III-1 Information Tiers and Sensitivity
Overview
Version 2.0
Last Revision Date: September 16, 2009
Approval Date: February 27, 2007
Approval Authority: Case Chief Information Security Officer
Case Information Technology Systems (ITS) have created a 3-tiered information taxonomy.
Purpose
The purpose of this standard is to assist Case users (persons assigned data stewardship, ownership, and custodial duties) in determining the baseline security requirements that apply to information based upon its tier level. Each category of information is assigned a baseline set of security standards drawn from numerically increasing control tiers, to be applied as part of the risk management program in addressing confidentiality, integrity, and availability.
Scope
This policy applies to all Case information. Many of the security requirements are targeted at networked information technology systems.
Cancellation
Not applicable.
Three Tier Standard Information Taxonomy
General
Case uses a 3-tier system to categorize information types and sensitivity. Each of the three categories is determined based upon risk to the University in the areas of confidentiality, integrity, and availability of data in support of the University's mission. Information (or data) owners are responsible for determining the impact levels of their information and managing risk to such information through the implementation of applicable control tiers.
These categories are derived from the Federal Information Processing Standard 199 (FIPS-199).

| Information Category | Confidentiality | Integrity | Availability | Control Tier |
|---|---|---|---|---|
| Public | low | moderate | low | Tier I |
| Internal Use Only | moderate | moderate | moderate | Tier II |
| Restricted | high | moderate | moderate | Tier III |
Case will not use the terms 'confidential, secret, top secret' unless they accurately describe information so categorized by the U.S. Government in OMB Circular A-130 as pertaining to national security information. In general, none of the information at that level will appear in the Case academic, administrative, research, and IT environment.
Information Management Requirements
Information shall be segregated into technical or administrative categories such that controls can be applied to ensure that risks to confidentiality, integrity, and availability are effectively managed. The most sensitive information will have the strongest set of controls. A determination of Information Category is a requirement for all information technology management and risk management decisions.
Public Information
The significant majority of information in use at Case is Public. Information systems that store, process, or manage Public information are to apply the minimum security configuration and management standards. These standards have been approved for use in all Case IT environments, at a minimum, and may be enhanced to more stringent controls as deemed appropriate by the information owner. Tier I controls and security standards include basic hardening of network hosts, automated updates of system software, anti-virus (and anti-spyware) software installed and automatically updated, and appropriate data backups.
Internal Use Only Information
Information systems that store, process, or manage Internal Use Only information are to apply the Tier I minimum security standards, plus an additional set of host configurations to reduce the risk of host compromise via networking, or of data disclosure/loss in the event of theft or loss of the system. These Tier II controls and security standards include network authentication, user access controls, enhanced system hardening, auditing, data backup, system disaster recovery planning, and regular risk evaluations. In general, any disclosure of this information is of concern, but is expected to have minimal impact on university operations.
Restricted Information
Information systems that store, process, or manage Restricted information are to apply the Tier II controls and security standards, plus the most stringent controls in the university environment to address confidentiality issues. These are known as the Tier III controls and security standards.
Multi-tiered system conflicts: when an information system processes more than one tier of information, the requirements for the highest level will be applied.
Responsibility
Case IT Services will define, for each information category, basic protection controls for systems and workflows, designed to protect that category in a managed-risk manner.
Definitions
Information Owner: A University official (University faculty or staff) who is responsible for the security of information in a given school or department. This official often has management authority for directing administrative procedures, or purchasing/budget authority for dealing with the consequences of information interruption of service, loss/destruction, disclosure, or modification.
Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity: The property that data or information has not been altered or destroyed in an unauthorized manner.
Availability: The property that data or information is accessible and usable upon demand by an authorized person.
Note: As of May 15, 2009, information categories were changed to the current nomenclature (public, internal use only, restricted). Information tier numbers with roman numerals are now used in reference to the control standards, not the information category.
Standards Review Cycle
This standard will be reviewed at least every two years on the anniversary of the policy effective date. The standard may be reviewed on a more frequent basis depending on changes in risk exposure.