for each DCL. Many of these standards can be found at the Open Web Application Security Project (OWASP).

These standards do not cover office productivity software, such as Microsoft Office, or other software packages installed for use only on individual workstations.

Click to expand all categories.

UM Data Classification System
Systems & Applications
Systems Management
Level 1: Public Data Systems must be managed according to manufacturer and/or industry best practices. Systems must be managed by an IT-approved and titled system administrator. All systems must be registered with the central IT department at each University business unit. All administrator tasks must be performed through secure means. Host-based firewalls must be enabled. Non-critical OS patches must be applied within 60 days. Critical patches must be applied within 30 days. Anti-virus protection must be installed and kept current with daily definition updates. All exceptions must be approved and documented by the appropriate campus security team. Systems must have logging enabled. Logs (e.g., authentication, application, database and system) should be retained for no more than 12 months. Products that no longer receive security updates from the vendor are not authorized for use on UM networks.	Level 2: Sensitive Data Must comply with DCL1 requirements. End-user access must be authenticated.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements. Original/primary locations of data at this level must be maintained on a server-class machine even if access to such information is intended for a single person. Databases must be segregated from front-end systems (e.g., web and application servers). Systems must ensure that data flows between systems, devices or from the system to an authorized user are transmitted securely. Must comply with University change management procedures. System changes should be evaluated prior to being applied in a production environment whenever possible.	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements. For export-controlled data, system administrators must be U.S. persons. All logs must be forwarded to the University-provided centralized logging service and vendor-hosted solutions must use log processing systems. All exceptions must be approved and documented by the appropriate ISO. Per the Logging Standard, logs will be retained for a minimum of 12 months.
Granting & Revoking Access
Level 1: Public Data No restrictions for viewing. Administrator access must be granted through a documented approval process that applies the principle of least privilege.	Level 2: Sensitive Data Must comply with DCL1 requirements. Access granted to end-users must be made using: A standing definition of the end-user community authorized to access the system(s) or, a documented approval process. Access granted to privileged users must be made using a documented approval process that applies the principle of least privilege. Access must be reviewed at least quarterly for appropriateness. Access must be revoked as soon as is reasonably possible when employees leave the University or custodial department.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements. Administrator and privileged user authorization must include a two-tier process. Typically this process would include an authorization from the employee's supervisor and the data steward (or their delegate). All privileged users must sign a confidentiality agreement. Access privileges must be reviewed monthly for appropriateness. Access must be revoked immediately when employees leave the university or the custodial department.	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements.
Authentication
Level 1: Public Data User authentication is not required, however, if it is used, the following requirements must be met: A unique ID must be assigned for each user and administrator. All authentication activities must be performed over secure channels. Must comply with the Password Standard.	Level 2: Sensitive Data Must comply with DCL1 requirements. Authentication is required. Authentication activities performed by UM-hosted systems/applications must be integrated with an approved centrally managed authentication service (e.g., Active Directory.) The ISO must be consulted on authentication activities performed by vendor-hosted systems/applications to determine if integration with an approved centrally managed authentication service (e.g., Active Directory) is necessary.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements.	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements.
Network Security
Level 1: Public Data At a minimum, systems must be behind a shared enterprise firewall. Firewall configuration must initially be implemented with a "default deny" policy and only allow access to the necessary services. Perimeter IPS or IDS is required.	Level 2: Sensitive Data Must comply with DCL1 requirements.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements. Systems must be isolated from other systems through the use of a dedicated hardware-based firewall or a virtual firewall. Inbound Internet access will not be allowed except through an approved exception.	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements.
Remote Access Security
Level 1: Public Data All administrator tasks must be performed through secure means. System administrators must use a unique administrator account for login.	Level 2: Sensitive Data Must comply with DCL1 requirements. Data and system administrators should consider the use of VPN or similar technology for end-user access.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements. End-user access must be through the use of VPN or similar technology. Administrator access must be conducted using a separate VPN pool (or other technology) specifically for and limited to the system being administered. Third party access (i.e., vendor support) must be conducted using supervised, just-in-time methods such as a WebEx session. Access must be limited to the duration of an incident or support request and may not persist outside of the active issue remediation.	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements. Remote access to export controlled data is not permitted.
Database
Level 1: Public Data All databases must have a designated data steward, database administrator, and system administrator. The data steward must be different than the system administrator.	Level 2: Sensitive Data Must comply with DCL1 requirements.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements. All DCL3 databases must be registered with the central IT department at each university business unit. Databases must be segregated from front-end systems (e.g., web and application servers). All databases must have a designated data steward, database administrator, and system administrator. These roles cannot be fulfilled by the same individual.	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements. When technically feasible, as determined by consultation with the appropriate ISO, data at rest must be encrypted.
Backups
Level 1: Public Data No requirements	Level 2: Sensitive Data DCL3/DCL4 standard should be applied whenever possible.	Level 3: Restricted Data System administrators must establish and follow a procedure to carry out regular system backups.	Level 4: Highly Restricted Data Must comply with all DCL3 requirements.
Physical Security
Level 1: Public Data Servers must be housed in a data center managed by the central IT department at each university business unit. All exceptions must be approved and documented by the appropriate ISO	Level 2: Sensitive Data Must comply with DCL1 requirements.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements.	Level 4: Highly Restricted Data Must comply with all DCL1, DCL2 and DCL3 requirements. Only authorized persons may have physical access to any system, machine, or server storing University-owned intellectual property or export-controlled data. Physical security requirements must prevent the physical removal of a machine or the data it stores.
System & Application Assessments
Level 1: Public Data Security assessment is not required.	Level 2: Sensitive Data Security assessment performed upon request of the system or application owner.	Level 3: Restricted Data Security assessment may be required before any new system goes into production. Periodic re-assessment of systems and applications (i.e., web applications) security may be required.	Level 4: Highly Restricted Data Security assessment is required before any new system goes into production. Periodic re-assessment of systems and applications (i.e., web applications) security is required.
System vulnerability scans must be conducted in accordance with the requirements of the Enterprise Vulnerability Scanning (EVS) standard.
Business Continuity
Business continuity testing and validation must be performed in accordance with the System Business Continuity Classification (SBCC) regardless of DCL.
Transmission of Data
Level 1: Public Data No requirements.	Level 2: Sensitive Data DCL3/DCL4 standard should be applied whenever possible.	Level 3: Restricted Data Must comply with the Transmission/Transfer of DCL3 and DCL4 Data Standard.	Level 4: Highly Restricted Data Must comply with DCL3 requirements.
Data Disposal
Level 1: Public Data All systems that are surplused or otherwise disposed of must follow University surplus property and data disposal policies. Format hard drive.	Level 2: Sensitive Data Must comply with DCL1 requirements. Utilize software that writes over all sectors of the hard drive.	Level 3: Restricted Data Must comply with DCL1 requirements. Must ensure hard drives are completely destroyed.	Level 4: Highly Restricted Data Must comply with DCL3 requirements.
Training
Level 1: Public Data IT professionals must be trained on the technologies and security methods specific to the environment(s) they manage.	Level 2: Sensitive Data Must comply with DCL1 requirements.	Level 3: Restricted Data Must comply with DCL1 and DCL2 requirements. Annual information security awareness training is required for privileged users, data stewards and administrators (system, database and application).	Level 4: Highly Restricted Data Must comply with DCL1, DCL2 and DCL3 requirements.

UM Data Classification System

Systems Management

Level 1:
Public Data

Systems must be managed according to manufacturer and/or industry best practices.

Systems must be managed by an IT-approved and titled system administrator.

All systems must be registered with the central IT department at each University business unit.

All administrator tasks must be performed through secure means.

Host-based firewalls must be enabled.

Non-critical OS patches must be applied within 60 days. Critical patches must be applied within 30 days.

Anti-virus protection must be installed and kept current with daily definition updates. All exceptions must be approved and documented by the appropriate campus security team.

Systems must have logging enabled. Logs (e.g., authentication, application, database and system) should be retained for no more than 12 months.

Products that no longer receive security updates from the vendor are not authorized for use on UM networks.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

End-user access must be authenticated.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

Original/primary locations of data at this level must be maintained on a server-class machine even if access to such information is intended for a single person.

Databases must be segregated from front-end systems (e.g., web and application servers).

Systems must ensure that data flows between systems, devices or from the system to an authorized user are transmitted securely.

Must comply with University change management procedures. System changes should be evaluated prior to being applied in a production environment whenever possible.

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

For export-controlled data, system administrators must be U.S. persons.

All logs must be forwarded to the University-provided centralized logging service and vendor-hosted solutions must use log processing systems. All exceptions must be approved and documented by the appropriate ISO.

Per the Logging Standard, logs will be retained for a minimum of 12 months.

Granting & Revoking Access

Level 1:
Public Data

No restrictions for viewing.

Administrator access must be granted through a documented approval process that applies the principle of least privilege.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Access granted to end-users must be made using:

A standing definition of the end-user community authorized to access the system(s) or,
a documented approval process.

Access granted to privileged users must be made using a documented approval process that applies the principle of least privilege.

Access must be reviewed at least quarterly for appropriateness.

Access must be revoked as soon as is reasonably possible when employees leave the University or custodial department.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

Administrator and privileged user authorization must include a two-tier process. Typically this process would include an authorization from the employee's supervisor and the data steward (or their delegate).

All privileged users must sign a confidentiality agreement.

Access privileges must be reviewed monthly for appropriateness.

Access must be revoked immediately when employees leave the university or the custodial department.

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

Authentication

Level 1:
Public Data

User authentication is not required, however, if it is used, the following requirements must be met:

A unique ID must be assigned for each user and administrator.
All authentication activities must be performed over secure channels.
Must comply with the Password Standard.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Authentication is required.

Authentication activities performed by UM-hosted systems/applications must be integrated with an approved centrally managed authentication service (e.g., Active Directory.)

The ISO must be consulted on authentication activities performed by vendor-hosted systems/applications to determine if integration with an approved centrally managed authentication service (e.g., Active Directory) is necessary.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

Network Security

Level 1:
Public Data

At a minimum, systems must be behind a shared enterprise firewall.

Firewall configuration must initially be implemented with a "default deny" policy and only allow access to the necessary services.

Perimeter IPS or IDS is required.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

Systems must be isolated from other systems through the use of a dedicated hardware-based firewall or a virtual firewall.

Inbound Internet access will not be allowed except through an approved exception.

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

Remote Access Security

Level 1:
Public Data

All administrator tasks must be performed through secure means.

System administrators must use a unique administrator account for login.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Data and system administrators should consider the use of VPN or similar technology for end-user access.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

End-user access must be through the use of VPN or similar technology.

Administrator access must be conducted using a separate VPN pool (or other technology) specifically for and limited to the system being administered.

Third party access (i.e., vendor support) must be conducted using supervised, just-in-time methods such as a WebEx session. Access must be limited to the duration of an incident or support request and may not persist outside of the active issue remediation.

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

Remote access to export controlled data is not permitted.

Database

Level 1:
Public Data

All databases must have a designated data steward, database administrator, and system administrator. The data steward must be different than the system administrator.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

All DCL3 databases must be registered with the central IT department at each university business unit.

Databases must be segregated from front-end systems (e.g., web and application servers).

All databases must have a designated data steward, database administrator, and system administrator. These roles cannot be fulfilled by the same individual.

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

When technically feasible, as determined by consultation with the appropriate ISO, data at rest must be encrypted.

Backups

Level 1:
Public Data

No requirements

Level 2:
Sensitive Data

DCL3/DCL4 standard should be applied whenever possible.

Level 3:
Restricted Data

System administrators must establish and follow a procedure to carry out regular system backups.

Level 4: Highly Restricted Data

Must comply with all DCL3 requirements.

Physical Security

Level 1:
Public Data

Servers must be housed in a data center managed by the central IT department at each university business unit. All exceptions must be approved and documented by the appropriate ISO

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

Level 4: Highly Restricted Data

Must comply with all DCL1, DCL2 and DCL3 requirements.

Only authorized persons may have physical access to any system, machine, or server storing University-owned intellectual property or export-controlled data. Physical security requirements must prevent the physical removal of a machine or the data it stores.

System & Application Assessments

Level 1:
Public Data

Security assessment is not required.

Level 2:
Sensitive Data

Security assessment performed upon request of the system or application owner.

Level 3:
Restricted Data

Security assessment may be required before any new system goes into production.

Periodic re-assessment of systems and applications (i.e., web applications) security may be required.

Level 4: Highly Restricted Data

Security assessment is required before any new system goes into production.

Periodic re-assessment of systems and applications (i.e., web applications) security is required.

System vulnerability scans must be conducted in accordance with the requirements of the Enterprise Vulnerability Scanning (EVS) standard.

Business Continuity

Business continuity testing and validation must be performed in accordance with the System Business Continuity Classification (SBCC) regardless of DCL.

Transmission of Data

Level 1:
Public Data

No requirements.

Level 2:
Sensitive Data

DCL3/DCL4 standard should be applied whenever possible.

Level 3:
Restricted Data

Must comply with the Transmission/Transfer of DCL3 and DCL4 Data Standard.

Level 4: Highly Restricted Data

Must comply with DCL3 requirements.

Data Disposal

Level 1:
Public Data

All systems that are surplused or otherwise disposed of must follow University surplus property and data disposal policies.

Format hard drive.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Utilize software that writes over all sectors of the hard drive.

Level 3:
Restricted Data

Must comply with DCL1 requirements.

Must ensure hard drives are completely destroyed.

Level 4: Highly Restricted Data

Must comply with DCL3 requirements.

Training

Level 1:
Public Data

IT professionals must be trained on the technologies and security methods specific to the environment(s) they manage.

Level 2:
Sensitive Data

Must comply with DCL1 requirements.

Level 3:
Restricted Data

Must comply with DCL1 and DCL2 requirements.

Annual information security awareness training is required for privileged users, data stewards and administrators (system, database and application).

Level 4: Highly Restricted Data

Must comply with DCL1, DCL2 and DCL3 requirements.

Reviewed 2025-05-05

Tools

Systems & Applications

Requirements

Systems

Applications

UM Data Classification System

Systems & Applications

Sections