Date Approved: October 4, 2016
Effective Date: October 4, 2016
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 2.0; dated October 4, 2016
Related legislation and University policies:
- Policy I-1 Acceptable Use of Information Technology (AUP)
- The CWRU Information Technology Strategic Plan 2016
Review Period: 5 Years
Date of Last Review: October 4, 2016
Related to: Faculty, Staff, Students, Alumni, affiliate account holders
The purpose of this standard is to assist CWRU users (persons assigned data stewardship, ownership, and custodial duties) in determining the baseline security requirements based upon information tier level. Each category of information is assigned a baseline set of security standards, with the tiers increasing numerically in stringency, to be applied as part of the risk management program in addressing confidentiality, integrity, and availability.
This policy applies to all Case Western Reserve University (CWRU) information. Many of the security requirements are targeted at networked information technology systems.
Three Category Standard Information Taxonomy
CWRU uses a 3-tier system to categorize information types and sensitivity. Each of the three categories is determined based upon risk to the University in the areas of confidentiality, integrity, and availability of data in support of the University's mission. Information (or data) owners are responsible for determining the impact levels of their information and managing risk to such information through the implementation of applicable control tiers.
These categories are derived from the Federal Information Processing Standard 199 (FIPS-199).
Case Western Reserve University will not use the terms 'confidential, secret, top secret' unless they accurately describe information so categorized by the U.S. Government in the OMB Circular A-130 as pertaining to national security information. In general, none of the information at that level will appear in the CWRU academic, administrative, research, and [U]Tech environment.
Information Management Requirements
Information shall be segregated into technical or administrative categories such that controls can be applied to ensure that risks to confidentiality, integrity, and availability are effectively managed. The most sensitive information will have the strongest set of controls. A determination of Information Category is a requirement for all information technology management and risk management decisions.
Public Information
The significant majority of information in use at CWRU is Public. Information systems that store, process, or manage Public information apply the minimum security configuration and management standards. These standards have been approved for use in all CWRU IT environments, at a minimum, and may be enhanced to more stringent controls as deemed appropriate by the information owner. Controls and security standards for Public information include basic hardening of network hosts, automated updates of system software, anti-virus (and anti-spyware) software installed and automatically updated, and appropriate data backups.
- See examples of Public Information.
- See Public Information Basic Security Controls (Procedure III-1c Standard network host configurations for Public Information).
Internal Use Only Information
Information systems that store, process, or manage Internal Use Only information apply the minimum security standards and enhance them with an additional set of host configurations to reduce the risk of host compromise via networking, or of data disclosure/loss in the event of theft or loss of the system. These Internal Use Only controls and security standards include network authentication, user access controls, enhanced system hardening, auditing, data backup, system disaster recovery planning, and regular risk evaluations. In general, any disclosure of information is of concern, but is expected to have minimal impact on university operations.
- See examples of Internal Use Only Information.
- See Internal Use Only Basic Security Controls (Procedure III-1d Standard network host configurations for Internal Use Only information).
Restricted Information
Information systems that store, process, or manage Restricted information are to apply the aforementioned controls and security standards, as well as the most stringent controls in the university environment to address confidentiality issues. These are known as the Restricted Information controls and security standards.
- See examples of Restricted Information.
- See Restricted Information Basic Security Controls (Procedure III-1e Standard network host configurations for Restricted Information; includes guidance for handling of SSNs, which are Restricted information).
Multi-tiered systems conflict: when an information system processes more than one tier of information, the requirements for the highest tier will be applied.
CWRU [U]Tech Services will define basic protection controls for systems and workflows designed to protect each information category in a managed-risk manner.
Information Owner: A University official (University faculty or staff) who is responsible for the security of information in a given school or department. This official often has management authority for directing administrative procedures or purchasing/budget authority for dealing with consequences of information interruption of service, loss/destruction, disclosure, or modification.
Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.
Availability: The property that data or information is accessible and usable upon demand by an authorized person.
Note: As of May 15, 2009, information categories were changed to the Tier I, II, III nomenclature (public, internal use only, restricted).
As of October 2016, information tier numbers with Roman numerals are removed in favor of the descriptive categories (Public, Internal Use, Restricted) now used in reference to the control standards.
Standards Review Cycle
This standard will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.