9.8.2 Procedure for Securing and Accessing Each Data/System Classification
I. Purpose
This document establishes the minimum controls to protect against theft, compromise, and inappropriate use based upon data classification. Procedures for classifying data and the data categories are provided in the 9.8.1 Data Classification Procedure.
II. Coverage/Applicability
Data resources are the discrete assets that store, process, transmit, or receive data. The data resources covered by this procedure include:
| Data Resource Type | Description |
| Non-Electronic Media | Printed, hard-copy versions of information. |
| Electronic Media | |
| University owned, maintained, or contracted servers | Systems that the University has purchased, maintains, or has entered into a contract that provides services such as but not limited to: file sharing, web services, database services, print services. |
| University owned, maintained, or contracted workstations | Systems that the University has purchased, maintains, or has entered into a contract that do not act as servers and are not considered mobile. Examples include but are not limited to: Dell Optiplex, Apple Mac Pro, HP Compaq |
| Personally owned workstations | Systems that the University has not purchased, does not maintain, or has not entered into a contract that do not act as servers and are not mobile. Example include but are not limited to: Dell Optiplex, Apple Mac Pro, HP Compaq |
| University owned or maintained laptop computers |
Systems that the University has purchased, maintains, or has entered into a contract that do not act as servers and are laptops. Examples include but are not limited to: Dell Inspiron, Apple MacBook, Lenovo ThinkPad. |
| Personally owned laptop computers | Systems that the University has not purchased, does not maintain, or has not entered into a contract that do not act as servers and are laptops. Examples include but are not limited to: Dell Inspiron, Apple MacBook, Lenovo ThinkPad. |
| University owned or maintained mobile devices |
Systems that the University has purchased, maintains, or has entered into a contract that do not act as servers, are not laptops, and are mobile. Examples include: Apple iPads, Samsung Galaxy, Blackberry PlayBook, Apple iPhones, Motorola Droid, BlackBerry smartphone. |
| Personally owned mobile devices | Systems that the University has not purchased, does not maintain, or has not entered into a contract that do not act as servers, are not laptops, and are mobile. Examples include but are not limited to: Apple iPad, Samsung Galaxy, Apple iPhone, Motorola Droid, BlackBerry smartphone. |
|
University owned, maintained, or contracted printers, scanners/faxes, multi-function devices, and electronic surveillance devices |
Systems that the University has purchased, maintains, or has entered into a contract that performs printing,scanning, faxing, or electronic surveillance. |
|
Personally owned, maintained, or contracted printers, scanners/faxes, and multi-function devices, and electronic surveillance devices |
Systems that the University has purchased, maintains, or has entered into a contract that performs printing, scanning, faxing, or electronic surveillance. |
III. Responsibility
Procedures addressing the minimum or baseline controls for securing data that is stored, processed, transmitted, or received by each data resource type are described below. The highest level of data classification being stored, processed, transmitted, or received by the resource determines the minimum level of controls required for the resource. For example, if a server or workstation is storing, processing, transmitting, or receiving data that is classified as Highly Restricted and it is also storing, processing, transmitting, or receiving data that classified as Restricted, the controls for Highly Restricted are required.
Individuals (as defined in Procedures 9.8.3 and 9.8.7) have varying responsibilities under this procedure. Data Stewards in conjunction with Unit Security Liaisons, Data Custodians, Functional Owners, Security Administrators, and System Administrators are responsible for implementing and administering these minimum controls. Data Stewards in conjunction with Unit Security Liaisons, Data Custodians, Functional Owners, Security Administrators, and System Administrators may develop requirements in addition to these minimum controls dependent upon regulatory, legal, or contractual requirements. Data users are also responsible for adhering to the established minimum controls. If you do not meet the minimum controls for the type of data you are using you are prohibited from using the data in that media format. For assistance, contact your Unit Security Liaison.
Security Review for Purchases or Development of Systems Handling Highly Restricted Data.
Departments evaluating the purchase or development of a data resource that would be storing, processing, transmitting, or receiving Highly Restricted data, must contact the Data Stewardship Committee prior to development or undertaking the purchasing process.
IV. Non-Compliance and Exceptions
Non-compliance with these standards will result in revocation of system or network access.
If any of the controls contained within this document cannot be met on data resources storing, processing, transmitting, or receiving Highly Restricted, Restricted, or Unrestricted data, an Exception Request must be initiated that includes reporting the non-compliance to the Data Stewardship Council via the Information Security Officer.
V. Non-Electronic Media
| Non-Electronic Media | ||||
| Control Number | Control | Highly Restricted Data | Restricted Data | Unrestricted Data |
| NEM-1 | Access | Access should be restricted based on roles and responsibility. Individuals who have been granted access should understand their responsibility and exercise care to ensure adequate protection. |
Access should be restricted based on roles and responsibility. Individuals who have been granted access should understand their responsibility and exercise care to ensure adequate protection. |
No requirement. |
| NEM-2 |
Documents in use |
Private, secure offices/workspaces where information is not in view of visitors. Documents should be secure at all times and not left unattended. |
Private, secure offices/workspaces where information is not in view of visitors. Documents should be secure at all times and not left unattended. |
No requirement. |
| NEM-3 | Printing | Only printed when there is a legitimate need.
Unattended printing is allowed if access controls are in place to prevent unauthorized viewing. Immediately retrieve and secure documents. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
Unattended printing is allowed if access controls are in place to prevent unauthorized viewing.
See additional controls under Printers/Scanners/Faxes/Multi-Function Devices |
No requirement. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
| NEM-4 | Labeling |
Certain documents must be labeled as "Confidential" regardless of internal or external use. Documents approved for distribution should be labeled accordingly. |
Certain documents must be labeled as "Confidential" regardless of internal or external use. Documents approved for distribution should be labeled accordingly. |
No requirement. |
| NEM-5 | Transmission | Data should not be transmitted in any manner unless for legitimate ISU business purpose. Recipients should be notified that the information is highly restricted and provided for specific business need. Recipients should be aware that they are responsible for the protection and destruction. | Data should not be transmitted in any manner unless for legitimate ISU business purpose. Recipients should be notified that the information is highly restricted and provided for specific business need. Recipients should be aware that they are responsible for the protection and destruction. | Data should not be transmitted in any manner unless for legitimate ISU business purpose. Recipients should be notified that the information is highly restricted and provided for specific business need. Recipients should be aware that they are responsible for the protection and destruction. |
| NEM-6 | Campus Mail; Envelope is marked confidential. Sealed in such a manner that tampering would be evident upon receipt.
External Mail Services; No markings required. Confirmation of receipt is required as legally mandated. |
No requirement | No requirement. | |
| NEM-7 | FAX |
Send: Double-check recipient fax numbers and security and privacy arrangements prior to sending. Confirmation of receipt is required as legally mandated. Data should not be left unattended on fax machines. Immediately retrieve or secure documents. Receive: Fax machines should be in secure, private locations. Data should not be left unattended on fax machines. Immediately retrieve or secure documents. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
No requirement.
See additional controls under Printers/Scanners/Faxes/Multi-Function Devices |
No requirement. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
| NEM-8 | Scan |
Data should not be left unattended. Immediately retrieve or secure documents. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
No requirement. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
No requirement. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
| NEM-9 | Storage | Stored in a secured location with restricted access based on role and responsibility. Documents critical to the conduct of University Business should be stored in fireproof cabinets. | Stored out of sight when not in use. | No requirement. |
| NEM-10 | Disposal |
Adhere to retention schedules. Cross shred within office or utilize confidential collection services of Facilities Management, by placing in locked, confidential recycle container. Prior to shredding container should be placed in private, secure office locations. |
Adhere to retention schedules. Cross shred within office or utilize confidential collection services of Facilities Management, by placing in locked, confidential recycle container. Prior to shredding container should be placed in private, secure office locations. |
Adhere to retention schedules. Utilize single-stream recycling containers. |
| NEM-11 | Secondary Use | Prohibited | As authorized by Business Owner | As authorized by Business Owner. |
| NEM-12 | External Data Sharing | As allowed by applicable laws and regulations. | As allowed by applicable laws and regulations. | No requirement. |
| NEM-13 | Duplicating |
Copies must be limited to individuals authorized to access the data within their roles and responsibilities. Receiver must not further distribute without permission. Data should not be left unattended on fax machines. Immediately retrieve or secure documents. See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
No requirement.
See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
No requirement.
See additional controls under Printers/Scanners/Faxes/Multi-Function Devices. |
| NEM-14 | Verbal/Oral |
Private offices or work areas where information cannot be overheard by the general public. |
Private offices or work areas where information cannot be overheard by the general public. |
No requirement. |
| NEM-15 | Review | Annually or as needed. | Annually or as needed. | Annually or as needed. |
VI. Servers
Electronic Data - University Owned, Maintained, or Contracted Servers
| Control Number | Control | Highly Restricted Date | Restricted Data | Unrestricted Data |
| S-1 |
Email on University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Permitted | Permitted |
| S-2 |
Email on non-University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Not Permitted | Permitted |
| S-3 |
Physical Access - Servers must be located in areas with restricted access. |
Required | Required | Not Required |
| S-4 |
Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan. |
Required | Required | Required |
| S-5 |
Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems. |
Required | Required | Required |
| S-6 |
Logical Access - Servers must not be directly accessible from the Internet. Use of private internal network addressing required. |
Required | Required | Not Required |
| S-7 |
Logical Access - Servers must be in a VLAN designated for servers. |
Required | Required | Required |
| S-8 | Logical Access - Access to non-public file system areas must require authentication. | Required | Required | Required |
| S-9 | Configure and manage in accordance to the Minimum Security Standard for Servers. | Required | Required | Required |
| S-10 |
Configure and manage in accordance with the Account and Password Standard. |
Required | Required | Required |
| S-11 |
Configure and manage in accordance with the Remote Access Standard. |
Required | Required | Required |
| S-12 |
All Accounts - Disable or delete unused accounts |
Required | Required | Required |
| S-13 |
All Accounts - Change default passwords. |
Required | Required | Required |
| S-14 |
Secondary Use of Data - use of the data other than for the requested purpose. |
Not permitted | As authorized by Data Stewards | As authorized by Data Steward |
| S-15 | Backups - Establish and follow a procedure to carry out regular system backups. | Required | Required | Recommended |
| S-16 | Backups - Backups must be verified, either through automated verification, through customer restores, or through trial restores. | Required | Required | Recommended |
| S-17 |
Backups - Maintain documented restoration procedures for systems and the data on those systems. |
Required | Required | Recommended |
| S-18 | Backups - Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access. | Required | Required | Recommended |
| S-19 |
Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process |
Required | Required | Required |
| S-20 |
Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process |
Required | Required | Required |
| S-21 |
Lost or Stolen |
Report to ISUPD | Report to ISUPD | Report to ISUPD |
VII. Workstations
Electronic Data - ISU and Personal Workstations
| Control Number | Control | Highly Restricted Data | Restricted Data | Unrestricted Data | |||
| ISU Owned |
Personally Owned Not Permitted |
ISU Owned | Personally Owned | ISU Owned | Personally Owned | ||
| W-1 | Email on University email servers - Store on the email server, view, store locally, send, or receive. | Not Permitted | Permitted | Permitted | Permitted | Permitted | |
| W-2 |
Email on non-University email servers - Store on the email server, view, store locally, send, or receive. |
Not permitted | Not Permitted | Not Permitted | Permitted | Permitted | |
| W-3 |
Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan |
Required | Required | Required | Required | Required | |
| W-4 |
Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems. |
Required | Required | Required | Required | Required | |
| W-5 | Logical Access - Workstations must not be directly accessible from the Internet. Use of private internal network addressing required. | Required | Required on campus network.
Recommended off-campus |
Required on campus network.
Recommended off-campus. |
Required on campus network.
Recommended off-campus. |
Recommended | |
| W-6 |
Logical Access - Workstations must be in a VLAN designated for workstations. |
Required on-campus | Required on campus network.
Recommended off-campus. |
Required on campus network.
Recommended off-campus. |
Required on campus network.
Recommended off-campus. |
Recommended | |
| W-7 |
Logical Access - Access to non-public file system areas must require authentication. |
Required | Required | Required | Required | Recommended | |
| W-8 |
Configure and manage in accordance to the Minimum Security Standard for Workstations. |
Required | Required | Required | Required | Recommended | |
| W-9 | Configure and manage in accordance with the Account and Password Standard. | Required | Required | Required | Required | Recommended | |
| W-10 |
Configure and manage in accordance with the Remote Access Standard. |
Required | Required | Required | Required | Recommended | |
| W-11 | All Accounts - Disable or delete unused accounts | Required | Required | Required | Required | Recommended | |
| W-12 | All Accounts - Change default passwords | Required | Required | Required | Required | Recommended | |
| W-13 | Secondary Use of Data - use of the data other than for the requested purpose | Not permitted | As authorized by Data Steward |
As authorized by Data Steward |
As authorized by Data Steward |
As authorized by Data Steward |
|
| W-14 | Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process | Required | Required | Required | Required | No Requirements | |
| W-15 | Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process | Required | Required | Required | Required | No Requirements | |
| W-16 | Lost or Stolen |
Report to ISUPD |
Report to ISUPD |
Report to ISUPD |
Report to ISUPD |
No Requirements | |
VIII. Laptop Systems
Electronic Data - ISU and Personal Laptop Systems
|
Control Number |
Control | Highly Restricted Data | Restricted Data | Unrestricted Data | |||
| ISU Owned |
Personally owned Not Permitted |
ISU Owned | Personally Owned | ISU Owned | Personally Owned | ||
| LS-1 |
Email on University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Permitted | Permitted | Permitted | Permitted | |
| LS-2 |
Email on non-University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Not Permitted | Not Permitted | Permitted | Permitted | |
| LS-3 |
Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan |
Required | Required | Required | Required | Required | |
| LS-4 |
Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems. |
Required | Required | Required | Required | Required | |
| LS-5 |
Logical Access – Laptop systems must not be directly accessible from the Internet. Use of private internal network addressing required. |
Required on campus | Required on campus network. Recommended off-campus | Required on campus network. Recommended off-campus | Required on campus network. Recommended off-campus | Recommended | |
| LS-6 |
Logical Access - Laptop systems must be in a VLAN designated for workstations or wireless devices. |
Required on campus | Required on campus network. Recommended off-campus | Required on campus network. Recommended off-campus | Required on campus network. Recommended off-campus | Recommended | |
| LS-7 | Logical Access - Access to non-public file system areas must require authentication. | Required | Required | Required | Required | Recommended | |
| LS-8 |
Configure and manage in accordance to the Minimum Security Standard for Laptop Systems. |
Required | Required | Required | Required | Recommended | |
| LS-9 | Configure and manage in accordance with the Account and Password Standard. | Required | Required | Required | Required | Recommended | |
| LS-10 | Configure and manage in accordance with the Remote Access Standard. | Required | Required | Required | Required | Recommended | |
| LS-11 | All Accounts - Disable or delete unused accounts | Required | Required | Required | Required | Recommended | |
| LS-12 | All Accounts - Change default passwords | Required | Required | Required | Required | Recommended | |
| LS-13 |
Secondary Use of Data - use of the data other than for the requested purpose. |
Not Permitted | As authorized by Data Steward | As authorized by Data Steward | As authorized by Data Steward | As authorized by Data Steward | |
| LS-14 | Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process | Required | Required | Required | Required | Recommended | |
| LS-15 |
Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process |
Required | Required | Required | Required | Recommended | |
| LS-16 | Lost or Stolen | Report to ISUPD | Report to ISUPD | Report to ISUPD | Report to ISUPD | No Requirements | |
IX. Mobile Devices
Electronic Data - ISU and Personal Mobile Devices
| Control Number | Control | Highly Restricted Data | Restricted Data | Unrestricted Data | |||
| ISU Owned | Personally owned Not Permitted | ISU Owned | Personally Owned | ISU Owned | Personally Owned | ||
| MD-1 |
Email on University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Permitted | Permitted | Permitted | Permitted | |
| MD-2 |
Email on non-University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Not Permitted | Not Permitted | Permitted | Permitted | |
| MD-3 |
Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan |
Required | Required | Required | Required | Required | |
| MD-4 |
Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems. |
Required | Required | Required | Required | Required | |
| MD-5 |
Logical Access - Mobile devices must not be directly accessible from the Internet. Use of private internal network addressing required. |
Required on campus | Required on campus network. Recommended off-campus |
Required on campus network. Recommended off-campus |
Required on campus network. Recommended off-campus |
Recommended | |
| MD-6 |
Logical Access - Mobile devices must be in a VLAN designated for workstations or wireless devices. |
Required on campus | Required on campus network. Recommended off-campus | Required on campus network. Recommended off-campus | Required on campus network. Recommended off-campus | Recommended | |
| MD-7 | Logical Access - Access to non-public file system areas must require authentication. | Required | Required | Required | Required | Recommended | |
| MD-8 | Configure and manage in accordance to the Minimum Security Standard for Mobile Devices. | Required | Required | Required | Required | Recommended | |
| MD-9 | Configure and manage in accordance with the Account and Password Standard. | Required | Required | Required | Required | Recommended | |
| MD-10 | Configure and manage in accordance with the Remote Access Standard. | Required | Required | Required | Required | Recommended | |
| MD-11 | All Accounts - Disable or delete unused accounts | Required | Required | Required | Required | Recommended | |
| MD-12 | All Accounts - Change default passwords |
Required |
Required |
Required |
Required |
Recommended | |
| MD-13 |
Secondary Use of Data - use of the data other than for the requested purpose. |
Not Permitted | As authorized by Data Steward | As authorized by Data Steward | As authorized by Data Steward | As authorized by Data Steward | |
| MD-14 |
Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process |
Required | Required | Required | Required | Recommended | |
| MD-15 |
Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process |
Required | Required | Required | Required | Recommended | |
| MD-16 | Lost or Stolen | Report to ISUPD | Report to ISUPD | Report to ISUPD | Report to ISUPD | No requirements | |
X. Printers/Scanners/Faxes/Multi-Function Devices, and Electronic Surveillance Devices
Electronic Data - ISU and Personal Printers/Scanners/Faxes/Multi-Function Devices, and Electronic Surveillance Devices
| Control Number | Control | Highly Restricted Data | Restricted Data | Unrestricted Data | |||
| ISU Owned | Personally Owned Not Permitted | ISU Owned | Personally Owned | ISU Owned | Personally Owned | ||
| PSF-1 |
Email on University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Permitted | Permitted | Permitted | Permitted | |
| PSF-2 |
Email on non-University email servers - Store on the email server, view, store locally, send, or receive. |
Not Permitted | Not Permitted | Not Permitted | Permitted | Permitted | |
| PSF-3 |
Comply with University Policy 1.7 Use of Electronic Equipment for Surveillance Purposes, and consult with ISU Police prior to purchase. |
Required | Required | Required | Required | Required | |
| PSF-4 | Logical Access – Data is captured, maintained, and disseminated in accordance with the Master Access Plan | Required | Required | Required | Required | Required | |
| PSF-5 | Logical Access – Local and third party systems transferring and storing Enterprise Data Repository (EDR) data must adhere to the Procedures for Use of Enterprise Data in Local and Third-Party Systems. | Required | Required | Required | Required | Required | |
| PSF-6 | Logical Access – Printers/Scanners/Faxes/Multi-Function devices must not be directly accessible from the Internet. Use of private internal network addressing required. | Required on campus | Required | Required on campus network. Recommended off-campus. | Required on campus network. Recommended off-campus. | Recommended | |
| PSF-7 |
Logical Access - Printers/Scanners/Faxes/Multi-Function devices must be in a VLAN designated for printer or server devices. |
Required on campus | Required | Required on campus network. Recommended off-campus. | Required on campus network. Recommended off-campus. | Recommended | |
| PSF-8 | Logical Access - Access to non-public file system areas must require authentication. | Required | Required | Required | Required | Recommended | |
| PSF-9 |
Configure and manage in accordance to the Minimum Security Standard for Printers/Scanners/Faxes, and Multi-Function Devices.. |
Required | Required | Required | Required | Recommended | |
| PSF-10 | Configure and manage in accordance with the Account and Password Standard. | Required | Required | Required | Required | Recommended | |
| PSF-11 | Configure and manage in accordance with the Remote Access Standard. | Required | Required | Required | Required | Recommended | |
| PSF-12 | Secondary Use of Data - use of the data other than for the requested purpose. | Not Permitted | As authorized by Data Steward | As authorized by Data Steward | As authorized by Data Steward | As authorized by Data Steward | |
| PSF-13 |
Disposal, End of Life, Surplus – Dispose in accordance with the University Data Disposal Process |
Required | Required | Required | Required | Recommended | |
| PSF-14 |
Reissue, Trade, RMA, Sold - Dispose in accordance with the University Data Disposal Process |
Required | Required | Required | Required | Recommended | |
| PSF-15 | Lost or Stolen | Report to ISUPD | Report to ISUPD | Report to ISUPD | Report to ISUPD |
No requirements |
|
Definitions:
Server: A system that performs tasks on behalf of clients. Examples include but are not limited to: File servers, database servers, web servers, mail servers, print servers.
Remote Access: The ability to access a system from a location other than at the system itself. Examples of application that provide remote access include but are not limited to: Microsoft Remote Desktop Services, SSH, Telnet, RealVNC, pcAnywhere, GoToMyPC, LogMeIn.
Last Review: July 2013