information security: information tiers and sensitivity

III- 1 Information Tiers and Sensitivity

Overview

Version 2.0
Last Revision Date: March 16, 2012
Approval Date: February 27, 2007
Approval Authority:  Case Chief Information Security Officer

Case Information Technology Services (ITS) has created a 3-tiered information taxonomy.

Purpose

The purpose of this standard is to assist Case users (persons assigned data stewardship, ownership, and custodial duties) in determining the baseline security requirements based upon information tier level.  Each category of information is assigned a baseline tier of security standards (tiers increase numerically with sensitivity) to apply as part of the risk management program in addressing confidentiality, integrity, and availability.

Scope

This policy applies to all Case information.  Many of the security requirements are targeted at networked information technology systems.

Cancellation

Not applicable.

Three Tier Standard Information Taxonomy

General

Case uses a 3-tier system to categorize information types and sensitivity.  Each of the three categories is determined based upon risk to the University in the areas of confidentiality, integrity, and availability of data in support of the University's mission.  Information (or data) owners are responsible for determining the impact levels of their information and managing risk to such information through the implementation of applicable control tiers.

These categories are derived from the Federal Information Processing Standard 199 (FIPS-199).

Information Category   Confidentiality   Integrity   Availability   Control Tier
Public                 low               moderate    low            Tier I
Internal Use Only      moderate          moderate    moderate       Tier II
Restricted             high              moderate    moderate       Tier III

Case will not use the terms 'confidential, secret, top secret' unless they accurately describe information so categorized by the U.S. Government in the OMB Circular A-130 as pertaining to national security information.  In general, none of the information at that level will appear in the Case academic, administrative, research, and IT environment.

Information Management Requirements

Information shall be segregated into technical or administrative categories such that controls can be applied to ensure that risk to confidentiality, integrity, and availability is effectively managed.  The most sensitive information will have the strongest set of controls.  A determination of Information Category is a requirement for all information technology management and risk management decisions.

Public Information

The significant majority of information in use at Case is Public.  Information systems that store, process, or manage Public information are to apply the minimum security configuration and management standards.  These standards have been approved for use in all Case IT environments, at a minimum, and may be enhanced to more stringent controls as deemed appropriate by the information owner.  Tier I controls and security standards include basic hardening of network hosts, automated updates of system software, anti-virus (and anti-spyware) software installed and automatically updated, and appropriate data backups.

Internal Use Only Information

Information systems that store, process, or manage Internal Use Only information are to apply the Tier I minimum security standards, plus an additional set of host configurations to reduce the risk of host compromise via networking, or from data disclosure/loss in the event of theft or loss of the system.  These Tier II controls and security standards include network authentication, user access controls, enhanced system hardening, auditing, data backup, system disaster recovery planning, and regular risk evaluations.  In general, any disclosure of information is of concern, but is expected to have minimal impact on university operations.

Restricted Information

Information systems that store, process, or manage Restricted information are to apply the Tier II controls and security standards, plus the most stringent controls in the university environment to address confidentiality issues.  These are known as the Tier III controls and security standards.

Multi-tiered systems conflict: when an information system processes more than one tier of information, the requirements for the highest tier will be applied.

Responsibility

Case IT Services will define basic protection controls for systems and workflows, designed to protect each information category in a managed-risk manner.

Definitions

Information Owner:  A University official (University faculty or staff) who is responsible for the security of information in a given school or department.  This official often has management authority for directing administrative procedures or purchasing/budget authority for dealing with consequences of information interruption of service, loss/destruction, disclosure, or modification.

Confidentiality:  The property that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity:  The property that data or information have not been altered or destroyed in an unauthorized manner.

Availability:  The property that data or information is accessible and usable upon demand by an authorized person.

Note: As of May 15, 2009, information categories were changed to the current nomenclature (Public, Internal Use Only, Restricted).  Information tier numbers with Roman numerals are now used in reference to the control standards, not the information category.

Standards Review Cycle

This standard will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.

© 2013 Case Western Reserve University
Cleveland, OH 44106
Information Technology Services