III-1 Information Tiers and Sensitivity
Last Revision Date: March 16, 2012
Approval Date: February 27, 2007
Approval Authority: Case Chief Information Security Officer
Case University Technology (UTech) has created a 3-tiered information taxonomy.
The purpose of this standard is to assist Case users (persons assigned with data stewardship, ownership, and custodial duties) with the determination of the baseline security requirements based upon information tier level. Each category of information will have an assigned set of baseline numerically increasing tiers of security standards to apply as part of the risk management program in addressing confidentiality, integrity, and availability.
This policy applies to all Case information. Many of the security requirements are targeted at networked information technology systems.
Three Tier Standard Information Taxonomy
Case uses a 3-tier system to categorize information types and sensitivity. Each of the three categories is determined based upon risk to the University in the areas of confidentiality, integrity, and availability of data in support of the University's mission. Information (or data) owners are responsible for determining the impact levels of their information and managing risk to such information through the implementation of applicable control tiers.
These categories are derived from the Federal Information Processing Standard 199 (FIPS-199).

|Information Category|Confidentiality|Integrity|Availability|Control Tier|
|---|---|---|---|---|
|Internal Use Only|moderate|moderate|moderate|Tier II|
Case will not use the terms 'confidential, secret, top secret' unless they accurately describe information so categorized by the U.S. Government in the OMB Circular A-130 as pertaining to national security information. In general, none of the information at that level will appear in the Case academic, administrative, research, and IT environment.
Information Management Requirements
Information shall be segregated into technical or administrative categories such that controls can be applied to ensure risk to confidentiality, integrity, and availability are effectively managed. The most sensitive information will have the strongest set of controls. A determination of Information Category is a requirement for all information technology management and risk management decisions.
The significant majority of information in use at Case is Public. Information systems that store, process, or manage Public information are to apply the minimum security configuration and management standards. These standards have been approved for use in all Case IT environments, at a minimum, and may be enhanced to more stringent controls as deemed appropriate by the information owner. Tier I controls and security standards include basic hardening of network hosts, automated updates of systems software, anti-virus (and anti-spyware) software installed and automatically updated, and appropriate data backups.
- See examples of Public Information.
- See Tier I Basic Security Controls (Procedure III-1c): Standard network host configurations for Tier I information.
Internal Use Only Information
Information systems that store, process, or manage Internal Use Only information are to apply the Tier I minimum security standards, plus an additional set of host configurations to reduce the risk of host compromise via networking, or from data disclosure/loss in the event of theft or loss of the system. These Tier II controls and security standards include network authentication, user access controls, enhanced system hardening, auditing, data backup, system disaster recovery planning, and regular risk evaluations. In general, any disclosure of information is of concern, but is expected to have minimal impact on university operations.
- See examples of Internal Use Only Information.
- See Tier II Basic Security Controls (Procedure III-1d): Standard network host configurations for Tier II information.
Information systems that store, process, or manage Restricted information are to apply the Tier II controls and security standards, plus the most stringent controls in the university environment to address confidentiality issues. These are known as the Tier III controls and security standards.
- See examples of Restricted Information.
- See Tier III Basic Security Controls (Procedure III-1e): Standard network host configurations for Tier III information (includes guidance for handling of SSNs, which are Tier III information).
Multi-tiered systems conflict: When an information system processes more than one tier of information, the requirements for the highest level will be applied.
Case IT Services will define basic protection controls for systems and workflow, designed to protect each information category in a risk-managed manner.
Information Owner: A University official (University faculty or staff) who is responsible for the security of information in a given school or department. This official often has management authority for directing administrative procedures or purchasing/budget authority for dealing with consequences of information interruption of service, loss/destruction, disclosure, or modification.
Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.
Availability: The property that data or information is accessible and usable upon demand by an authorized person.
Note: As of May 15, 2009, information categories were changed to the current nomenclature (public, internal use only, restricted). Information tier numbers with Roman numerals are now used in reference to the control standards, not the information category.
Standards Review Cycle
This standard will be reviewed every two years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.