Skip to main content

9.8.2 Procedure for Securing and Accessing Each Data/System Classification

I. Purpose

This document establishes the minimum controls to protect against theft, compromise, and inappropriate use based upon data classification. Procedures for classifying data and the data categories are provided in the 9.8.1 Data Classification Procedure.

II. Coverage/Applicability

Data resources are the discrete assets that store, process, transmit, or receive data. The data resources covered by this procedure include:

Data Resource Type Description
Non-Electronic Media Printed, hard-copy versions of information.
Electronic Media
University owned, maintained, or contracted servers Systems that the University has purchased, maintains, or has entered into a contract that provides services such as but not limited to: file sharing, web services, database services, print services.
University owned, maintained, or contracted workstations Systems that the University has purchased, maintains, or has entered into a contract that do not act as servers and are not considered mobile. Examples include but are not limited to: Dell Optiplex, Apple Mac Pro, HP Compaq
Personally owned workstations Systems that the University has not purchased, does not maintain, or has not entered into a contract that do not act as servers and are not mobile. Example include but are not limited to: Dell Optiplex, Apple Mac Pro, HP Compaq
University owned or maintained laptop computers

Systems that the University has purchased, maintains, or has entered into a contract that do not act as servers and are laptops. Examples include but are not limited to: Dell Inspiron, Apple MacBook, Lenovo ThinkPad.

Personally owned laptop computers Systems that the University has not purchased, does not maintain, or has not entered into a contract that do not act as servers and are laptops. Examples include but are not limited to: Dell Inspiron, Apple MacBook, Lenovo ThinkPad.
University owned or maintained mobile devices

Systems that the University has purchased, maintains, or has entered into a contract that do not act as servers, are not laptops, and are mobile. Examples include: Apple iPads, Samsung Galaxy, Blackberry PlayBook, Apple iPhones, Motorola Droid, BlackBerry smartphone.

Personally owned mobile devices Systems that the University has not purchased, does not maintain, or has not entered into a contract that do not act as servers, are not laptops, and are mobile. Examples include but are not limited to: Apple iPad, Samsung Galaxy, Apple iPhone, Motorola Droid, BlackBerry smartphone.

University owned, maintained, or contracted printers, scanners/faxes, multi-function devices, and electronic surveillance devices

Systems that the University has purchased, maintains, or has entered into a contract that performs printing,scanning, faxing, or electronic surveillance.

Personally owned, maintained, or contracted printers, scanners/faxes, and multi-function devices, and electronic surveillance devices

Systems that the University has purchased, maintains, or has entered into a contract that performs printing, scanning, faxing, or electronic surveillance.

III. Responsibility

Procedures addressing the minimum or baseline controls for securing data that is stored, processed, transmitted, or received by each data resource type are described below. The highest level of data classification being stored, processed, transmitted, or received by the resource determines the minimum level of controls required for the resource. For example, if a server or workstation is storing, processing, transmitting, or receiving data that is classified as Highly Restricted and it is also storing, processing, transmitting, or receiving data that classified as Restricted, the controls for Highly Restricted are required.

Individuals (as defined in Procedures 9.8.3 and 9.8.7) have varying responsibilities under this procedure. Data Stewards in conjunction with Unit Security Liaisons, Data Custodians, Functional Owners, Security Administrators, and System Administrators are responsible for implementing and administering these minimum controls. Data Stewards in conjunction with Unit Security Liaisons, Data Custodians, Functional Owners, Security Administrators, and System Administrators may develop requirements in addition to these minimum controls dependent upon regulatory, legal, or contractual requirements. Data users are also responsible for adhering to the established minimum controls. If you do not meet the minimum controls for the type of data you are using you are prohibited from using the data in that media format. For assistance, contact your Unit Security Liaison.

Security Review for Purchases or Development of Systems Handling Highly Restricted Data.

Departments evaluating the purchase or development of a data resource that would be storing, processing, transmitting, or receiving Highly Restricted data, must contact the Data Stewardship Committee prior to development or undertaking the purchasing process.

IV. Non-Compliance and Exceptions

Non-compliance with these standards will result in revocation of system or network access.

If any of the controls contained within this document cannot be met on data resources storing, processing, transmitting, or receiving Highly Restricted, Restricted, or Unrestricted data, an Exception Request must be initiated that includes reporting the non-compliance to the Data Stewardship Council via the Information Security Officer.

V. Non-Electronic Media

Non-Electronic Media
Control Number Control Highly Restricted Data Restricted Data Unrestricted Data
NEM-1 Access Access should be restricted based on roles and responsibility. Individuals who have been granted access should understand their responsibility and exercise care to ensure adequate protection.

Access should be restricted based on roles and responsibility. Individuals who have been granted access should understand their responsibility and exercise care to ensure adequate protection.

No requirement.
NEM-2

Documents

in use

Private, secure offices/workspaces where information is not in view of visitors.

Documents should be secure at all times and not left unattended.

Private, secure offices/workspaces where information is not in view of visitors.

Documents should be secure at all times and not left unattended.

No requirement.
NEM-3 Printing Only printed when there is a legitimate need.

Unattended printing is allowed if access controls are in place to prevent unauthorized viewing. Immediately retrieve and secure documents.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

Unattended printing is allowed if access controls are in place to prevent unauthorized viewing.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

NEM-4 Labeling

Certain documents must be labeled as "Confidential" regardless of internal or external use.

Documents approved for distribution should be labeled accordingly.

Certain documents must be labeled as "Confidential" regardless of internal or external use.

Documents approved for distribution should be labeled accordingly.

No requirement.
NEM-5 Transmission Data should not be transmitted in any manner unless for legitimate ISU business purpose. Recipients should be notified that the information is highly restricted and provided for specific business need. Recipients should be aware that they are responsible for the protection and destruction. Data should not be transmitted in any manner unless for legitimate ISU business purpose. Recipients should be notified that the information is highly restricted and provided for specific business need. Recipients should be aware that they are responsible for the protection and destruction. Data should not be transmitted in any manner unless for legitimate ISU business purpose. Recipients should be notified that the information is highly restricted and provided for specific business need. Recipients should be aware that they are responsible for the protection and destruction.
NEM-6 Mail Campus Mail; Envelope is marked confidential. Sealed in such a manner that tampering would be evident upon receipt.

External Mail Services; No markings required. Confirmation of receipt is required as legally mandated.

No requirement No requirement.
NEM-7 FAX

Send:

Double-check recipient fax numbers and security and privacy arrangements prior to sending.

Confirmation of receipt is required as legally mandated.

Data should not be left unattended on fax machines. Immediately retrieve or secure documents.

Receive:

Fax machines should be in secure, private locations.

Data should not be left unattended on fax machines. Immediately retrieve or secure documents.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

NEM-8 Scan

Data should not be left unattended. Immediately retrieve or secure documents.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

NEM-9 Storage Stored in a secured location with restricted access based on role and responsibility. Documents critical to the conduct of University Business should be stored in fireproof cabinets. Stored out of sight when not in use. No requirement.
NEM-10 Disposal

Adhere to retention schedules. Cross shred within office or utilize confidential collection services of Facilities Management, by placing in locked, confidential recycle container. Prior to shredding container should be placed in private, secure office locations.

Adhere to retention schedules. Cross shred within office or utilize confidential collection services of Facilities Management, by placing in locked, confidential recycle container. Prior to shredding container should be placed in private, secure office locations.

Adhere to retention schedules. Utilize single-stream recycling containers.

NEM-11 Secondary Use Prohibited As authorized by Business Owner As authorized by Business Owner.
NEM-12 External Data Sharing As allowed by applicable laws and regulations. As allowed by applicable laws and regulations. No requirement.
NEM-13 Duplicating

Copies must be limited to individuals authorized to access the data within their roles and responsibilities. Receiver must not further distribute without permission.

Data should not be left unattended on fax machines. Immediately retrieve or secure documents.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

No requirement.

See additional controls under Printers/Scanners/Faxes/Multi-Function Devices.

NEM-14 Verbal/Oral

Private offices or work areas where information cannot be overheard by the general public.

Private offices or work areas where information cannot be overheard by the general public.

No requirement.
NEM-15 Review Annually or as needed. Annually or as needed. Annually or as needed.

VI. Servers

Electronic Data - University Owned, Maintained, or Contracted Servers

Control Number Control Highly Restricted Date Restricted Data Unrestricted Data
S-1

Email on University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Permitted Permitted
S-2

Email on non-University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Not Permitted Permitted
S-3

Physical Access - Servers must be located in areas with restricted access.

Required Required Not Required
S-4

Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan.

Required Required Required
S-5

Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems.

Required Required Required
S-6

Logical Access - Servers must not be directly accessible from the Internet. Use of private internal network addressing required.

Required Required Not Required
S-7

Logical Access - Servers must be in a VLAN designated for servers.

Required Required Required
S-8 Logical Access - Access to non-public file system areas must require authentication. Required Required Required
S-9 Configure and manage in accordance to the Minimum Security Standard for Servers. Required Required Required
S-10

Configure and manage in accordance with the Account and Password Standard.

Required Required Required
S-11

Configure and manage in accordance with the Remote Access Standard.

Required Required Required
S-12

All Accounts - Disable or delete unused accounts

Required Required Required
S-13

All Accounts - Change default passwords.

Required Required Required
S-14

Secondary Use of Data - use of the data other than for the requested purpose.

Not permitted As authorized by Data Stewards As authorized by Data Steward
S-15 Backups - Establish and follow a procedure to carry out regular system backups. Required Required Recommended
S-16 Backups - Backups must be verified, either through automated verification, through customer restores, or through trial restores. Required Required Recommended
S-17

Backups - Maintain documented restoration procedures for systems and the data on those systems.

Required Required Recommended
S-18 Backups - Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access. Required Required Recommended
S-19

Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process

Required Required Required
S-20

Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process

Required Required Required
S-21

Lost or Stolen

Report to ISUPD Report to ISUPD Report to ISUPD

VII. Workstations

Electronic Data - ISU and Personal Workstations

Control Number Control Highly Restricted Data Restricted Data Unrestricted Data
ISU Owned

Personally Owned

Not Permitted

ISU Owned Personally Owned ISU Owned Personally Owned
W-1 Email on University email servers - Store on the email server, view, store locally, send, or receive. Not Permitted Permitted Permitted Permitted Permitted
W-2

Email on non-University email servers - Store on the email server, view, store locally, send, or receive.

Not permitted Not Permitted Not Permitted Permitted Permitted
W-3

Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan

Required Required Required Required Required
W-4

Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems.

Required Required Required Required Required
W-5 Logical Access - Workstations must not be directly accessible from the Internet. Use of private internal network addressing required. Required Required on campus network.

Recommended off-campus

Required on campus network.

Recommended off-campus.

Required on campus network.

Recommended off-campus.

Recommended
W-6

Logical Access - Workstations must be in a VLAN designated for workstations.

Required on-campus Required on campus network.

Recommended off-campus.

Required on campus network.

Recommended off-campus.

Required on campus network.

Recommended off-campus.

Recommended
W-7

Logical Access - Access to non-public file system areas must require authentication.

Required Required Required Required Recommended
W-8

Configure and manage in accordance to the Minimum Security Standard for Workstations.

Required Required Required Required Recommended
W-9 Configure and manage in accordance with the Account and Password Standard. Required Required Required Required Recommended
W-10

Configure and manage in accordance with the Remote Access Standard.

Required Required Required Required Recommended
W-11 All Accounts - Disable or delete unused accounts Required Required Required Required Recommended
W-12 All Accounts - Change default passwords Required Required Required Required Recommended
W-13 Secondary Use of Data - use of the data other than for the requested purpose Not permitted As authorized by Data Steward

As authorized by Data Steward

As authorized by Data Steward

As authorized by Data Steward

W-14 Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process Required Required Required Required No Requirements
W-15 Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process Required Required Required Required No Requirements
W-16 Lost or Stolen

Report to ISUPD

Report to ISUPD

Report to ISUPD

Report to ISUPD

No Requirements

VIII. Laptop Systems

Electronic Data - ISU and Personal Laptop Systems

Control

Number

Control Highly Restricted Data Restricted Data Unrestricted Data
ISU Owned

Personally owned

Not Permitted

ISU Owned Personally Owned ISU Owned Personally Owned
LS-1

Email on University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Permitted Permitted Permitted Permitted
LS-2

Email on non-University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Not Permitted Not Permitted Permitted Permitted
LS-3

Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan

Required Required Required Required Required
LS-4

Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems.

Required Required Required Required Required
LS-5

Logical Access – Laptop systems must not be directly accessible from the Internet. Use of private internal network addressing required.

Required on campus Required on campus network. Recommended off-campus Required on campus network. Recommended off-campus Required on campus network. Recommended off-campus Recommended
LS-6

Logical Access - Laptop systems must be in a VLAN designated for workstations or wireless devices.

Required on campus Required on campus network. Recommended off-campus Required on campus network. Recommended off-campus Required on campus network. Recommended off-campus Recommended
LS-7 Logical Access - Access to non-public file system areas must require authentication. Required Required Required Required Recommended
LS-8

Configure and manage in accordance to the Minimum Security Standard for Laptop Systems.

Required Required Required Required Recommended
LS-9 Configure and manage in accordance with the Account and Password Standard. Required Required Required Required Recommended
LS-10 Configure and manage in accordance with the Remote Access Standard. Required Required Required Required Recommended
LS-11 All Accounts - Disable or delete unused accounts Required Required Required Required Recommended
LS-12 All Accounts - Change default passwords Required Required Required Required Recommended
LS-13

Secondary Use of Data - use of the data other than for the requested purpose.

Not Permitted As authorized by Data Steward As authorized by Data Steward As authorized by Data Steward As authorized by Data Steward
LS-14 Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process Required Required Required Required Recommended
LS-15

Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process

Required Required Required Required Recommended
LS-16 Lost or Stolen Report to ISUPD Report to ISUPD Report to ISUPD Report to ISUPD No Requirements

IX. Mobile Devices

Electronic Data - ISU and Personal Mobile Devices

Control Number Control Highly Restricted Data Restricted Data Unrestricted Data
ISU Owned Personally owned Not Permitted ISU Owned Personally Owned ISU Owned Personally Owned
MD-1

Email on University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Permitted Permitted Permitted Permitted
MD-2

Email on non-University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Not Permitted Not Permitted Permitted Permitted
MD-3

Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan

Required Required Required Required Required
MD-4

Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems.

Required Required Required Required Required
MD-5

Logical Access - Mobile devices must not be directly accessible from the Internet. Use of private internal network addressing required.

Required on campus Required on campus network. Recommended off-campus

Required on campus network. Recommended off-campus

Required on campus network. Recommended off-campus

Recommended
MD-6

Logical Access - Mobile devices must be in a VLAN designated for workstations or wireless devices.

Required on campus Required on campus network. Recommended off-campus Required on campus network. Recommended off-campus Required on campus network. Recommended off-campus Recommended
MD-7 Logical Access - Access to non-public file system areas must require authentication. Required Required Required Required Recommended
MD-8 Configure and manage in accordance to the Minimum Security Standard for Mobile Devices. Required Required Required Required Recommended
MD-9 Configure and manage in accordance with the Account and Password Standard. Required Required Required Required Recommended
MD-10 Configure and manage in accordance with the Remote Access Standard. Required Required Required Required Recommended
MD-11 All Accounts - Disable or delete unused accounts Required Required Required Required Recommended
MD-12 All Accounts - Change default passwords

Required

Required

Required

Required

Recommended
MD-13

Secondary Use of Data - use of the data other than for the requested purpose.

Not Permitted As authorized by Data Steward As authorized by Data Steward As authorized by Data Steward As authorized by Data Steward
MD-14

Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process

Required Required Required Required Recommended
MD-15

Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process

Required Required Required Required Recommended
MD-16 Lost or Stolen Report to ISUPD Report to ISUPD Report to ISUPD Report to ISUPD No requirements

X. Printers/Scanners/Faxes/Multi-Function Devices, and Electronic Surveillance Devices

Electronic Data - ISU and Personal Printers/Scanners/Faxes/Multi-Function Devices, and Electronic Surveillance Devices

Control Number Control Highly Restricted Data Restricted Data Unrestricted Data
ISU Owned Personally Owned Not Permitted ISU Owned Personally Owned ISU Owned Personally Owned
PSF-1

Email on University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Permitted Permitted Permitted Permitted
PSF-2

Email on non-University email servers - Store on the email server, view, store locally, send, or receive.

Not Permitted Not Permitted Not Permitted Permitted Permitted
PSF-3

Comply with University Policy 1.7 Use of Electronic Equipment for Surveillance Purposes, and consult with ISU Police prior to purchase.

Required Required Required Required Required
PSF-4 Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan Required Required Required Required Required
PSF-5 Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems. Required Required Required Required Required
PSF-6 Logical Access – Printers/Scanners/Faxes/Multi-Function devices must not be directly accessible from the Internet. Use of private internal network addressing required. Required on campus Required Required on campus network. Recommended off-campus. Required on campus network. Recommended off-campus. Recommended
PSF-7

Logical Access - Printers/Scanners/Faxes/Multi-Function devices must be in a VLAN designated for printer or server devices.

Required on campus Required Required on campus network. Recommended off-campus. Required on campus network. Recommended off-campus. Recommended
PSF-8 Logical Access - Access to non-public file system areas must require authentication. Required Required Required Required Recommended
PSF-9

Configure and manage in accordance to the Minimum Security Standard for Printers/Scanners/Faxes, and Multi-Function Devices..

Required Required Required Required Recommended
PSF-10 Configure and manage in accordance with the Account and Password Standard. Required Required Required Required Recommended
PSF-11 Configure and manage in accordance with the Remote Access Standard. Required Required Required Required Recommended
PSF-12 Secondary Use of Data - use of the data other than for the requested purpose. Not Permitted As authorized by Data Steward As authorized by Data Steward As authorized by Data Steward As authorized by Data Steward
PSF-13

Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process

Required Required Required Required Recommended
PSF-14

Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process

Required Required Required Required Recommended
PSF-15 Lost or Stolen Report to ISUPD Report to ISUPD Report to ISUPD Report to ISUPD

No requirements

Definitions:

Server: A system that performs tasks on behalf of clients. Examples include but are not limited to: File servers, database servers, web servers, mail servers, print servers.

Remote Access: The ability to access a system from a location other than at the system itself. Examples of application that provide remote access include but are not limited to: Microsoft Remote Desktop Services, SSH, Telnet, RealVNC, pcAnywhere, GoToMyPC, LogMeIn.

Last Review: July 2013