Controls- Protecting Internal Use Information Systems

Title: Controls- Protecting Internal Use Information Systems
Approved by: Office of the President
Date approved by President or Board of Trustees: August 29, 2016
Effective date: August 29, 2016
Responsible Official: Chief Information Security Officer
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies:

Review Period: 3 Years
Date of Last Review: August 21, 2024
Related to: Faculty, Staff, Students, Alumni, affiliate account holders

Summary

This procedure outlines basic controls required for all Internal Use Only information (IUO), including paper files and IT devices, systems processing, storing, or transmitting Internal Use Only. Because Internal Use Only information requires a sensitivity level designed to protect confidential proceedings and administrative functions at the university, this procedure defines additional appropriate management processes.

Internal Use Only control standards are built upon the Public Information control standards, and therefore considered to be the enhanced security configuration standards. For all IT systems processing Internal Use Only information, the Public Information controls standards are applicable, and the controls listed here are to be applied in addition to those for lower level information.

Purpose

As a risk mitigation action for enterprise wide information protection, the ÐÇ¿Õ´«Ã½ Internal Use Only Controls are provided to guide users and administrators with the requirements for the proper storage, handling, and protection of Internal Use Only (IUO) information in IT devices or paper resources, including networked hosts on the ÐÇ¿Õ´«Ã½ networks.

Information that contains data from more than one classifications must be protected at the highest level of information represented. Therefore, data handling of information classified as IUO and Restricted shall require controls defined for Restricted data.

This Procedure applies to all university information and information technology systems and services that use the ÐÇ¿Õ´«Ã½ network infrastructure. It is designed to support the ÐÇ¿Õ´«Ã½ Information Security Policies and to be auditable.

Procedure

All configuration controls for Public Information control levels are applicable to Internal Use Only (IUO) environments, where Internal Use Only data are stored, transferred, and managed.

Administrative Controls

  1. Inventory. Any university organization (school, management center, department) that is responsible for IUO information shall maintain a written inventory of the type and location of the data used in their operational or administrative capacity. This inventory shall include IT resources with Internal Use Only data, paper-based records, and any other physical or logical asset that contains such information. For example, the department should define what type of IUO data is regularly accessed (eg: student records, financial records)
  2. Security Responsibilities. Any university organization that is responsible for IUO information shall designate in writing a management representative as the responsible party for implementation and adherence to security protections and controls for the information.
    If IUO information, passwords or other access devices are lost or stolen, the ÐÇ¿Õ´«Ã½ user must notify help@case.edu immediately to prevent disclosure, modification or disruption of ÐÇ¿Õ´«Ã½ IUO information.
  3. Security Review. All UTech systems processing and managing IUO information as a means of tracking and confirming shall have or seek consult from Information Security regarding security controls around the Internal Use Only information. Additional security planning should include the following topics:
    1. Data ownership.
    2. Security responsibilities for staff, including workforce security procedures.
    3. An inventory of IT systems that hold and/or host access to IUO information.
    4. A listing of known risks and an action plan to address the top risks (eg: loss/destruction, modification, interception, disclosure.)
    5. A basic contingency plan for any high impact risks and integration into IT Business Continuity Plans
    6. A data security plan detailing the known protections in place (Consult for a data security plan is available from the Information Security office at help@case.edu).
    7. An annual review of the plan and controls, including validation of controls and protections in place by means of vulnerability scanning and follow up audit.
    8. A statement of approval to operate the system from senior management (CISO Dean or VP).
  4. Training of Users and Systems Administrators. All systems administrators and users of IUO information shall receive appropriate and documented training in sensitive data handling and management. At least one systems administrator responsible for IT systems with Internal Use Only information shall complete an awareness program for Information Security based on the SANS Securing the Human.
    1. Non-employee students shall be prohibited from handling Internal Use Only information or managing IT systems that handle Internal Use Only information.
  5. Evaluation and Audit. On an annual basis, the internal staff of an organization responsible for Internal Use Only information will complete and/or update a data security plan, including review of the security controls (refer to Critical Controls Poster). A gap analysis report with a remediation plan will be reviewed and submitted to the organization's management and the ÐÇ¿Õ´«Ã½ Chief Information Security Officer.
  6. Personnel Controls. Background checks shall be performed on a periodic basis for all persons authorized to access, process, and store IUO information. The University Department of Human Resources will determine the appropriate time intervals. Additionally, background checks for systems administrators of IT systems with Internal Use Only information shall include criminal background check, employment record review, and credit check.
  7. Labeling. All documents and communications containing Internal Use Only information, should include labels indicating "Internal Use Only" information is present. Typical examples are the use of document headers and footers and/or watermarks with the label "Internal Use Only."
  8. Business Continuity Planning. Departments with Internal Use Only information systems and critical IT infrastructure may, upon management discretion, develop and implement business continuity planning.

Technical Controls

  1. Login Screen. All hosts that support a login screen shall be configured to require individual users to login with credentials (e.g. username and password) that adhere to ÐÇ¿Õ´«Ã½ standards. Hosts shall not be configured to auto-login. Passwords shall be changed annually (refer to [U]Tech policy on password change).
  2. Access Control. Access to IUO data shall require authentication using Single Sign On (SSO); Shibboleth or Kerberos or LDAP.
  3. Devices supporting IUO information will be managed by Active Directory. Exceptions may be granted, based on business requirements, or based on management requirements.
  4. Screen Timeout/Locking. Screens must lock with 15 minutes of inactivity, and require a username and password to unlock. Enterprise Systems and/or Clinical departments may have shorter locking requirements.
  5. Evaluation. Via a threat profile focused on minimizing attack surface and threat vectors. Any system with Internal Use Only information must seek an evaluation from the Information Security Office (ISO) to ensure that the information is adequately protected from public access. This may include vulnerability management, testing of hardening and/or physical access controls.
  6. Firewall. All hosts which support a host-based firewall shall configure the local firewall in a manner to mitigate common network-based attacks.
  7. Operating System and Software Security Updates. Information Security requires regular, active, and timely attention to patching and updating. All hosts shall be configured to receive and implement security updates to software and operating system software through a management server (such as WS ) at most 1 month after the release of updates by software vendors. 3rd-party software updates and feature updates are not in the scope of this requirement. Evidence of an active exploit for a published vulnerability in the wild will escalate the urgency and require a shorter time frame.
  8. Anti-Virus Software. All Windows-based hosts have a supported anti-virus application, and therefore shall have anti-virus software installed and enabled for automated signature updates. For non-Windows hosts that have a supported anti-virus application, the installation of this software is recommended. At a minimum users should conduct full system scans on a monthly basis, including MAC. Any supported operating systems that have anti-virus should conduct scans.
  9. Anti-Spyware. Anti-spyware software is recommended for all users who use web-based resources. The [U]Tech Help Desk lists available anti-spyware.
  10. Anti-Theft Utilities. For mobile systems (e.g. tablet PC, notebook computers, PDAs, etc.), anti-theft technologies are highly recommended. Locking cables are highly recommended. Software-based tracking services are also recommended.
  11. Data Backup. Internal Use Information that is of value to the user should be retained in a backup capability to mitigate the impact of hardware failure, loss, and theft.
  12. Cloud Based Services. Only approved cloud based services are authorized for storage of ÐÇ¿Õ´«Ã½ Internal Use Only information.

Physical Controls

  1. Facility and Device Access.
    1. Each department shall institute a protection process from unauthorized physical access, tampering, and theft (office and computer devices). Infrastructure (e.g. file servers) shall be protected by placement in ÐÇ¿Õ´«Ã½ Data Centers or managed cloud providers.
    2. Restrict physical access to laptop computers when physically away from office or work space, by practicing a clean desk, clean screen policy (lock the office or suite door; use security cables or locking devices; screen locks and logout when no longer accessing ÐÇ¿Õ´«Ã½ data).
    3. Access shall be reviewed annually and require re-authorization. Persons no longer needing physical access shall be removed from access within 1 working day of notification of change in status.
    4. Access to rooms containing information technology infrastructure must be controlled to permit only authorized persons access to server resources. This group of authorized persons must be the minimum number of persons with a documented need for access.
    5. Appropriate fire protection/suppression capabilities as required by law.
    6. Appropriate environmental controls such as cooling, humidity controls.
    7. Plan for appropriate electrical power. Consider an Uninterruptible Power Supply (UPS) as part of a Business Continuity Plan.
  2. Access Controls and Validation.
    1. No Internal Use Only data shall be made publicly available in an IT system or visible format without access controls to ensure only authorized individuals are granted access.
  3. Disposal. At the end of their life cycles, all IT resources that process, store, and manage IUO or internal use information shall be disposed of in accordance with the ÐÇ¿Õ´«Ã½ data disposal procedure, which includes hard disk overwrite procedures.

Regulatory Controls

  1. Research Data. Certain data systems associated with Federally funded research may be subject to additional security controls. These controls will be applied to a small subset of systems that shall also comply with IUO controls. These controls shall be addressed by individual systems and written and reviewed by the Information Security Office to evaluate if the information is Internal Use Only or Restricted data.
  2. Student Record Data. Certain individually-identifiable data from students’ education records may be protected by federal law, including the Family Educational Rights and Privacy Act (FERPA). ÐÇ¿Õ´«Ã½ views FERPA-protected data as IUO data, and IUO controls are appropriate.

Responsibility

ÐÇ¿Õ´«Ã½ End Users: Assure controls based on ÐÇ¿Õ´«Ã½ information categories are implemented.

Departmental IT Staff: Manage IT systems with the goal of maintaining confidentiality, integrity, and availability of IT systems for the department and the university.

ÐÇ¿Õ´«Ã½ [U]Tech Information Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.

Chief Information Security Officer (CISO): Assure compliance with the protection requirements for Internal Use Only and Restricted data.

Data Owners: Develop security plans to assure that Internal Use Only controls are applied where applicable to protect Restricted data. Assume responsibility for data protection and risk management of IT systems and data.

Definitions

Restricted Data: Restricted information is information that is protected by local, national, or international statute or regulation mandating certain restrictions. This may include student academic and financial records regulated by the Family Educational Rights and Privacy Act (FERPA); personal health information regulated by the Health Insurance Portability and Accountability Act (HIPAA); or other forms of regulated information such as social security numbers and credit card numbers. Other examples of Restricted Information include payroll and tax information, tenure committee reviews and applications; donor information; and performance appraisals.

Internal Use Only Information: Information that must be limited to appropriate university faculty, staff, students, or other authorized users with a valid business need. This information must be protected from unauthorized access, modification, use, or disclosure due to university policies, contract, or designation, or due to privacy considerations.

Host: Any network capable device utilizing network services. A host may be a personal computer, a network appliance, server resources, printers, scanners, copiers, or similar electronic device.

Data Owner: A Data Owner a senior-level employee of the university who oversees the lifecycle of one or more sets of Institutional Data. This person has financial and administrative responsibility for the protection, use, and management of the data.

Systems administrator: A technically trained university staff with responsibility for implementing IT systems. Any person with "administrator" or "root" privileges to an IT system with Internal Use Only information is considered a systems administrator for compliance purposes.

Student employee: A university student who is employed part time to fulfill a technical role or complete IT tasking. These are most typically undergraduate students. Graduate and professional students performing IT roles as part of their research or thesis work are considered university employees.