New York Six Liberal Arts Consortium: Colgate University, Hamilton College, Hobart & William Smith Colleges, St. Lawrence University, Skidmore College, Union College

PROCEDURE: DATA CLASSIFICATION AND HANDLING
EFFECTIVE: 09-19-2017
1.0 PURPOSE

Classification of data is a critical element of any mature information security program and is fundamental to securing New York Six Liberal Arts Consortium (NY6) information assets. This procedure has been developed to assist, provide direction to and govern all entities of the organization regarding the identification, classification and handling of information assets. The Campus expects all third-party service providers to adhere to the institutions' security policies. If non-public information is to be accessed by or shared with these third parties, they should be bound by contract to abide by these requirements.
2.0 DEFINITIONS

Data: Information in a specific representation, usually as a sequence of symbols that have meaning.

Data Asset: Any entity that is comprised of data. The terms "information asset" and "data asset" are used interchangeably throughout this document.

Personally Identifiable Information (PII) is defined as the first name or first initial and last name, in combination with any one or more of the following data elements:
• Government-issued identification number
  o Social Security Number (SSN) / Taxpayer Identification Number (TIN) / National Identification Number (NIN) / other similar national identification
  o Passport number
  o Permanent resident card
• Driver License (DL) number
• Financial account number
  o Payment card number (credit or debit)
  o Bank account number
• Electronic Protected Health Information (ePHI)

Electronic Protected Health Information (ePHI): A combination of two or more data elements that uniquely identify an individual and would provide knowledge of medical information about the individual, as defined by the Health Insurance Portability and Accountability Act (HIPAA).

File Transfer Protocol (FTP): A standard network protocol used for the transfer of computer files between a client and a server on a computer network.

Instant Messaging: A type of chat offering real-time text transmission over the internet or another communication medium (e.g. cellular, Near-Field Communication (NFC), etc.).

Institution Financial Information: Information about the institution's finances, investments or investment strategies that is not public knowledge.

Payment Card Industry (PCI): Data associated with payment cards issued by the major payment brands (Visa, MasterCard, AMEX, Discover, etc.).

Payment Card Industry (PCI) Data or "Cardholder" Data: Account data associated with payment cards issued by the major payment brands (Visa, MasterCard, AMEX, Discover, etc.). It includes the Primary Account Number (PAN), expiration date and card verification code. (Note that PCI DSS does not permit the card verification code to be stored after authorization, even in encrypted form.)

Intellectual Property (IP): Information about works, inventions or any other intellectual materials that give the institution a competitive advantage.

Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.

Availability: Ensuring timely and reliable access to and use of information.

Source: Committee on National Security Systems Instruction No. 4009 (CNSSI-4009)
3.0 ROLES AND RESPONSIBILITIES

• IT Security – Responsible for creating and managing many of the asset inventories used to store, process, transmit or provide access to electronic information. ITS is the custodian for this procedure.
• Chief Information Officer (CIO) – Responsible for monitoring the implementation of this procedure and reporting to senior management on any abnormal findings or exceptions.
• All Employees –
  o Responsible for classifying and marking all created or modified information, including any reproductions that are made (e.g. reports).
  o Responsible for handling all classified information (electronic or non-electronic) in accordance with Step 5 of Section 6.
4.0 DATA CLASSIFICATION LEVELS

Information assets shall be handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods, among others.

Information assets are assigned a classification level based on the appropriate audience for the information. If the information has been previously classified by regulatory, legal, contractual or institution directive, then that classification will take precedence. The classification level then guides the selection of protective measures to secure the information. All information assets are to be assigned one of the following three classification levels:

CLASSIFICATION: CONFIDENTIAL
Definition
- Confidential information is highly valuable, highly sensitive institution information. The level of protection is generally dictated externally by legal and/or contractual requirements, but may also be generated internally as it relates to relevant confidential institutional information.
- Confidential information must be limited to only authorized employees, contractors and business partners with a specific business need.
Potential Impact
- Significant damage would occur if Confidential information were to become available to unauthorized parties either internal or external to Union. The impact will negatively affect Union's compliance with regulatory requirements, damage the institution's reputation, and pose an identity theft risk.

CLASSIFICATION: SENSITIVE
Definition
- Sensitive information is highly valuable, sensitive institution information, and the level of protection is dictated internally by Union.
- Sensitive information is information originated or owned by Union, or entrusted to it by others. Sensitive information may be shared with authorized employees, contractors and business partners who have a business need, but may not be released to the general public, due to the negative impact it might have on the institution's business interests.
Potential Impact
- Moderate damage would occur if Sensitive information were to become available to unauthorized parties either internal or external to Union. The impact could include negatively affecting Union's reputation, violating contractual requirements, and exposing personal information about Union's employees or students.

CLASSIFICATION: PUBLIC
Definition
- Public information is information that has been approved for release to the general public and is freely shareable both internally and externally.
Potential Impact
- Minimal or no damage would occur if Public information were to become available to parties either internal or external to Union. The impact would not be damaging to Union's reputation or a risk to institution operations.
5.0 DATA CLASSIFICATION LABELING

Data classification labeling is the practice of marking an information system or document with its appropriate classification level, based on the type of information it contains, so that others know how to handle the information appropriately. There are several methods for labeling information assets.

• Printed: Information that can be printed (e.g., spreadsheets, files, reports, drawings, or handouts) should contain one of the following confidentiality labels in the document footer on every printed page, or simply the words if the graphic is not technically feasible. The exception to labeling is marketing material, since marketing material is primarily developed for public release.
• Displayed: Confidential or Sensitive information that is displayed or viewed (e.g., websites, presentations, etc.) must be labeled with its classification as part of the display.

CONFIDENTIAL   Access Limited to Authorized Personnel Only
SENSITIVE      Access Limited to Internal Use Only
PUBLIC         Public Release Authorized

GENERAL GUIDELINES

• Any information created or received by Union employees in the performance of their job at Union is Sensitive (Internal Use) by default, unless the information requires a higher classification or is approved for release to the general public.
• Treat information that is not assigned a specific classification level as Sensitive at a minimum and use the corresponding controls.
• When combining information with different sensitivity levels into a single application or database, assign the most restrictive classification to the combined asset. For example, if an application contains Sensitive and Confidential information, the entire application is Confidential.
• Confidential and Sensitive information must never be released to the general public, but may be shared with third parties, such as government agencies, business partners or consultants, when there is a business need to do so and the appropriate security controls are in place according to the level of classification.
• You may not change the format or media of information if the new format or media you will be using does not have the same level of security controls in place. For example, you may not export Confidential information from a secured database to an unprotected Microsoft Excel spreadsheet.
6.0 PROCEDURE

STEP 1 – IDENTIFY DATA ASSET

Identification of information assets involves creating an inventory of all information assets in the organization.

In order to facilitate the classification of information assets and allow for a more efficient application of controls, it may be desirable to group information assets together. It is important to establish that the grouping of assets for classification is appropriate. A broad grouping may result in applying controls unnecessarily, as the information asset must be classified at the highest level necessitated by its individual data elements. For example, if Human Resources decides to classify all of their personnel files as a single information asset and any one of those files contains a name and social security number, the entire grouping would need to be protected with the controls for a confidentiality rating of High.

A narrow grouping allows for more precise targeting of controls. However, as there are more information assets to classify, this increases the complexity of the classification and the management of controls. Using the previous example, classifying the multitude of personnel files (e.g., appointment letters, timecards, position classifications, holiday waivers) as individual information assets requires a different set of controls for each classification.

In the case of a system (e.g., database, data warehouse, application server), it may be easier to apply controls if the system is classified as a single entity. However, costs may be reduced by applying the controls to the individual elements (e.g., field, record, application). Therefore, it is important that the organization evaluate the difference between the two to identify the most appropriate solution when determining the grouping of information assets for classification.

Example:

Asset Name       Asset Owner         Confidentiality   Integrity   Availability   Classification
Student Grades
Admission Data
Annual Report
Health Records
STEP 2 – IDENTIFY DATA ASSET OWNER

It is important to place the responsibility for the classification and control of an information asset with an individual or role. This should be an individual in a managerial position. If multiple individuals are found to be "owners" of the same information asset, a single owner should be designated by a higher level of management.

The information owner is responsible for determining the information's classification and how and by whom the information will be used.

Example:

Asset Name       Asset Owner         Confidentiality   Integrity   Availability   Classification
Student Grades   Registrar
Admission Data   VP of Admissions
Annual Report    Board of Trustees
Health Records   Health Director
STEP 3 – EVALUATE DATA ASSET

Use the flowchart below to identify the levels of classification for the confidentiality, integrity and availability of each information asset. Classification of data will be based on specific, finite criteria as identified in the Federal Information Processing Standard Publication 199 (FIPS-199). Please see Appendix A for details on FIPS-199 categories.

[Flowchart: decision tree for rating the confidentiality, integrity and availability of an asset as Low, Moderate or High; the graphic is not reproduced in this transcript.]

Examples:

Asset Name       Asset Owner         Confidentiality   Integrity   Availability   Classification
Student Grades   Registrar           High              High        High
Admission Data   VP of Admissions    Moderate          Moderate    Moderate
Annual Report    Board of Trustees   Low               Low         Low
Health Records   Health Director     High              Moderate    Moderate
STEP 4 – ASSIGN DATA CLASSIFICATION

Classification of a data asset will be based on the highest category assigned to Confidentiality, Integrity or Availability. If any category is rated High, the data asset shall be classified as Confidential. If all categories are rated Low, the data asset shall be classified as Public. All other data assets shall be classified as Sensitive.

Examples:

Asset Name       Asset Owner         Confidentiality   Integrity   Availability   Classification
Student Grades   Registrar           High              High        High           Confidential
Admission Data   VP of Admissions    Moderate          Moderate    Moderate       Sensitive
Annual Report    Board of Trustees   Low               Low         Low            Public
Health Records   Health Director     High              Moderate    Moderate       Confidential
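The rules of Steps 1 through 4, the Section 4 rule that a regulatory, legal or contractual classification takes precedence over the computed one, and the Section 5 rule that a combined application or database takes the most restrictive classification of its contents, applied to an asset inventory in code. This is an added example and not part of the NY6 procedure or any Union College tooling: the CSV inventory is constructed for the example (its first four rows mirror the Step 3 table; the "Campus Map" and "Payment Card Numbers" rows and the "system" and "mandated" columns are assumptions of the example, not columns the procedure prescribes), and all function names are the example's own.

```python
"""Classify an asset inventory by FIPS-199 high-water mark (added example; not
part of the NY6 Data Classification and Handling procedure)."""
import csv
import io
from dataclasses import dataclass
from typing import Optional

IMPACT = {"Low": 0, "Moderate": 1, "High": 2}        # FIPS-199 impact levels, ascending
CLASSES = ("Public", "Sensitive", "Confidential")    # Section 4 levels, least to most restrictive

# Constructed sample inventory for this example. The first four rows mirror the
# Step 3 example table; the remaining rows and the "system" / "mandated" columns
# are assumptions of the example, not part of the procedure.
INVENTORY_CSV = """\
asset,owner,system,confidentiality,integrity,availability,mandated
Student Grades,Registrar,SIS,High,High,High,
Admission Data,VP of Admissions,SIS,Moderate,Moderate,Moderate,
Annual Report,Board of Trustees,Web,Low,Low,Low,
Health Records,Health Director,Clinic,High,Moderate,Moderate,
Campus Map,Facilities,Web,Low,Low,Low,
Payment Card Numbers,Bursar,SIS,Moderate,Moderate,Low,Confidential
"""


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    system: str
    confidentiality: str
    integrity: str
    availability: str
    mandated: Optional[str] = None   # classification imposed by regulation/contract, if any


def parse_inventory(text: str) -> list[Asset]:
    """Steps 1 and 2: build the inventory, rejecting rows with no owner or bad ratings."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row["owner"].strip():
            raise ValueError(f"{row['asset']}: every asset needs a single owner (Step 2)")
        for col in ("confidentiality", "integrity", "availability"):
            if row[col] not in IMPACT:
                raise ValueError(f"{row['asset']}: {col} must be Low/Moderate/High, got {row[col]!r}")
        mandated = row["mandated"].strip() or None
        if mandated is not None and mandated not in CLASSES:
            raise ValueError(f"{row['asset']}: unknown mandated class {mandated!r}")
        assets.append(Asset(row["asset"], row["owner"], row["system"], row["confidentiality"],
                            row["integrity"], row["availability"], mandated))
    return assets


def validation_error(text: str) -> Optional[str]:
    """Return the first inventory validation error, or None when the inventory is clean."""
    try:
        parse_inventory(text)
    except ValueError as exc:
        return str(exc)
    return None


def high_water_mark(asset: Asset) -> str:
    """Step 4: any High -> Confidential; all Low -> Public; otherwise Sensitive."""
    worst = max(IMPACT[asset.confidentiality], IMPACT[asset.integrity], IMPACT[asset.availability])
    return CLASSES[worst]


def classify(asset: Asset) -> str:
    """Section 4: a prior regulatory, legal or contractual classification takes precedence."""
    return asset.mandated or high_water_mark(asset)


def classify_systems(assets: list[Asset]) -> dict[str, str]:
    """Section 5: a system holding assets of several levels is classified at the most
    restrictive level among them."""
    result: dict[str, str] = {}
    for asset in assets:
        cls = classify(asset)
        current = result.get(asset.system)
        if current is None or CLASSES.index(cls) > CLASSES.index(current):
            result[asset.system] = cls
    return result


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    for asset in inventory:
        print(f"{asset.name:<22} {asset.owner:<18} {classify(asset)}")
    for system, cls in classify_systems(inventory).items():
        print(f"system {system}: {cls}")
```

The per-system roll-up is where the Step 1 grouping trade-off shows up in practice: because "Admission Data" shares the SIS with "Student Grades", the whole SIS is Confidential and inherits the Confidential controls of Step 5, which is exactly the over-protection a narrower grouping would avoid.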
STEP 5 – IMPLEMENT DATA HANDLING CONTROLS

Information assets shall be labelled (if possible) and handled according to their prescribed classification, including access controls, labeling, retention policies and destruction methods, among others. The following controls shall be applied to data assets, based on their classification:

Non-Disclosure Agreement (NDA)
  Confidential: • NDA is required prior to access by non-Union employees
  Sensitive:    • NDA is required prior to access by non-Union employees
  Public:       • N/A

Access
  Confidential:
    • Strong password(s)
    • Access request, review, approval and termination process
    • Asset Owner-approved access
    • Non-Disclosure Agreement (NDA) for third parties
    • Immediate retrieval when printing or faxing
    • Secure storage when not in use
    • Situational awareness for verbal communications
  Sensitive:
    • Password(s)
    • Access request, review, approval and termination process
    • Secure storage when not in use
    • Situational awareness for verbal communications
  Public:
    • Access request, review, approval and termination process

Cloud-based Storage (Dropbox, OneDrive, Google Drive)
  Confidential: • Only use Union's Google Drive
  Sensitive:    • Only use Union's Google Drive
  Public:       • None

Email (with and without attachments)
  Confidential:
    • To other Union employees: Union's Google Mail solution
    • To non-Union employees: All information encrypted using MS Office password protection (convey the password through a separate channel, never in the same message as the attachment)
  Sensitive:
    • To other Union employees: Union's Google Mail solution
    • To non-Union employees: All information encrypted using MS Office password protection
  Public:
    • None

Encryption
  Confidential:
    • Encryption during creation, storage, processing and transmission
    • Encryption for third parties
  Sensitive:
    • Encryption during transmission
    • Encryption for third parties
  Public:
    • None

Internal & External Network Transmission (wired & wireless)
  Confidential:
    • Encryption is required
    • Instant Messaging is prohibited
    • Non-IT-approved FTP solutions are prohibited
    • Remote access should be used only when necessary and only with approved VPN and two-factor authentication solutions
  Sensitive:
    • Encryption is required
    • Instant Messaging is prohibited
    • Non-IT-approved FTP solutions are prohibited
  Public:
    • None

Faxing/Printing
  Confidential:
    • Verify destination printer
    • Attend fax/printer while printing
  Sensitive:
    • Verify destination printer
    • Attend fax/printer while printing
  Public:
    • None

Labelling
  Confidential: • Document watermark
  Sensitive:    • None
  Public:       • None

Mobile Devices (iPhone, iPad, MP3 player, USB drive, etc.)
  Confidential: • Encryption is required
  Sensitive:    • Encryption is required
  Public:       • None

Monitoring
  Confidential:
    • Security monitoring and alerting
    • Privileged identity monitoring
  Sensitive:
    • None
  Public:
    • None

Removable Media (flash drives, jump drives, external hard drives, CDs, DVDs, etc.)
  Confidential: • Only use IT-approved solutions
  Sensitive:    • Only use IT-approved solutions
  Public:       • None

Retention
  Confidential:
    • Backup testing and verification
    • Inclusion in Business Continuity and Disaster Recovery Plans
    • Redundancy or automatic failover
    • Offsite backup
    • Secure physical storage
  Sensitive:
    • Backup testing and verification
    • Inclusion in Business Continuity and Disaster Recovery Plans
  Public:
    • None

Destruction
  Confidential: • Approved secure destruction solutions, including shredding and secure wiping
  Sensitive:    • Approved secure destruction solutions, including shredding and secure wiping
  Public:       • None

Audit
  Confidential: • Annual controls audit
  Sensitive:    • Biennial controls audit
  Public:       • None

Physical
  Confidential:
    • Secure courier when shipping
    • Media possession at all times
    • Mark "Open by Addressee Only"
    • Use "Certified Mail" and sealed, tamper-resistant envelopes for external mailings
    • Delivery confirmation is required
  Sensitive:
    • Secure courier when shipping
    • Media possession at all times
    • Mark "Open by Addressee Only"
    • Use "Certified Mail" and sealed, tamper-resistant envelopes for external mailings
    • Delivery confirmation is required
  Public:
    • None
7.0 DATA CLASSIFICATION EXAMPLES

The following table depicts examples of sensitive data elements and their assigned classification (Public, Sensitive or Confidential). The column in which each element's mark was placed did not survive extraction of this transcript, so the elements are listed here by category only; the PII definition in Section 2 and the rule in Step 4 determine the level for each.

Personally Identifiable Information
• Social Security Number (SSN)
• Employer Identification Number (EIN)
• Driver's License (DL) Number
• Financial Account Number
• Payment Card Number (credit or debit)
• Government-Issued Identification (e.g., passport, permanent resident card, etc.)
• Electronic Protected Health Information
• Birth Date
• First & Last Name
• Age
• Phone and/or Fax Number
• Home Address
• Gender
• Ethnicity
• Email Address

Other Employee Data
• Protected Data Related to Research
• Compensation & Benefits Data
• Medical Data
• Workers Compensation Claim Data
• Education Data
• Dependent or Beneficiary Data

Student-Related Data
• Academic Transcript
• Class Schedule
• Individual Grades
• Major
• Degree
• Advising Notes

Marketing Data
• Business Plan (including marketing strategy)
• Financial Data Related to Revenue Generation
• Marketing Promotions Development
• Internet-Facing Websites (e.g., institution website, social networks, blogs, promotions, etc.)
• News Releases

Networking & Infrastructure Data
• Username & Password Pairs
• Public Key Infrastructure (PKI) Cryptographic Keys (public and private)
• Hardware or Software Tokens (multifactor authentication)
• System Configuration Settings
• Regulatory Compliance Data
• Internal IP Addresses
• Privileged Account Usernames
• Service Provider Account Numbers

Intellectual Property
• Formulas
• Research and Development

Strategic Financial Data
• Corporate Tax Return Information
• Legal Billings
• Budget-Related Data
• Unannounced Merger and Acquisition Information
• Trade Secrets (e.g., design diagrams, competitive information, etc.)

Operating Financial Data
• Electronic Payment Information (Wire Payment/ACH)
• Paychecks
• Incentives or Bonuses (amounts or percentages)
• Stock Dividend Information
• Bank Account Information
• Investment-Related Activity
• Account Information (e.g., stocks, bonds, mutual funds, money markets, etc.)
• Debt Amount Information
• SEC Disclosure Information
8.0 REFERENCES

• Policy – New York Six (NY6) – Data Classification and Handling
• Quick Reference – New York Six (NY6) Data Classification and Handling
• Committee on National Security Systems Instruction No. 4009 (CNSSI-4009)
• Federal Information Processing Standard Publication 199 (FIPS-199), Standards for Security Categorization of Federal Information and Information Systems
9.0 REVISION HISTORY

Version   Date       Author                Revisions
1.00      02-10-15   GreyCastle Security   Original
1.01      04-01-15   GreyCastle Security   Union College Updates
1.02      05-06-15   GreyCastle Security   Union College Updates
1.03      02-04-16   GreyCastle Security   Union College Updates
1.04      02-18-16   GreyCastle Security   Union College Updates
1.05      03-02-16   GreyCastle Security   Union College Updates
1.06      03-03-16   GreyCastle Security   Union College Updates
1.07      03-04-16   GreyCastle Security   Union College Updates
1.08      03-09-16   GreyCastle Security   Union College Updates
1.09      03-15-16   GreyCastle Security   Union College Updates
1.10      04-19-16   GreyCastle Security   Union College Updates
1.11      05-09-16   GreyCastle Security   Union College Updates
1.12                 GreyCastle Security   Updates based on DC Workshop
1.13      09-14-17   GreyCastle Security   Review and update of Union Changes
1.14      09-18-17   GreyCastle Security   Union College Updates
APPENDIX A – FIPS 199 CATEGORIES