Requirements
The following are the minimum security requirements that must be followed for each DCL. These requirements also apply to third-party provided or hosted applications and systems.
Systems
All electronically stored data residing within server-based systems must be evaluated and assigned the appropriate DCL. Each system must be managed according to the standards required for the highest data classification level of all the information residing on that system. The system may be managed at a higher level if deemed necessary due to the value or criticality of the information asset. For servers utilizing a database, the data residing in the database must be considered as part of the overall system for classification purposes.
Applications
Applications, whether provided by a vendor or developed internally, must meet the application security requirements established for each DCL. Many of these standards can be found at the Open Web Application Security Project (OWASP).
These standards do not cover office productivity software, such as Microsoft Office, or other software packages installed for use only on individual workstations.
UM Data Classification System
Systems & Applications
Systems Management
Level 1: Systems must be managed according to manufacturer and/or industry best practices. Systems must be managed by an IT-approved and titled system administrator. All systems must be registered with the central IT department at each University business unit. All administrator tasks must be performed through secure means. Host-based firewalls must be enabled. Non-critical OS patches must be applied within 60 days. Critical patches must be applied within 30 days. Anti-virus protection must be installed and kept current with daily definition updates. All exceptions must be approved and documented by the appropriate campus security team. Systems must have logging enabled. Logs (e.g., authentication, application, database and system) should be retained for no more than 12 months. Products that no longer receive security updates from the vendor are not authorized for use on UM networks.
Level 2: Must comply with DCL1 requirements. End-user access must be authenticated.
Level 3: Must comply with DCL1 and DCL2 requirements. Original/primary locations of data at this level must be maintained on a server-class machine even if access to such information is intended for a single person. Databases must be segregated from front-end systems (e.g., web and application servers). Systems must ensure that data flows between systems, devices or from the system to an authorized user are transmitted securely. Must comply with University change management procedures. System changes should be evaluated prior to being applied in a production environment whenever possible.
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements. For export-controlled data, system administrators must be U.S. persons. All logs must be forwarded to the University-provided centralized logging service, and vendor-hosted solutions must use log processing systems. All exceptions must be approved and documented by the appropriate ISO. Per the Logging Standard, logs will be retained for a minimum of 12 months.
Granting & Revoking Access
Level 1: No restrictions for viewing. Administrator access must be granted through a documented approval process that applies the principle of least privilege.
Level 2: Must comply with DCL1 requirements. Access granted to end-users must be made using:
Access granted to privileged users must be made using a documented approval process that applies the principle of least privilege. Access must be reviewed at least quarterly for appropriateness. Access must be revoked as soon as is reasonably possible when employees leave the University or custodial department.
Level 3: Must comply with DCL1 and DCL2 requirements. Administrator and privileged user authorization must include a two-tier process. Typically this process would include an authorization from the employee's supervisor and the data steward (or their delegate). All privileged users must sign a confidentiality agreement. Access privileges must be reviewed monthly for appropriateness. Access must be revoked immediately when employees leave the University or the custodial department.
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements.
Authentication
Level 1: User authentication is not required; however, if it is used, the following requirements must be met:
Level 2: Must comply with DCL1 requirements. Authentication is required. Authentication activities performed by UM-hosted systems/applications must be integrated with an approved centrally managed authentication service (e.g., Active Directory). The ISO must be consulted on authentication activities performed by vendor-hosted systems/applications to determine if integration with an approved centrally managed authentication service (e.g., Active Directory) is necessary.
Level 3: Must comply with DCL1 and DCL2 requirements.
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements.
Network Security
Level 1: At a minimum, systems must be behind a shared enterprise firewall. Firewall configuration must initially be implemented with a "default deny" policy and only allow access to the necessary services. Perimeter IPS or IDS is required.
Level 2: Must comply with DCL1 requirements.
Level 3: Must comply with DCL1 and DCL2 requirements. Systems must be isolated from other systems through the use of a dedicated hardware-based firewall or a virtual firewall. Inbound Internet access will not be allowed except through an approved exception.
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements.
Remote Access Security
Level 1: All administrator tasks must be performed through secure means. System administrators must use a unique administrator account for login.
Level 2: Must comply with DCL1 requirements. Data and system administrators should consider the use of VPN or similar technology for end-user access.
Level 3: Must comply with DCL1 and DCL2 requirements. End-user access must be through the use of VPN or similar technology. Administrator access must be conducted using a separate VPN pool (or other technology) specifically for and limited to the system being administered. Third-party access (i.e., vendor support) must be conducted using supervised, just-in-time methods such as a WebEx session. Access must be limited to the duration of an incident or support request and may not persist outside of the active issue remediation.
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements. Remote access to export-controlled data is not permitted.
Database
Level 1: All databases must have a designated data steward, database administrator, and system administrator. The data steward must be different from the system administrator.
Level 2: Must comply with DCL1 requirements.
Level 3: Must comply with DCL1 and DCL2 requirements. All DCL3 databases must be registered with the central IT department at each University business unit. Databases must be segregated from front-end systems (e.g., web and application servers). All databases must have a designated data steward, database administrator, and system administrator. These roles cannot be fulfilled by the same individual.
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements. When technically feasible, as determined by consultation with the appropriate ISO, data at rest must be encrypted.
Backups
Level 1: No requirements.
Level 2: The DCL3/DCL4 standard should be applied whenever possible.
Level 3: System administrators must establish and follow a procedure to carry out regular system backups.
Level 4 (Highly Restricted Data): Must comply with all DCL3 requirements.
Physical Security
Level 1: Servers must be housed in a data center managed by the central IT department at each University business unit. All exceptions must be approved and documented by the appropriate ISO.
Level 2: Must comply with DCL1 requirements.
Level 3: Must comply with DCL1 and DCL2 requirements.
Level 4 (Highly Restricted Data): Must comply with all DCL1, DCL2 and DCL3 requirements. Only authorized persons may have physical access to any system, machine, or server storing University-owned intellectual property or export-controlled data. Physical security requirements must prevent the physical removal of a machine or the data it stores.
System & Application Assessments
Level 1: Security assessment is not required.
Level 2: Security assessment is performed upon request of the system or application owner.
Level 3: Security assessment may be required before any new system goes into production. Periodic re-assessment of system and application (i.e., web application) security may be required.
Level 4 (Highly Restricted Data): Security assessment is required before any new system goes into production. Periodic re-assessment of system and application (i.e., web application) security is required.
All levels: System vulnerability scans must be conducted in accordance with the requirements of the Enterprise Vulnerability Scanning (EVS) standard.
Business Continuity
All levels: Business continuity testing and validation must be performed in accordance with the System Business Continuity Classification (SBCC) regardless of DCL.
Transmission of Data
Level 1: No requirements.
Level 2: The DCL3/DCL4 standard should be applied whenever possible.
Level 3: Must comply with the Transmission/Transfer of DCL3 and DCL4 Data Standard.
Level 4 (Highly Restricted Data): Must comply with DCL3 requirements.
Data Disposal
Level 1: All systems that are surplused or otherwise disposed of must follow University surplus property and data disposal policies. Format the hard drive.
Level 2: Must comply with DCL1 requirements. Utilize software that writes over all sectors of the hard drive.
Level 3: Must comply with DCL1 requirements. Must ensure hard drives are completely destroyed.
Level 4 (Highly Restricted Data): Must comply with DCL3 requirements.
Training
Level 1: IT professionals must be trained on the technologies and security methods specific to the environment(s) they manage.
Level 2: Must comply with DCL1 requirements.
Level 3: Must comply with DCL1 and DCL2 requirements. Annual information security awareness training is required for privileged users, data stewards and administrators (system, database and application).
Level 4 (Highly Restricted Data): Must comply with DCL1, DCL2 and DCL3 requirements.
Reviewed 2023-06-12