Information Types and Sensitivity

Title: Information Types and Sensitivity
Approved by: Office of the President
Date approved by President or Board of Trustees: October 4, 2016
Effective date: October 4, 2016
Responsible Official: UTech Security and Policy
Responsible University Office: UTech Security and Policy
Revision History: 3
Related legislation and University policies: None
Review Period: 3 Years
Date of Last Review: August 6, 2024
Relates to: Faculty, Staff

Summary

The purpose of this policy is to assist ÐÇ¿Õ´«Ã½ users (persons assigned with data stewardship, ownership, and custodial duties) with the determination of the baseline security requirements based upon information tier level. Each category of information will have an assigned set of baseline security standards to apply as part of the risk management program in addressing confidentiality, integrity, and availability.

This policy applies to all ÐÇ¿Õ´«Ã½ Western Reserve University information. Many of the security requirements are targeted at networked information technology systems.

Purpose

ÐÇ¿Õ´«Ã½ uses a 3-tier system to categorize information types and sensitivity. Each of the three categories is determined based upon risk to the University in the areas of confidentiality, integrity, and availability of data in support of the University's mission. Information (or data) owners are responsible for determining the impact levels of their information and managing risk to such information through the implementation of applicable control tiers.

These categories are derived from the Federal Information Processing Standard 199 (FIPS-199)

Information Category Confidentiality Integrity Availability
Public low moderate moderate
Internal Use moderate moderate moderate
Restricted high moderate moderate

ÐÇ¿Õ´«Ã½ will not use the terms 'confidential, secret, top secret' unless they accurately describe information so categorized by the U.S. Government in the OMB Circular A-130 as pertaining to national security information. In general, none of the information at that level will appear in the ÐÇ¿Õ´«Ã½ academic, administrative, research, and [U]Tech environment.

Information Management Requirements

Information shall be segregated into technical or administrative categories such that controls can be applied to ensure risk to confidentiality, integrity, and availability are effectively managed. The most sensitive information will have the strongest set of controls. A determination of Information Category is a requirement for all information technology management and risk management decisions.

Public Information

The significant majority of information in use at ÐÇ¿Õ´«Ã½ is Public. Information systems that store, process, or manage Public information apply the minimum security configuration and management standards. These standards have been approved for use in all ÐÇ¿Õ´«Ã½ IT environments, at a minimum, and may be enhanced to more stringent controls as deemed appropriate by the information owner. Controls and security standards for Public information include basic hardening of network hosts, automated updates of systems software, anti-virus (and anti-spyware) software installed and automatically updated, and appropriate data backups.

Internal Use Only Information

Information systems that store, process, or manage Internal Use Only information apply the minimum security standards, and enhance with an additional set of host configurations to reduce the risk of host compromise via networking, or from data disclosure/loss in the event of theft or loss of the system. These Internal Use Only controls and security standards include network authentication, user access controls, enhanced system hardening, auditing, data backup, system disaster recovery planning, and regular risk evaluations. In general, any disclosure of information is of concern, but is expected to have minimal impact on university operations.

Restricted Information

Information systems that store, process, or manage Restricted information are to apply the aforementioned controls and security standards, as well as the most stringent controls in the university environment to address confidentiality issues. These are known as the Restricted Information controls and security standards.

Multi-tiered systems conflict- when an information system processes more than one tier of information, the requirements for the highest level will be applied.

Definitions

Information Owner: A University official (University faculty or staff) who is responsible for the security of information in a given school or department. This official often has management authority for directing administrative procedures or purchasing/budget authority for dealing with consequences of information interruption of service, loss/destruction, disclosure, or modification.

Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes

Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.

Availability: The property that data or information is accessible and usable upon demand by an authorized person.