III-1e Tier III Controls: Case Information Security Requirements for Restricted Information
Last Revision Date: May 20, 2011
Approval Date: November 16, 2009
Approval Authority: Case Chief Information Security Officer
As a risk mitigation action for enterprise wide information protection, the Case Tier III Controls are provided to guide users and administrators with the requirements for the proper storage, handling, and protection of Restricted information in IT or paper resources, including networked hosts on the Case networks.
This Procedure applies to all university information and information technology systems that use the Case network infrastructure. It is designed to support the Case Information Security Policies and to be auditable.
This procedure outlines basic controls required for all restricted information, including paper files and IT systems processing, storing, or transmitting Restricted information. Because Restricted information is the highest confidentiality level of information in the university, this procedure defines additional management processes required.
Tier III IT control standards are built upon the Tier I and Tier II control standards, and therefore considered to be the maximum security configuration standards. For all IT systems processing Restricted information, the Tier I and Tier II standards are applicable, and the controls listed here are to be applied in addition to those for lower
All configuration controls for Tier I and Tier II control levels are applicable to Tier III environments, where Restricted data are maintained.
- Inventory. Any university organization (school, management center, department) that is responsible for Restricted information shall maintain a written inventory of the type and location of any Restricted information used in their operational or administrative capacity. This inventory shall include IT resources with Restricted data, paper-based records, and any other physical or logical asset that contains such information.
- Security Responsibilities. Any university organization that is responsible for Restricted information shall designate in writing a management representative as the responsible party for implementation and adherence to security protections and controls for Restricted information. All security incidents involving Restricted data are under a mandatory reporting requirement.
- Security Plan. All IT systems processing and managing Restricted information shall have a written security plan which delineates management processes pertaining to the acknowledged risk associated with Restricted information in the university IT environment. A security plan template is available from the Information Security Office. The security plan will address the following topics:
- Data ownership.
- Security responsibilities for staff, including workforce security procedures.
- An inventory of IT systems authorized for Restricted information.
- A listing of known risks and an action plan to address the top risks.
- A basic contingency plan for any high impact risks.
- An audit report which details the known protections in place.
- An annual review of the plan and controls.
- A statement of approval to operate the system from senior management (Dean or VP).
- Training of Users and Systems Administrators. All systems administrators and users of Restricted information shall receive appropriate and documented training in restricted data handling and management. At least one systems administrator responsible for IT systems with Restricted information shall complete a certification program for Information Security based on the SANS Security 351 "Computer and Network Security Awareness" on a one-time basis. These systems administrators shall be certified to the National Information Assurance Training Standard for System Administrators (NSTISSI-4013), or similar certification (SANS, Security+, CompTIA) that will be equivalent to the DoD 8570 IAT Level II certification. Non-employee students shall be prohibited from handling Restricted information or managing IT systems that handle Restricted information.
- Evaluation and Audit. On an annual basis, the internal staff of an organization responsible for Restricted information will conduct a random audit of the security plan and implemented security controls. A gap analysis report with a remediation plan will be submitted to the organization's management and the university's Chief Information Security Officer.
- Personnel Controls. Background checks shall be performed on a periodic basis for all persons authorized to access, process, and store Restricted information. The University Department of Human Resources will determine the appropriate time intervals. Additionally, background checks for systems administrators of IT systems with Restricted information shall include a criminal background check, an employment record review, and a credit check.
- Labeling. All documents and communications containing Restricted information shall include labels indicating "Restricted" information is present. Typical examples are the use of document headers and footers and/or watermarks with the label "Restricted."
- Business Continuity Planning. Departments with Restricted information systems and critical IT infrastructure may, upon management discretion, develop and implement business continuity planning.
- Facility Access. All server resources that process, store, and manage Restricted information shall be hosted in a facility that permits auditable physical access controls which will protect the technology, the work force, and the resident Restricted information through:
- Protection from unauthorized physical access, tampering, and theft.
- Controlled physical access entries to the facility, with appropriate access logging. Access shall be reviewed annually and require re-authorization. Persons no longer needing physical access shall be removed from access within 1 working day of notification of change in status.
- Access to rooms containing information technology infrastructure must be controlled to permit only authorized persons access to server resources. This group of authorized persons must be the minimum number of persons with a documented need
- Appropriate fire protection/suppression capabilities as required by law.
- Appropriate environmental controls such as cooling, humidity controls.
- Electrical power requirements and emergency interruptible power supplies.
- Access Controls and Validation.
- No Restricted data shall be made publicly available in an IT system or visible format without access controls to ensure only authorized individuals are granted access.
- All server resources that process, store, and manage Restricted information shall be protected by access controls which ensure that only authorized persons have access to the system and data.
- All paper-based records with Restricted information shall use mechanisms to prevent unauthorized access such as storage in locked cabinets and locked office spaces.
- Access must be approved by data owners and authorized by the Information Security
Use. All workstation resources that process, store, and manage Restricted information shall be controlled to prevent improper usage that may lead to unauthorized access to, loss, or damage to the integrity of Restricted information.
- All workstations and other devices must be pre-approved by organizational management for processing Tier III information. Note that Tier I and Tier II configuration standards
- No Restricted information may be permanently stored on single user workstations or laptops. All Restricted information must be maintained on Tier III secured servers.
- Transmission of Restricted information shall employ encrypted communications methods (e.g. use of the Case VPN or SSL based communications). Temporary local storage shall be protected by approved encryption methods and technologies to prevent
- Theft prevention and recovery software shall be required for mobile workstations used for Restricted information access to mitigate the likelihood of data disclosure in the event of loss or theft.
At the end of their life cycles, all IT resources that process, store, and manage Restricted information shall be disposed of in accordance with the Case data disposal procedure, which includes hard disk overwrite
- Login Screen.
All hosts that support a screen shall be configured to require individual users to login with credentials (e.g. username and password). Hosts shall not be configured to auto-login. Special exceptions for managed kiosk devices will be made on a case-by-case basis, and must be approved by
System Hardening and Administrative Procedures. All hosts shall undergo some basic hardware and operating system assessment and configuration to assure that default options do not permit easy and rapid host compromise. Basic hardening can be implemented via local policy, or via a managed network environment (e.g. Active Directory Group Policy). Specific examples include:
- Minimizing unnecessary network based services and ports. The use of the SANS/FBI Top 20 List can be a key guideline in hardening a host.
- All system users shall have unique accounts to maintain accountability for system actions. Following the principle of least privilege, users should have the minimum privileges necessary for daily operations, only using an account with Administrator or root privileges when needed for system maintenance. Remote access is performed with a standard user account, then 'sudo' or 'RunAs' procedures are used to perform administrative functions.
- Remote access to Unix or Linux-based systems shall not permit the root user to connect remotely.
- All vendor-supplied default user names and passwords shall be changed before systems are approved for operational
- Clear text communications protocols for server administration shall be disabled (encrypt all non-console administrative access).
- Session idle timeouts shall be set to lock screens or logout connections after 15 minutes of idle time.
- Additional configuration guidance checklists
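The hardening items above are auditable from a handful of host files. The following script is an added example, not part of the Case procedure or its checklists: it checks constructed sample inputs against four of the controls (no remote root login over SSH, no clear-text administrative services, a 15-minute idle timeout, and unique accounts with no shared UID-0 logins). The list of clear-text services, the use of the shell `TMOUT` variable as the idle-timeout mechanism, and all sample file contents are assumptions made for the example; on a real host the inputs would be read from `/etc/ssh/sshd_config`, the service manager, `/etc/profile.d/*.sh` and `/etc/passwd`.

```python
"""Tier III host-hardening audit.

Added example (not part of the Case procedure): checks a host against four of
the controls listed above - no remote root login over SSH, no clear-text
administrative services, an idle timeout of at most 15 minutes, and unique
accounts with no shared UID-0 logins.  All inputs are constructed sample
files; on a real host they would come from /etc/ssh/sshd_config, the service
manager, /etc/profile.d/*.sh and /etc/passwd.
"""
import re
from typing import List, Optional

IDLE_TIMEOUT_LIMIT_SECONDS = 15 * 60          # "15 minutes of idle time"
# Assumed list of services whose administrative traffic is clear text.
CLEARTEXT_ADMIN_SERVICES = {"telnet", "rsh", "rlogin", "rexec", "ftp", "tftp"}


def sshd_setting(sshd_config: str, keyword: str) -> Optional[str]:
    """Effective global value of an sshd_config keyword.

    sshd applies the first occurrence of a keyword, so the first match wins;
    scanning stops at the first Match block because keywords inside it are
    conditional and need their own evaluation."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None


def audit_host(sshd_config: str, enabled_services: List[str],
               profile: str, passwd: str) -> List[str]:
    """Return a list of findings; an empty list means the four checks pass."""
    findings = []

    # Control: root may not connect remotely. sshd's own default is
    # "prohibit-password", which still allows key-based root logins.
    root_login = sshd_setting(sshd_config, "PermitRootLogin")
    if root_login is None or root_login.lower() != "no":
        findings.append("PermitRootLogin is %s; must be 'no'"
                        % (root_login or "unset (sshd default)"))

    # Control: clear-text protocols for server administration are disabled.
    for svc in enabled_services:
        if svc.lower() in CLEARTEXT_ADMIN_SERVICES:
            findings.append("clear-text administrative service enabled: " + svc)

    # Control: sessions lock or log out after 15 minutes idle (shell TMOUT).
    m = re.search(r"^\s*(?:export\s+)?TMOUT=(\d+)", profile, re.M)
    tmout = int(m.group(1)) if m else None
    if tmout is None or tmout == 0 or tmout > IDLE_TIMEOUT_LIMIT_SECONDS:
        findings.append("shell idle timeout TMOUT=%s; must be 1..%d seconds"
                        % (tmout, IDLE_TIMEOUT_LIMIT_SECONDS))

    # Control: unique accounts for accountability; only 'root' holds UID 0.
    rows = [l.split(":") for l in passwd.splitlines() if l.strip()]
    shared_root = [r[0] for r in rows if r[2] == "0" and r[0] != "root"]
    if shared_root:
        findings.append("additional UID-0 accounts: %s" % shared_root)
    names = [r[0] for r in rows]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        findings.append("duplicate account names: %s" % dupes)
    return findings


# Constructed sample inputs: one host that fails every check, one that passes.
NONCOMPLIANT_SSHD = "Port 22\nPermitRootLogin yes\n"
NONCOMPLIANT_SERVICES = ["sshd", "telnet", "cron"]
NONCOMPLIANT_PROFILE = "# no idle timeout configured\n"
NONCOMPLIANT_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                       "toor:x:0:0:second root:/root:/bin/bash\n"
                       "ops:x:1001:1001::/home/ops:/bin/bash\n")

COMPLIANT_SSHD = ("Port 22\n"
                  "# admins log in as themselves, then use sudo\n"
                  "PermitRootLogin no\n")
COMPLIANT_SERVICES = ["sshd", "cron"]
COMPLIANT_PROFILE = "export TMOUT=900\nreadonly TMOUT\n"
COMPLIANT_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                    "alice:x:1001:1001::/home/alice:/bin/bash\n")

if __name__ == "__main__":
    for label, args in (("noncompliant", (NONCOMPLIANT_SSHD, NONCOMPLIANT_SERVICES,
                                          NONCOMPLIANT_PROFILE, NONCOMPLIANT_PASSWD)),
                        ("compliant", (COMPLIANT_SSHD, COMPLIANT_SERVICES,
                                       COMPLIANT_PROFILE, COMPLIANT_PASSWD))):
        print(label, audit_host(*args) or "no findings")
```

The `sshd_setting` helper deliberately stops at the first `Match` block and takes the first occurrence of a keyword, because that is how sshd resolves a global setting; an audit that simply grepped the last `PermitRootLogin` line would report the wrong effective value on files that set it twice.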
Tier III systems shall be protected by University infrastructure firewalls (e.g., housed in a Data Center). Additional data center firewall rules shall be implemented to restrict network connections to the minimum necessary for operation and function of the server. Specific requirements include:
- Firewall and router configuration standards shall conform to industry best practices.
- The firewalls shall follow a "default deny" stance from all untrusted environments that are not explicitly allowed.
- Firewalls shall prohibit direct public access to systems storing Restricted data (data shall be segregated from publicly available applications and services such as web services).
- Firewalls should conceal addressing schemes of Tier III systems from untrusted environments.
- Firewalls (local or network) shall be configured to perform network egress filtering to deny server-initiated outbound connections not associated with the operational function of
- Network firewalls will be applied in accordance with the Network
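The "default deny" and egress-filtering requirements above amount to one explicit allow list evaluated in both directions. The following is an added example, not the university's firewall configuration: a small model that decides each connection from that list (anything not listed is denied, inbound or outbound, so there is no public path to the data system and the server cannot initiate unlisted outbound connections) and renders the same list as an nftables ruleset with a drop policy on both chains. The subnets, hosts, ports and purposes are constructed for the example.

```python
"""Default-deny firewall policy for a Tier III server.

Added example (not the university's firewall configuration): the rules above
expressed as an explicit allow list that is evaluated in both directions.
Inbound connections are denied unless a rule admits them (no public path to
the data system), and server-initiated outbound connections are denied unless
they serve a listed operational function (egress filtering).  The same list
is rendered as an nftables ruleset with a drop policy on both chains.
Addresses, networks and purposes are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str          # "in": peer connects to the server; "out": server initiates
    peer_net: object        # ipaddress network of the remote side
    port: int
    proto: str = "tcp"
    purpose: str = ""


@dataclass(frozen=True)
class Conn:
    direction: str
    peer: object            # ipaddress address of the remote side
    port: int
    proto: str = "tcp"


def conn(direction: str, peer: str, port: int, proto: str = "tcp") -> Conn:
    """Build a connection attempt from a dotted-quad string."""
    return Conn(direction, ipaddress.ip_address(peer), port, proto)


# Constructed allow list. There is deliberately no inbound rule from
# 0.0.0.0/0: the data system is segregated from public-facing services.
ALLOW: List[Rule] = [
    Rule("in", ipaddress.ip_network("10.20.5.0/24"), 22, "tcp", "admin ssh from management subnet"),
    Rule("in", ipaddress.ip_network("10.20.30.0/24"), 5432, "tcp", "database queries from app tier"),
    Rule("out", ipaddress.ip_network("10.20.1.10/32"), 514, "udp", "syslog to central log server"),
    Rule("out", ipaddress.ip_network("10.20.1.20/32"), 443, "tcp", "patch mirror"),
]


def evaluate(c: Conn, rules: List[Rule] = ALLOW) -> Tuple[str, str]:
    """Return ("allow", purpose) for the first matching rule, else a default deny."""
    for r in rules:
        if (r.direction == c.direction and r.proto == c.proto
                and r.port == c.port and c.peer in r.peer_net):
            return "allow", r.purpose
    if c.direction == "out":
        return "deny", "egress filtering: outbound connection not tied to an operational function"
    return "deny", "default deny: no explicit inbound rule"


def render_nft(rules: List[Rule] = ALLOW, table: str = "tier3") -> str:
    """Render the allow list as an nftables ruleset. Both chains default to
    drop; besides the listed rules only loopback traffic and replies to
    already accepted connections pass."""
    lines = ["table inet %s {" % table]
    for chain, key, iface in (("input", "saddr", "iif"), ("output", "daddr", "oif")):
        lines += ["  chain %s {" % chain,
                  "    type filter hook %s priority 0; policy drop;" % chain,
                  "    ct state established,related accept",
                  "    %s lo accept" % iface]
        for r in rules:
            if (r.direction == "in") == (chain == "input"):
                lines.append('    ip %s %s %s dport %d accept comment "%s"'
                             % (key, r.peer_net, r.proto, r.port, r.purpose))
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for c in (conn("in", "10.20.5.7", 22), conn("in", "203.0.113.9", 5432),
              conn("out", "10.20.1.10", 514, "udp"), conn("out", "198.51.100.1", 443)):
        print(c.direction, c.peer, c.proto, c.port, "->", evaluate(c))
    print(render_nft())
```

The `ct state established,related accept` line is what lets a server with a drop policy on `output` still answer the inbound connections it accepted; without it, egress filtering would also break the permitted services.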
All Tier III systems shall have open source encryption utilities available and implemented for protection of Restricted data from
- The use of encrypted protocols for network communications (e.g. ssh, SSL, sftp, etc.) supporting administrative operations is required.
- Communication of Restricted data via email in clear text is prohibited. Communication utilizing end-to-end encryption methods shall be used for Restricted data.
- Users are discouraged from using mobile systems (e.g. laptops) to store and process Restricted data. If needed, mobile systems shall employ appropriate encryption techniques to protect stored Restricted data from loss or disclosure.
- Considerations shall be made for encryption key management by data owners to ensure data availability is maintained by the university.
Management. All Tier III systems shall be periodically evaluated for system and system software vulnerabilities.
- Tier III systems in the Data Centers shall undergo weekly vulnerability assessments.
- Systems administrators shall mitigate or close discovered vulnerabilities on a negotiated schedule based on system risk and data owner needs.
- Systems with open vulnerabilities that constitute a significant risk to the Restricted data or Tier III environment may be subject to network access removal until mitigated.
System and Software Security Updates.
applicable, all hosts shall be configured to receive and implement security updates to software and operating system software within a time frame of 1 month after the release of updates by software vendors. Occasional out of band patches shall be applied if risk levels warrant such action. It is expected that Tier III servers are managed by competent IT staff who shall apply patches expeditiously. Operational needs may support variance from the patch time frame with the written approval of the Data Owner.
Security. Application security is of equal importance as network and operating system security with regard to Restricted
- Software development must involve reviews for design, implementation, and logic vulnerabilities before a system will receive management approval to operate.
- Change control procedures exist and are
- Protections are in place to ensure the integrity of application code.
- Applications with Restricted data must perform user data input validation.
- Error handling routines must not disclose system architectural details.
- Default passwords or vendor credentials shall be removed before Restricted data are placed on the systems or systems
- Application logging shall include success, failure, and privilege escalation.
Utilities. Users of mobile systems (e.g. PC, notebook computers, PDAs, etc.) are highly discouraged from using them to store and process Restricted information; however, when such a need arises, anti-theft technologies are required. The use of locking cables is highly recommended. Software-based tracking services are required.
- Data Backup.
Tier I data that is of value to the user should be retained in a backup capability to mitigate the impact of hardware failure, loss, and theft. Case has a branded partnership for online backup services through Carbonite (PC users).
- Research Data.
Certain data systems associated with Federally funded research may be subject to additional security controls. These controls will be applied to a small subset of systems that shall also comply with Tier III controls. These controls shall be addressed by individual systems and written into applicable systems security plans.
- Health Insurance Portability and Accountability Act (HIPAA) Covered Entity data shall comply with a local HIPAA security plan, or the controls defined by the Investigation Review Board for the covered entity responsible for the research.
- Electronic Private Health Information (ePHI) may have similar data security requirements.
- Family Educational Rights Protection Act (FERPA) has additional constraints under the stewardship of the
Case End Users: Assure controls based on Case information categories are implemented.
Departmental IT Staff: Manage IT systems with the goal of maintaining confidentiality, integrity, and availability of IT systems for the department and the university.
Case ITS Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.
Chief Information Security Officer: Assure compliance with the protection requirements for Restricted data.
Data Owners: Develop security plans to assure that Tier III applied where applicable to protect Restricted data. Assume responsibility for data protection and risk management of IT systems and data.
Host: Any network capable device utilizing network services. A host may be a personal computer, a network appliance, server resources, printers, scanners, copiers, or similar electronic
Data Owner: A Data Owner is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. This person has financial and administrative responsibility for the protection, use, and management of the data.
Systems administrator: A technically trained university staff member with responsibility for implementing IT systems. Any person with "administrator" or "root" privileges to an IT system with Restricted information is considered a systems administrator for compliance
Student employee: A university student who is employed part time to fulfill a technical role or complete IT tasking. These are most typically undergraduate students. Graduate and professional students performing IT roles as part of their research or thesis work are considered university employees.
End-to-end encryption: The information is encrypted once at the original encryption source and decrypted at the destination source. Speed and overall security are advantages. Note that only the data is encrypted, not the routing information.
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.