procedure: data classification and handling...1.0 purpose classification of data is a critical...

New York Six Liberal Arts Consortium Colgate University, Hamilton College, Hobart & William Smith Colleges

St. Lawrence University, Skidmore College, Union College 1of17

PROCEDURE: DATACLASSIFICATIONAND

HANDLINGEFFECTIVE: 09-19-2017

1.0PURPOSE

ClassificationofdataisacriticalelementofanymatureinformationsecurityprogramandfundamentaltosecuringNewYorkSixLiberalArtsConsortium(NY6)informationassets.Thisprocedurehasbeendevelopedtoassist,providedirectiontoandgovernallentitiesoftheorganizationregardingidentification,classificationandhandlingofinformationassets.TheCampusexpectsallthirdpartyserviceproviderstoadheretotheinstitutions’securitypolicies.Ifnon-publicinformationistobeaccessedorsharedwiththesethirdparties,theyshouldbeboundbycontracttoabidebytheserequirements.

2.0DEFINITIONS

Data:Informationinaspecificrepresentation,usuallyasasequenceofsymbolsthathavemeaning.

DataAsset:Anyentitythatiscomprisedofdata.Theterms“informationasset”and“dataasset”areusedinterchangeablythroughoutthisdocument.

PersonallyIdentifiableInformation(PII)isdefinedasthefirstnameorfirstinitialandlastname,incombinationwithanyoneormoreofthefollowingdataelements:

• Government-IssuedIdentificationNumbero SocialSecurityNumber(SSN)/TaxpayerIdentificationNumber(TIN)/

NationalIdentificationNumber(NIN)/Othersimilarnationalidentification

o Passportnumbero Permanentresidentcard

• DriverLicense(DL)Number



• Financialaccountnumber:o Paymentcardnumber(creditordebit)o Bankaccountnumbero ElectronicProtectedHealthInformation(ePHI)

ElectronicProtectedHealthInformation(ePHI):AcombinationoftwoormoredataelementsthatuniquelyidentifyanindividualthatwouldprovideknowledgeofmedicalinformationabouttheindividualasdefinedbytheHealthInsurancePortabilityandAccountabilityAct(HIPAA).

Filetransferprotocol(FTP):Astandardnetworkprotocolusedforthetransferofcomputerfilesbetweenaclientandserveronacomputernetwork.

InstantMessaging:Atypeofchatofferingreal-timetexttransmissionovertheinternetorothercommunicationmedium(e.g.cellular,Near-FieldCommunication(NFC),etc.).

InstitutionFinancialInformation:Informationabouttheinstitution’sfinances,investmentsorinvestmentstrategiesthatarenotpublicknowledge.

PaymentCardIndustry(PCI):Dataassociatedwithpaymentcardsissuedbythemajorpaymentbrands(Visa,MasterCard,AMEX,Discover,etc.).

PaymentCardIndustry(PCI)Dataor“Cardholder”Data:Accountdataassociatedwithpaymentcardsissuedbythemajorpaymentbrands(Visa,MasterCard,AMEX,Discover,etc.).ItincludesthePrimaryAccountNumber(PAN),expirationdateandcardverificationcode.

IntellectualProperty(IP):Informationaboutworks,inventionsoranyotherintellectualmaterialsthatgivetheinstitutionacompetitiveadvantage.

Confidentiality:Preservingauthorizedrestrictionsonaccessanddisclosure,includingmeansforprotectingpersonalprivacyandproprietaryinformation.

Integrity:Guardingagainstimproperinformationmodificationordestruction,includingensuringinformationnonrepudiationandauthenticity.

Availability:Ensuringtimelyandreliableaccesstoanduseofinformation.

Source:CommitteeonNationalSecuritySystemsInstructionNo.4009(CNSSI-4009)



3.0ROLESANDRESPONSIBILITIES

• ITSecurity–Responsibleforcreatingandmanagingmanyoftheassetinventoriesusedtostore,process,transmitorprovideaccesstoelectronicinformation.ITSisthecustodianforthisprocedure.

• ChiefInformationOfficer(CIO)–Responsibleformonitoringtheimplementationofthisprocedureandreportingtoseniormanagementonanyabnormalfindingsorexceptions.

• AllEmployees–

o Responsibleforclassifyingandmarkingallcreatedormodifiedinformation,includinganyreproductionsthataremade(e.g.reports).

o Responsibleforhandlingallclassifiedinformation(electronicornon-electronic)inaccordancewithStep5ofSection6.

4.0DATACLASSIFICATIONLEVELS

Informationassetsshallbehandledaccordingtotheirprescribedclassification,includingaccesscontrols,labeling,retentionpoliciesanddestructionmethods,amongothers.

Informationassetsareassignedaclassificationlevelbasedontheappropriateaudiencefortheinformation.Iftheinformationhasbeenpreviouslyclassifiedbyregulatory,legal,contractualorinstitutiondirective,thenthatclassificationwilltakeprecedence.Theclassificationlevelthenguidestheselectionofprotectivemeasurestosecuretheinformation.Allinformationassetsaretobeassignedoneofthefollowingthreeclassificationlevels:

CLASSIFICATION DATACLASSIFICATIONDESCRIPTION

CONFIDENTIAL Definition

-Confidentialinformationishighly-valuable,highly-sensitiveinstitutioninformation.Thelevelofprotectionisgenerallydictatedexternallybylegaland/orcontractualrequirements,butmayalsobegeneratedinternallyasitrelatestorelevantconfidentialinstitutionalinformation.-Confidentialinformationmustbelimitedtoonlyauthorizedemployees,contractorsandbusinesspartnerswithaspecificbusinessneed.



CLASSIFICATION DATACLASSIFICATIONDESCRIPTION

PotentialImpact

SignificantdamagewouldoccurifConfidentialinformationweretobecomeavailabletounauthorizedpartieseitherinternalorexternaltoUnion.TheimpactwillnegativelyaffectUnion’s’scompliancewithregulatoryrequirements,damagingtheinstituion’sreputation,andposinganidentitytheftrisk.

SENSITIVE

Definition

-Sensitiveinformationishighly-valuable,sensitiveinstituioninformationandthelevelofprotectionisdictatedinternallybyUnion.-SensitiveinformationisinformationoriginatedorownedbyUnion,orentrustedtoitbyothers.Sensitiveinformationmaybesharedwithauthorizedemployees,contractors,andbusinesspartnerswhohaveabusinessneed,butmaynotbereleasedtothegeneralpublic,duetothenegativeimpactitmighthaveontheinstituion’sbusinessinterests.

PotentialImpact

ModerateDamagewouldoccurifSensitiveinformationweretobecomeavailabletounauthorizedpartieseitherinternalorexternaltoUnion.TheimpactcouldincludenegativelyaffectingUnion’sreputation,violatingcontractualrequirements,andexposingpersonalinformationaboutUnion’semployeesorstudents.

PUBLIC

DefinitionPublicinformationisinformationthathasbeenapprovedforreleasetothegeneralpublicandisfreelyshareablebothinternallyandexternally.

PotentialImpact

MinimalornodamagewouldoccurifPublicinformationweretobecomeavailabletopartieseitherinternalorexternaltoUnion.TheimpactwouldnotbedamagingtoUnion’sreputationorarisktoinstituionoperations.

5.0DATACLASSIFICATIONLABELING

Dataclassificationlabelingisthepracticeofmarkinganinformationsystemordocumentwithitsappropriateclassificationlevelbasedonthetypeofinformationitcontainssothatothersknowhowtoappropriatelyhandletheinformation.Thereareseveralmethodsforlabelinginformationassets.

• Printed:Informationthatcanbeprinted(e.g.,spreadsheets,files,reports,drawings,orhandouts)shouldcontainoneofthefollowingconfidentialitysymbolsinthedocumentfooteroneveryprintedpage,orsimplythewordsifthegraphicisnottechnicallyfeasible.Theexceptionforlabelingiswith



marketingmaterial,sincemarketingmaterialisprimarilydevelopedforpublicrelease.

• Displayed:RestrictedorPrivateinformationthatisdisplayedorviewed(e.g.,websites,presentations,etc.)mustbelabeledwithitsclassificationaspartofthedisplay.

CONFIDENTIAL AccessLimitedtoAuthorizedPersonnelOnlySENSITIVE AccessLimitedtoInternalUseOnlyPUBLIC PublicReleaseAuthorized

GENERALGUIDELINES

• AnyinformationcreatedorreceivedbyUnionemployeesintheperformanceofthetheirjobatUnionisPrivate(InternalUse),bydefault,unlesstheinformationrequiresahigherclassificationorisapprovedforreleasetothegeneralpublic.

• Treatinformationthatisnotassignedaspecificclassificationlevelas“Private”ataminimumandusecorrespondingcontrols.

• Whencombininginformationwithdifferentsensitivitylevelsintoasingleapplicationordatabase,assignthemostrestrictiveclassificationtothecombinedasset.Forexample,ifanapplicationcontainsPrivateandRestrictedinformation,theentireapplicationisRestricted.

• RestrictedandPrivateinformationmustneverbereleasedtothegeneralpublicbutmaybesharedwiththirdparties,suchasgovernmentagencies,businesspartnersorconsultants,whenthereisabusinessneedtodosoandtheappropriatesecuritycontrolsareinplaceaccordingtothelevelofclassification.

• Youmaynotchangetheformatormediaofinformationifthenewformatormediayouwillbeusingdoesnothavethesamelevelofsecuritycontrolsinplace.Forexample,youmaynotexportrestrictedinformationfromasecureddatabasetoanunprotectedMicrosoftExcelspreadsheet.

6.0PROCEDURE

STEP1–IDENTIFYDATAASSET

Identificationofinformationassetsinvolvescreatinganinventoryofallinformationassetsintheorganization.

Inordertofacilitatetheclassificationofinformationassetsandallowforamoreefficientapplicationofcontrols,itmaybedesirabletogroupinformationassetstogether.Itisimportant



toestablishthatthegroupingofassetsforclassificationisappropriate.Abroadgroupingmayresultinapplyingcontrolsunnecessarilyastheinformationassetmustbeclassifiedatthehighestlevelnecessitatedbyitsindividualdataelements.Forexample,ifHumanResourcesdecidestoclassifyalloftheirpersonnelfilesasasingleinformationassetandanyoneofthosefilescontainsanameandsocialsecuritynumber,theentiregroupingwouldneedtobeprotectedwiththecontrolsforaconfidentialityofHigh.

Anarrowgroupingallowsformoreprecisetargetingofcontrols.However,astherearemoreinformationassetstoclassify,thisincreasesthecomplexityoftheclassificationandthemanagementofcontrols.Usingthepreviousexample,classifyingthemultitudeofpersonnelfiles(e.g.,appointmentletters,timecards,positionclassifications,holidaywaivers)asindividualinformationassetsrequiresadifferentsetofcontrolsforeachclassification.

Inthecaseofasystem(e.g.,database,datawarehouse,applicationserver),itmaybeeasiertoapplycontrolsifthesystemisclassifiedasasingleentity.However,costsmaybereducedbyapplyingthecontrolstotheindividualelements(e.g.,field,record,application).Therefore,itisimportantthattheorganizationevaluatethedifferencebetweenthetwotoidentifythemostappropriatesolutionwhendeterminingthegroupingofinformationassetsforclassification.

Example:

AssetName AssetOwner Confidentiality Ingetrity Availability Classification

StudentGrades

AdmissionData

AnnualReport

HealthRecords

STEP2–IDENTIFYDATAASSETOWNER

Itisimportanttoplacetheresponsibilityfortheclassificationandcontrolofaninformationassetwithanindividualorrole.Thisshouldbeanindividualinamanagerialposition.Ifmultipleindividualsarefoundtobe“owners”ofthesameinformationasset,anindividualownershouldbedesignatedbyahigherlevelofmanagement.

Theinformationownerisresponsiblefordeterminingtheinformation’sclassificationandhowandbywhomtheinformationwillbeused.



Example:


StudentGrades Registrar

AdmissionData VPofAdmissions

AnnualReport BoardofTrustees

HealthRecords HealthDirector

STEP3–EVALUATEDATAASSET

Usetheflowchartbelowtoidentifythelevelsofclassificationfortheconfidentiality,integrityandavailabilityofeachinformationasset.Classificationofdatawillbebasedonspecific,finitecriteriaasidentifiedintheFederalInformationProcessingStandardPublication199(FIPS-199).PleaseseeAppendixAfordetailsonFIPS-199categories.



Examples:


StudentGrades Registrar High High High

AdmissionData VPofAdmissions Moderate Moderate Moderate

AnnualReport BoardofTrustees Low Low Low

HealthRecords HealthDirector High Moderate Moderate

STEP4–ASSIGNDATACLASSIFICATION

ClassificationofdataassetwillbebasedonthehighestcategoryassignedtoConfidentiality,IntegrityorAvailability.IfanycategoryisratedHigh,thedataassetshallbeclassifiedasConfidential.IfallcategoriesareratedLow,thedataassetshallbeclassifiedasPublic.AllotherdataassetsshallbeclassifiedasSensitive.

Examples:


StudentGrades Registrar High High High Confidential

AdmissionData VPofAdmissions Moderate Moderate Moderate Sensitive

AnnualReport BoardofTrustees Low Low Low Public

HealthRecords HealthDirector High Moderate Moderate Confidential

STEP5–IMPLEMENTDATAHANDLINGCONTROLS

Informationassetsshallbelabelled(ifpossible)andhandledaccordingtotheirprescribedclassification,includingaccesscontrols,labeling,retentionpoliciesanddestructionmethods,amongothers.Thefollowingcontrolsshallbeappliedtodataassets,basedontheirclassification:

Confidential Sensitive Public

Non-DisclosureAgreement(NDA)

• NDAisrequiredpriortoaccessbynon-Unionemployees

• NDAisrequiredpriortoaccessbynon-Unionemployees

• N/A




Access • Strongpassword(s)• Accessrequest,review,

approvalandterminationprocess

• AssetOwner-approvedaccess

• Non-DisclosureAgreement(NDA)forthird-parties

• Immediateretrievalwhenprintingorfaxing

• Securestoragewhennotinuse

• Situationalawarenessforverbalcommunications

• Password(s)• Accessrequest,review,

approvalandterminationprocess

• Securestoragewhennotinuse

• Situationalawarenessforverbalcommunications

• Accessrequest,review,approvalandterminationprocess

Cloud-basedStorage(DropBox,OneDrive,GoogleDrive)

• OnlyuseUnion’sGoogleDrive

• OnlyuseUnion’sGoogleDrive

• None

Email(withandwithoutattachments)

• [email protected]:Union’sGoogleMailsolution

• [email protected]:AllinformationencryptedusingMSOfficepasswordprotection

• TootherUnionEmployees:Union’sGoogleMailsolution

• Tonon-UnionEmployees:AllinformationencryptedusingMSOfficepasswordprotection

• None

Encryption • Encryptionduringcreation,storage,processingandtransmission

• Encryptionforthirdparties

• Encryptionduringtransmission

• Encryptionforthirdparties

• None

Internal&ExternalNetworkTransmission(wired&wireless)

• Encryptionisrequired• InstantMessagingis

prohibited• Non-ITapprovedFTP

solutionsareprohibited• Remoteaccessshould

beusedonlywhennecessaryandonlywithapprovedVPNandtwo-factorauthenticationsolutions

• Encryptionisrequired• InstantMessagingis

prohibited• Non-ITapprovedFTP

solutionsareprohibited

• None

Faxing/Printing • Verifydestinationprinter

• Attendfax/printerwhileprinting

• Verifydestinationprinter

• Attendfax/printerwhileprinting

• None




Labelling • Documentwatermark

• None

• None

MobileDevices(iPhone,iPad,MP3player,USBdrive,etc.)

• Encryptionisrequired • Encryptionisrequired • None

Monitoring • Securitymonitoringandalerting

• Privilegedidentitymonitoring

• None

• None

RemovableMedia(flashdrives,jumpdrives,externalharddrives,CD’s,DVD’s,etc.)

• OnlyuseITapprovedsolutions

• OnlyuseITapprovedsolutions

• None

Retention • Backuptestingandverification

• InclusioninBusinessContinuityandDisasterRecoveryPlans

• Redundancyorautomaticfailover

• Offsitebackup• Securephysicalstorage

• Backuptestingandverification

• InclusioninBusinessContinuityandDisasterRecoveryPlans

• None

Destruction • Approvedsecuredestructionsolutions,includingshreddingandsecurewiping

• Approvedsecuredestructionsolutions,includingshreddingandsecurewiping

• None

Audit • Annualcontrolsaudit

• Biennialcontrolsaudit

• None

Physical • Securecourierwhenshipping

• Mediapossessionatalltimes

• Mark“OpenbyAddresseeOnly”

• Use“CertifiedMail”andsealed,tamper-resistantenvelopesforexternalmailings

• Deliveryconfirmationisrequired

• Securecourierwhenshipping

• Mediapossessionatalltimes

• Mark“OpenbyAddresseeOnly”

• Use“CertifiedMail”andsealed,tamper-resistantenvelopesforexternalmailings

• Deliveryconfirmationisrequired

• None



7.0DATACLASSIFICATIONEXAMPLES

Thefollowingtabledepictsexamplesofsensitivedataelementsandtheirassignedclassification:

DATACLASS SENSITIVEDATAELEMENTS

Public

Sensitive

Confidential

PersonallyIdentifiableInform

ation

SocialSecurityNumber(SSN) XEmployerIdentificationNumber(EIN) XDriver’sLicense(DL)Number XFinancialAccountNumber XPaymentCardNumber(creditordebit) XGovernment-IssuedIdentification(e.g.,passport,permanentresidentcard,etc) XElectronicProtectedHealthInformation XBirthDate XFirst&LastName XAge XPhoneand/orFaxNumber XHomeAddress XGender XEthnicity XEmailAddress X

OtherEmployee-

Data

ProtectedDataRelatedtoResearch X Compensation&BenefitsData XMedicalData XWorkersCompensationClaimData XEducationData X DependentorBeneficiaryData X

Student-Related

Data

AcademicTranscript XClassSchedule XIndividualGrades XMajor X Degree X AdvisingNotes X



DATACLASS SENSITIVEDATAELEMENTS

Public

Sensitive

Confidential

MarketingData BusinessPlan(includingmarketingstrategy) X

FinancialDataRelatedtoRevenueGeneration X MarketingPromotionsDevelopment X Internet-FacingWebsites(e.g.,institutionwebsite,socialnetworks,blogs,promotions,etc.) X NewsReleases X

Networking&

InfrastructureData

Username&PasswordPairs XPublicKeyInfrastructure(PKI)CryptographicKeys(publicandprivate) XHardwareorSoftwareTokens(multifactorauthentication) XSystemConfigurationSettings X RegulatoryComplianceData X InternalIPAddresses X PrivilegedAccountUsernames X ServiceProviderAccountNumbers X

IP Formulas X

ResearchandDevelopment X

Strategic

FinancialData CorporateTaxReturnInformation X

LegalBillings XBudget-RelatedData XUnannouncedMergerandAcquisitionInformation XTradeSecrets(e.g.,designdiagrams,competitiveinformation,etc.) X

OperatingFinancialData ElectronicPaymentInformation(WirePayment/ACH) X

Paychecks XIncentivesorBonuses(amountsorpercentages) XStockDividendInformation XBankAccountInformation XInvestment-RelatedActivity XAccountInformation(e.g.,stocks,bonds,mutualfunds,moneymarkets,etc.) XDebtAmountInformation XSECDisclosureInformation X

8.0REFERENCES

• Policy–NewYorkSix(NY6)–DataClassificationandHandling• QuickReference–NewYorkSix(NY6)DataClassificationandHandling



• CommitteeonNationalSecuritySystemsInstructionNo.4009(CNSSI-4009)

9.0REVISIONHISTORY

Version Date Author Revisions

1.00 02-10-15 GreyCastleSecurity Original

1.01 04-01-15 GreyCastleSecurity UnionCollegeUpdates











1.12 GreyCastleSecurity UpdatesbasedonDCWorkshop

1.13 09-14-17 GreyCastleSecurity ReviewandupdateofUnionChanges




APPENDIXA–FIPS199CATEGORIES

procedure: data classification and handling...1.0 purpose classification of data is a critical...

Documents