The following are the minimum security requirements that must be followed for each data classification level (DCL). These requirements also apply to applications and systems provided or hosted by third parties.
All electronically stored data residing within server-based systems must be evaluated and assigned the appropriate DCL. Each system must be managed according to the standards required for the highest data classification level of all the information residing on that system. The system may be managed at a higher level if deemed necessary due to the value or criticality of the information asset. For servers utilizing a database, the data residing in the database must be considered as part of the overall system for classification purposes.
Applications, whether provided by a vendor or developed internally, must meet the application security requirements established for each DCL. Many of these standards can be found at the Open Web Application Security Project (OWASP).
These standards do not cover office productivity software, such as Microsoft Office, or other software packages installed for use only on individual workstations.
UM Data Classification System
Systems & Applications
|Granting & Revoking Access|
|Remote Access Security|
|System & Application Assessments|
|Transmission of Data|