III-1e Tier III Controls: Case Information Security Requirements for Restricted Information
Last Revision Date: May 20, 2011
Approval Date: November 16, 2009
Approval Authority: Case Chief Information Security Officer
As a risk mitigation action for enterprise-wide information protection, the Case Tier III Controls are provided to guide users and administrators on the requirements for the proper storage, handling, and protection of Restricted information in IT or paper resources, including networked hosts on the Case networks.
This Procedure applies to all university information and information technology systems that use the Case network infrastructure. It is designed to support the Case Information Security Policies and to be auditable.
This procedure outlines basic controls required for all restricted information, including paper files and IT systems processing, storing, or transmitting Restricted information. Because Restricted information is the highest confidentiality level of information in the university, this procedure defines additional management processes required.
Tier III IT control standards are built upon the Tier I and Tier II control standards and are therefore the most stringent security configuration standards. For all IT systems processing Restricted information, the Tier I and Tier II standards remain applicable; the controls listed here are applied in addition to those required for lower-level information. All configuration controls for the Tier I and Tier II control levels therefore apply to Tier III environments where Restricted data are maintained.
- Inventory. Any university organization (school, management center, department) that is responsible for Restricted information shall maintain a written inventory of the type and location of any Restricted information used in their operational or administrative capacity. This inventory shall include IT resources with Restricted data, paper-based records, and any other physical or logical asset that contains such information.
- Security Responsibilities. Any university organization that is responsible for Restricted information shall designate in writing a management representative as the responsible party for implementation and adherence to security protections and controls for Restricted information. All security incidents involving Restricted data are under a mandatory reporting requirement.
- Security Plan. All IT systems processing and managing Restricted information shall have a written security plan which delineates management processes pertaining to the acknowledged risk associated with Restricted information in the university IT environment. A security plan template is available from the Information Security Office. The security plan will address the following topics:
- Data ownership.
- Security responsibilities for staff, including workforce security procedures.
- An inventory of IT systems authorized for Restricted information.
- A listing of known risks and an action plan to address the top risks.
- A basic contingency plan for any high impact risks.
- An audit report which details the known protections in place.
- An annual review of the plan and controls.
- A statement of approval to operate the system from senior management (Dean or VP)
- Training of Users and Systems Administrators. All systems administrators and users of Restricted information shall receive appropriate and documented training in restricted data handling and management. At least one systems administrator responsible for IT systems with Restricted information shall complete a certification program for Information Security based on the SANS Security 351 "Computer and Network Security Awareness" on a one-time basis. These systems administrators shall be certified to the National Information Assurance Training Standard for System Administrators (NSTISSI-4013), or similar certification (SANS, Security+, CompTIA) that will be equivalent to the DoD 8570 IAT Level II certification. Non-employee students shall be prohibited from handling Restricted information or managing IT systems that handle Restricted information.
- Evaluation and Audit. On an annual basis, the internal staff of an organization responsible for Restricted information will conduct a random audit of the security plan and the implemented security controls. A gap analysis report with a remediation plan will be submitted to the organization's management and to the university's Chief Information Security Officer.
- Personnel Controls. Background checks shall be performed on a periodic basis for all persons authorized to access, process, and store Restricted information. The University Department of Human Resources will determine the appropriate time intervals. Additionally, background checks for systems administrators of IT systems with Restricted information shall include criminal background check, employment record review, and credit check.
- Labeling. All documents and communications containing Restricted information shall include labels indicating that "Restricted" information is present. Typical examples are document headers and footers and/or watermarks with the label "Restricted."
- Business Continuity Planning. Departments with Restricted information systems and critical IT infrastructure may, upon management discretion, develop and implement business continuity planning.
- Facility Access. All server resources that process, store, and manage Restricted information shall be hosted in a facility that permits auditable physical access controls which will protect the technology, the work force, and the resident Restricted information through:
- Protection from unauthorized physical access, tampering, and theft.
- Controlled physical access entries to the facility, with appropriate access logging. Access shall be reviewed annually and require re-authorization. Persons no longer needing physical access shall be removed from access within 1 working day of notification of change in status.
- Access to rooms containing information technology infrastructure must be controlled to permit only authorized persons access to server resources. This group of authorized persons must be the minimum number of persons with a documented need for access.
- Appropriate fire protection/suppression capabilities as required by law.
- Appropriate environmental controls such as cooling, humidity controls.
- Electrical power requirements and emergency uninterruptible power supplies (UPS).
- Access Controls and Validation.
- No Restricted data shall be made publicly available in an IT system or visible format without access controls that ensure only authorized individuals are granted access.
- All server resources that process, store, and manage Restricted information shall be protected by access controls which ensure that only authorized persons have access to the system and data.
- All paper-based records with Restricted information shall use mechanisms to prevent unauthorized access such as storage in locked cabinets and locked office spaces.
- Access must be approved by data owners and authorized by the Information Security Office.
- Workstation Use. All workstation resources that process, store, and manage Restricted information shall be controlled to prevent improper usage that may lead to unauthorized access to, loss, or damage to the integrity of Restricted information.
- All workstations and other devices must be pre-approved by organizational management for processing Tier III information. Note that Tier I and Tier II configuration standards also apply.
- No Restricted information may be permanently stored on single-user workstations or laptops. All Restricted information must be maintained on Tier III secured servers.
- Transmission of Restricted information shall employ encrypted communications methods (e.g. the Case VPN or SSL-based communications). Temporary local storage shall be protected by approved encryption methods and technologies to prevent inadvertent disclosure.
- Theft prevention and recovery software shall be required for mobile workstations used for Restricted information access to mitigate the likelihood of data disclosure in the event of loss or theft.
- Disposal. At the end of their life cycles, all IT resources that process, store, and manage Restricted information shall be disposed of in accordance with the Case data disposal procedure, which includes hard disk overwrite procedures.
- Login Screen. All hosts that support a login screen shall be configured to require individual users to login with credentials (e.g. username and password). Hosts shall not be configured to auto-login. Special exceptions for managed kiosk devices will be made on a case-by-case basis, and must be approved by Information Security.
- Advanced System Hardening and Administrative Procedures. All hosts shall undergo a basic hardware and operating system assessment and configuration to ensure that default options do not permit easy and rapid host compromise. Basic hardening can be implemented via local policy or via a managed network environment (e.g. Active Directory Group Policy). Specific examples include:
- Minimizing unnecessary network based services and ports. The use of the SANS/FBI Top 20 List can be a key guideline in hardening a host.
- All system users shall have unique identifiers to maintain accountability for system actions. Following the principle of least privilege, users should have minimum privileges necessary for daily operations, only using an account with Administrator or root privileges when needed for system maintenance. Remote access is performed with a standard user account, then 'sudo' or 'RunAs' procedures are used to perform administrative functions.
- Remote access to Unix or Linux-based systems shall not permit the root user to connect remotely.
- All vendor-supplied default user names and passwords shall be changed before systems are approved for operational use.
- Clear-text communications protocols for server administration shall be disabled (encrypt all non-console administrative access).
- Session idle timeouts shall be set to lock screens or logout connections after 15 minutes of idle time.
- Additional configuration guidance checklists can be found here.
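As an added example (not part of the Case procedure and not code from the university), the following Python script checks a host against three of the items above: remote root login disabled in sshd_config, no clear-text administrative listeners, and a 15-minute idle logout for shell sessions. The sshd_config text, the profile snippet and the listener table are constructed samples; a real run would read /etc/ssh/sshd_config, the files under /etc/profile.d/ and the output of `ss -ltnp`. Using a readonly TMOUT for the idle logout, and the specific ports treated as clear-text, are assumptions of the example rather than requirements stated in the procedure.

```python
"""Host-hardening checks for three items in the list above: no remote root login,
no clear-text administrative protocols, and a 15-minute idle logout.
Added example; all inputs below are constructed samples, not data from a real host."""
import re

IDLE_LIMIT = 15 * 60  # seconds, the Tier III idle-timeout requirement

# TCP services that carry administrative credentials in clear text (assumed list).
CLEARTEXT_ADMIN_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

# Constructed sample: a default install that an admin tried to fix by appending
# "PermitRootLogin no" at the bottom of sshd_config.
WEAK_SSHD = """# sshd_config (constructed sample)
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
PermitRootLogin no
"""
WEAK_PROFILE = "TMOUT=1800\nexport TMOUT\n"  # /etc/profile.d snippet: too long, not readonly
WEAK_LISTENERS = [(22, "sshd"), (23, "in.telnetd"), (443, "httpd")]  # as read from `ss -ltnp`

# Constructed sample of the same host after hardening.
HARD_SSHD = "PermitRootLogin no\nSubsystem sftp /usr/lib/openssh/sftp-server\n"
HARD_PROFILE = "readonly TMOUT=900\nexport TMOUT\n"
HARD_LISTENERS = [(22, "sshd"), (443, "httpd")]


def parse_sshd_config(text):
    """Return the effective top-level directives, keys lower-cased.
    sshd uses the FIRST value of a repeated keyword, so a 'no' appended below an
    earlier 'yes' changes nothing. Directives after a Match line are conditional
    and are left out of this check."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        directives.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return directives


def check_sshd(directives):
    """Remote root login must be disabled explicitly. When the directive is absent
    the default depends on the OpenSSH version (yes before 7.0, prohibit-password
    from 7.0 on), so absence is reported rather than trusted."""
    effective = directives.get("permitrootlogin", "<not set>")
    if effective != "no":
        return ["sshd: PermitRootLogin must be 'no' (effective value: %s)" % effective]
    return []


def check_idle_timeout(profile_text):
    """A readonly TMOUT exported from /etc/profile.d gives bash/ksh/zsh logins the
    15-minute idle logout. It must be readonly or a user can run 'unset TMOUT'.
    sshd's ClientAliveInterval does not help here: it only drops clients that
    stop answering keepalives, not sessions that are merely idle."""
    m = re.search(r"^(?:readonly\s+)?(?:export\s+)?TMOUT=(\d+)", profile_text, re.M)
    if not m:
        return ["profile: TMOUT is not set; shell sessions never time out"]
    findings = []
    seconds = int(m.group(1))
    if seconds == 0 or seconds > IDLE_LIMIT:  # TMOUT=0 disables the timeout entirely
        findings.append("profile: TMOUT=%d does not enforce a %d second limit" % (seconds, IDLE_LIMIT))
    if not re.search(r"^readonly\s+TMOUT\b", profile_text, re.M):
        findings.append("profile: TMOUT is not readonly and can be unset by the user")
    return findings


def check_listeners(listeners):
    """Each (port, process) pair comes from the host's listening-socket table."""
    return ["listener: %s (%s) on tcp/%d sends credentials in clear text; disable it"
            % (CLEARTEXT_ADMIN_PORTS[port], proc, port)
            for port, proc in listeners if port in CLEARTEXT_ADMIN_PORTS]


def audit(sshd_text, profile_text, listeners):
    """All findings for one host; an empty list means the three checks pass."""
    return (check_sshd(parse_sshd_config(sshd_text))
            + check_idle_timeout(profile_text)
            + check_listeners(listeners))


if __name__ == "__main__":
    for label, args in (("default install", (WEAK_SSHD, WEAK_PROFILE, WEAK_LISTENERS)),
                        ("hardened", (HARD_SSHD, HARD_PROFILE, HARD_LISTENERS))):
        findings = audit(*args)
        print("%s: %s" % (label, "PASS" if not findings else "%d finding(s)" % len(findings)))
        for f in findings:
            print("  -", f)
```

Run against the "default install" sample it reports four findings; the first of them shows the pitfall the parser is written around: sshd honours the first `PermitRootLogin` it sees, so the appended `no` never took effect. Against the hardened sample it reports none.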
- Firewall. Tier III systems shall be protected by University infrastructure firewalls (e.g., housed in a Data Center). Additional data center firewall rules shall be implemented to restrict network connections to the minimum necessary for the operation and function of the server. Specific requirements include:
- Firewall and router configuration standards shall conform to industry best practices.
- The firewalls shall follow a "default deny" stance toward all untrusted environments: any traffic that is not explicitly allowed is denied.
- Firewalls shall prohibit direct public access to systems storing Restricted data (data shall be segregated from publicly available applications and services such as web services).
- Firewalls should conceal addressing schemes of Tier III systems from untrusted environments.
- Firewalls (local or network) shall perform egress filtering, to limit data ex-filtration, by denying server-initiated outbound connections that are not associated with the operational function of the server.
- Network firewalls will be applied in accordance with the Network Management Policy.
- Encryption. All Tier III systems shall have open source encryption utilities available and implemented for protection of Restricted data from inadvertent disclosure.
- The use of encrypted protocols for network communications (e.g. ssh, SSL, sftp, etc.) supporting administrative operations is required.
- Communication of Restricted data via email in clear text is prohibited. Communication utilizing end-to-end encryption methods shall be used for Restricted data.
- Users are discouraged from using mobile systems (e.g. laptops) to store and process Restricted data. If needed, mobile systems shall employ appropriate encryption techniques to protect stored Restricted data from loss or disclosure.
- Data owners shall provide for encryption key management so that keys, and therefore the encrypted data, remain available to the university.
- Vulnerability Management. All Tier III systems shall be periodically evaluated for system and system software vulnerabilities.
- Tier III systems in the Data Centers shall undergo weekly vulnerability assessments.
- Systems administrators shall mitigate or close discovered vulnerabilities on a negotiated schedule based on system risk and data owner needs.
- Systems with open vulnerabilities that constitute a significant risk to the Restricted data or Tier III environment may be subject to network access removal until mitigated.
- Operating System and Software Security Updates. When applicable, all hosts shall be configured to receive and implement security updates to software and operating system software within a time frame of 1 month after the release of updates by software vendors. Occasional out of band patches shall be applied if risk levels warrant such action. It is expected that Tier III servers are managed by competent IT staff who shall apply patches expeditiously. Operational needs may support variance from the patch time frame with the written approval of the Data Owner.
- Application/Software Security. Application security is of equal importance as network and operating system security with regard to Restricted information.
- Software development must involve reviews for design, implementation, and logic vulnerabilities before a system will receive management approval to operate.
- Change control procedures shall exist and be followed.
- Protections are in place to ensure the integrity of application code.
- Applications with Restricted data must validate all user-supplied input.
- Error handling routines must not disclose system architectural details.
- Default passwords or vendor credentials shall be removed before Restricted data are placed on the systems or systems are implemented.
- Application logging shall record success and failure events and any privilege escalation.
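Added example, not code from the procedure or from any Case system: a minimal request handler in Python that shows the three application controls above working together: allow-list input validation, error handling that returns only a generic message plus a correlation id while the technical detail goes to the server-side log, and an audit log that records successes, failures and uses of an elevated role. The users, the record store, the record-id format and the simulated backend fault (an exception whose text contains an internal hostname) are all constructed for this example.

```python
"""Application-layer controls: allow-list validation, non-revealing error handling,
and audit logging of success, failure and privilege use.
Added example using only the standard library; all principals and data are constructed."""
import logging
import re
import traceback
import uuid

# Two logs: the audit log records who did what; the application log receives the
# technical detail (stack traces, hostnames) that must never reach a client.
audit_log = logging.getLogger("audit")
app_log = logging.getLogger("app")


class MemoryHandler(logging.Handler):
    """Keeps formatted records in a list so the example can inspect them.
    A production system would ship audit records to a central, append-only store."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


AUDIT = MemoryHandler()
audit_log.addHandler(AUDIT)
audit_log.setLevel(logging.INFO)
app_log.addHandler(logging.NullHandler())  # stand-in for the server's own log destination

# Constructed sample principals, records and action/role mapping (illustrative only).
USERS = {"alice": {"reader"}, "bob": {"reader", "admin"}}
RECORDS = {"R-1001": {"owner": "alice", "ssn_last4": "1234"}}
RECORD_ID = re.compile(r"^R-\d{4,6}$")  # allow-list: the shape of a valid id, nothing else
ACTIONS = {"read": "reader", "delete": "admin"}  # action -> role required


class ValidationError(ValueError):
    pass


def validate(request):
    """Reject anything that is not exactly the expected shape (allow-list, not deny-list)."""
    if not isinstance(request, dict) or set(request) != {"user", "action", "record_id"}:
        raise ValidationError("unexpected fields")
    if request["user"] not in USERS:
        raise ValidationError("unknown user")
    if request["action"] not in ACTIONS:
        raise ValidationError("unknown action")
    rid = request["record_id"]
    if not isinstance(rid, str) or not RECORD_ID.match(rid):
        raise ValidationError("malformed record id")
    return request


def load_record(record_id):
    """Constructed backend: one id simulates a database fault whose message contains
    an internal hostname, the kind of detail an error response must not disclose."""
    if record_id == "R-5000":
        raise RuntimeError("connection refused: db-prod-03.internal:5432")
    return RECORDS[record_id]  # KeyError when the record does not exist


def handle(request):
    """Return (status, body). Bodies are generic; detail goes to the server logs
    under a correlation id so support staff can find it without exposing it."""
    ref = uuid.uuid4().hex[:8]
    try:
        req = validate(request)
        user, action, rid = req["user"], req["action"], req["record_id"]
        if ACTIONS[action] not in USERS[user]:
            audit_log.warning("FAILURE ref=%s user=%s action=%s record=%s reason=not-authorized",
                              ref, user, action, rid)
            return 403, {"error": "forbidden", "ref": ref}
        if ACTIONS[action] == "admin":
            # Use of an elevated role is an audit event in its own right, not only a success.
            audit_log.warning("PRIVILEGE ref=%s user=%s action=%s record=%s role=admin",
                              ref, user, action, rid)
        if action == "delete":
            RECORDS.pop(rid, None)
            body = {"deleted": rid}
        else:
            body = {"record": load_record(rid)}
        audit_log.info("SUCCESS ref=%s user=%s action=%s record=%s", ref, user, action, rid)
        body["ref"] = ref
        return 200, body
    except ValidationError as exc:
        audit_log.warning("FAILURE ref=%s reason=validation:%s", ref, exc)
        return 400, {"error": "invalid request", "ref": ref}
    except KeyError:
        audit_log.warning("FAILURE ref=%s user=%s record=%s reason=not-found",
                          ref, request.get("user"), request.get("record_id"))
        return 404, {"error": "not found", "ref": ref}
    except Exception:
        # Stack trace and internal hostnames go to the application log only.
        app_log.error("ref=%s unhandled error\n%s", ref, traceback.format_exc())
        audit_log.error("FAILURE ref=%s reason=internal-error", ref)
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    for req in ({"user": "alice", "action": "read", "record_id": "R-1001"},
                {"user": "alice", "action": "read", "record_id": "R-1001; DROP TABLE x"},
                {"user": "alice", "action": "delete", "record_id": "R-1001"},
                {"user": "bob", "action": "read", "record_id": "R-5000"},
                {"user": "bob", "action": "delete", "record_id": "R-1001"}):
        print(handle(req))
    print("\n".join(AUDIT.lines))
```

The client never sees `db-prod-03.internal`, a stack trace or the validation reason; it gets the `ref` value, which is the only thing a help-desk ticket needs to carry for an administrator to locate the full entry in the application log. Every outcome, including bob's use of the admin role, leaves an audit line.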
- Anti-Theft Utilities. Users of mobile systems (e.g. tablet PCs, notebook computers, PDAs, etc.) are highly discouraged from using them to store and process Restricted information; however, when such a need arises, anti-theft technologies are required. The use of locking cables is highly recommended. Software-based tracking services are required.
- Data Backup. Tier I data that is of value to the user should be retained in a backup capability to mitigate the impact of hardware failure, loss, and theft. Case has a branded partnership for online backup services through Carbonite (PC users).
- Research Data. Certain data systems associated with Federally funded research may be subject to additional security controls. These controls will be applied to a small subset of systems that shall also comply with Tier III controls. These controls shall be addressed by individual systems and written into applicable systems security plans.
- Health Insurance Portability and Accountability Act (HIPAA) Covered Entity data shall comply with a local HIPAA security plan, or with the controls defined by the Institutional Review Board (IRB) for the covered entity responsible for the research.
- Electronic Protected Health Information (ePHI) may have similar data security requirements.
- The Family Educational Rights and Privacy Act (FERPA) imposes additional constraints under the stewardship of the University Registrar.
Case End Users: Assure controls based on Case information categories are implemented.
Departmental IT Staff: Manage IT systems with the goal of maintaining confidentiality, integrity, and availability of IT systems for the department and the university.
Case ITS Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.
Chief Information Security Officer: Assure compliance with the protection requirements for Restricted data.
Data Owners: Develop security plans to assure that Tier III controls are applied where applicable to protect Restricted data. Assume responsibility for data protection and risk management of IT systems and data.
Host: Any network capable device utilizing network services. A host may be a personal computer, a network appliance, server resources, printers, scanners, copiers, or similar electronic device.
Data Owner: A Data Owner is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. This person has financial and administrative responsibility for the protection, use, and management of the data.
Systems administrator: A technically trained university staff with responsibility for implementing IT systems. Any person with "administrator" or "root" privileges to an IT system with Restricted information is considered a systems administrator for compliance purposes.
Student employee: A university student who is employed part time to fulfill a technical role or complete IT tasking. These are most typically undergraduate students. Graduate and professional students performing IT roles as part of their research or thesis work are considered university employees.
End-to-end encryption: The information is encrypted once at the originating source and decrypted only at its destination. Speed and overall security are advantages. Note that only the data is encrypted, not the routing information.
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.