UF IT Data Security Standard
Data of value (data which would be missed if lost) which cannot be easily recreated (as from an OS installation) must be backed up on a regular basis. An exception to this standard is provided if the cost of backing up exceeds the cost of restoration from a total loss. UF and Level 2 Unit ISMs must ensure that a means of backing up and restoring vital data (including software) is provided.
Access to data must be restricted to authorized users and programs.
All data must be classified appropriately. Within a single system or application, each category of data may be treated differently. Factors that must be considered when classifying data include:
- Confidentiality: Preserving authorized restrictions on data access and disclosure including means for protecting privacy and proprietary data. Upholding privacy and confidentiality laws.
- Integrity: Guarding against improper data creation, modification or destruction. Includes ensuring data non-repudiation and authenticity.
- Availability: Ensuring timely and reliable data access.
Data security involves resources and processes beyond the scope of the UF IT Data Security Standard. This standard attempts to address only the electronic and technological aspects of data security that involve UF IT workers, those that have authority over data stored on systems managed by IT workers, and users of such systems.
All data must have individuals assigned to roles of:
- Data Principal
- Data Custodian
The Level 2 Unit ISAs must ensure that Data Principal roles are assigned. Data Principals establish policy for creating, altering, transmitting, and/or storing data that are used to carry out programs under their direction. Data Principals must be established and documented in each unit. Supervisors are responsible for ensuring that Data Principals are provided specific instruction about their responsibilities.
Data Principal Responsibilities:
- Apply the appropriate classification to the data according to this standard.
- Decide to what audience the Data Classification will be made available.
- Ensure the appropriate security controls are in place commensurate with the classification designation to protect confidentiality, integrity, and availability.
- Formally assign custodianship of the data resources, approve access to responsible custodians and ensure custodians are given appropriate authority to implement security controls and procedures.
- Identify positions that require special trust. A position of special trust is one in which the incumbent can view confidential data, can alter sensitive data, or is depended upon for the continuity of data resources that are determined to be essential.
- Maintain an accountability of who has access to their data and at least annually revalidating the access requirements.
- Ensure appropriate review of data classifications are conducted at least annually to determine if the classifications are still appropriate and that the classifications are implemented properly.
- Ensure their data has an appropriate disaster recovery plan and is backed up.
- Ensure that, when necessary, data be irretrievably removed from physical storage media upon disposal or transfer.
- Ensure that users are aware of their data protection responsibilities.
Examples of Data Principals: Deans, Directors, Department Chairs, Principal Investigators.
Custodians provide technical facilities and support services to Data Principals and Users. Custodians also implement security controls for data protection, and typically control physical access to data resources. When possible and reasonable to do, the roles of Data Principal and Data Custodian should not be held by the same individual. When the Principal is also a Custodian, they should not be the only Custodian.
- Assist data principals in data classification, disaster recovery planning, and cost-effectiveness evaluation of security controls.
- Implement the controls specified by the Data Principals at the server, operating system, network, PC, and application levels.
- Confirm that the appropriate security controls are in place commensurate with the classification designation to protect confidentiality, integrity, and availability.
Examples of Custodians: Network managers, Server Managers, Webmasters, System Administrators, and Managers of IT workers, IT workers
Users of data resources are individuals who create, access or alter data.
- Know and comply with published UF policies, standards and procedures.
- Manage UF data and data resources responsibly.
- Users must create, access, alter or delete data through specifically defined/provided interfaces.
- Protect confidential and sensitive data in their entirety, regardless of the method of access.
- Realize they are accountable for their actions relating to data resource security.
Examples of Users: Faculty, staff, students, vendors, visitors, contractors
Data, which if available to the public, will not harm an individual, group, or institution. Data in this classification must:
- Be labeled appropriately.
- Reside on an appropriately secured host.
- Have appropriate integrity protection.
- Have redundant systems to maintain availability as appropriate.
- Be retained according to public record requirements.
- Have an appropriate recovery plan.
Examples: UF home page, UF course catalog, seminar schedules, press releases, job announcements, advertisements
Data, which if available to unauthorized users, may harm an individual, a group or the institution, but is not Critical Data as defined below. Data in this classification must meet all the requirements for Unrestricted Data and must:
- Have a clearly defined purpose.
- Be easily identified.
- Have appropriate classification documentation.
- Have individuals assigned for Data Principal and Data Custodian roles.
- Have a clearly defined and documented user access list.
- Have appropriate documentation available to users that explains their obligations to protect the data.
- Be available only to those who are authorized.
- Be stored and transmitted securely to prevent unauthorized access.
- Be rendered unreadable prior to disposal.
- Have other protection as required by law or UF policy, standards, and procedures.
Examples: Staff salaries, infrastructure diagrams such as building and network, strategy documents, financial information, purchasing information, policies, standards, and procedures, business recovery plans, system configurations, emergency response plans, emergency equipment inventories
Data with the highest level of protection includes, but is not limited to, data restricted by law, data restricted by legal contracts, security-related data such as passwords and risk assessments, and intellectual property. Data in this classification must meet all the requirements of Sensitive Data and must:
- Require authorization and authentication to view, change or delete.
Examples: Student grades, social security numbers, passwords, credit card numbers, bank account numbers, security plans and assessments
Level 2 Unit ISAs must ensure specific data security procedures are written for their organization.
The standard Data Classification addresses the following:
- What is the function or purpose of the data?
- How is it identified?
- Is it mission critical data?
- Is it system/application or user data?
Roles and to whom they are assigned.
- Who is the Data Principal?
- Who are the Data Custodians?
- Who are the Users?
Does access to the data need to be restricted? And if so, to/from whom?
Alteration of all data is restricted to authorized people and access methods. Restrictions for data retrieval include:
- Is the data protected by law, such as FERPA, GLBA and HIPAA?
- Is it exempt from public records law? Security-related data must be restricted. This includes but is not limited to passwords, vulnerability assessments, and physical facility diagrams.
- Is there potential harm from unauthorized access to the data?
- Is there any reason this data should be publicly accessible?
- Who is authorized to create, view or modify this data?
Protection methods for access, storage and/or transmission.
Specific technical details of methods used to protect data should not be made available to the general public.
- Will the data be stored on an appropriately-secured host?
- Will the data be secured by appropriate host system security access restrictions, such as file permissions, Access Control Lists or passwords?
- Will application-level security, such as .htaccess or the myUFL portal, be employed?
- How will unauthorized access to the data be prevented?
- How will integrity of the data be ensured?
- Will it be distributed in electronic format?
- Should it be encrypted for storage and/or transmission? (This would apply to such data as passwords and data transmitted over wireless networks.)
- Will the data be accessed via clear-text transmission protocols?
- Are the host system's security mechanisms adequate for the sensitivity of the data, or should additional methods, such as encryption, be employed?
- Is the security of the transmission path adequate for the sensitivity of the data, or should additional methods be employed? (For instance, end-to-end encryption such as VPN, SSH, SSL or TLS should be used routinely on wireless networks.)
(Note: Protection method(s) should never be included as part of the data or its label.)
- Should the Data Principal be identified on the label?
- Should the entire classification be included on the label?
- Should the distribution restrictions be included on the label?
- Should the disposal restrictions be included on the label?
- Should the creator be identified on the label?
- Should relevant dates be included on the label?
- What harm will be done if the data is not available?
- Do availability requirements change with time?
- What redundant systems are necessary to guarantee that the data will be available for its intended purpose? (Such as RAID, redundant network connection, UPS, etc.)
- How is data restored if something happens to it? (Such as operations procedures, back-ups, etc.)
- How quickly must data be restored if something happens to it?
- Is appropriate recovery documentation available?
- Does the data require special disposal methods? (Such as rendering it unreadable or shredding before disposal)
- Do persistent copies of the data (such as backups) need special attention?
- Are there legal considerations for records-retention?