Controls for Securing University Data – Best Practices

This page is to be used in conjunction with REG 08.00.03 – Data Management Procedures and the following pages:

Introduction

The controls described below are designed to prevent unauthorized access to University Data. They will be used by the following persons:

  • OIT Security & Compliance Unit staff
  • Data Custodians
  • Designers and implementers of IT systems and applications
  • Application Sponsors
  • Data Stewards
  • End-users (only with assistance from the appropriate Data Custodian)

If there is a perceived need to handle Sensitive Data in a less secure manner than specified in this document, all changes in handling must be approved by the affected Data Stewards and the Director of OIT Security and Compliance.

Sensitive Data

As used in this document, the term Sensitive Data refers only to the three highest data sensitivity levels (Ultra-sensitive, Highly sensitive and Moderately sensitive); it does not include the two lowest levels (Normal, not sensitive and Unclassified), as described in the Data Classification Standard, section 6 of REG 08.00.03 – Data Management Procedures.

Applying principles and controls to Sensitive Data

Following each principle or control listed below, there is a table that indicates:

  • Data sensitivity levels:
    • Ultra-sensitive (Purple)
    • Highly sensitive (Red)
    • Moderately sensitive (Yellow)
    • Normal, not sensitive (Green)
    • Unclassified (White)
  • Degree to which that principle or control must be applied to data in each sensitivity level:
    • Mandatory
    • Recommended
    • Optional
    • Not Applicable (N/A)

Principles and controls

1. Control principles for Data Stewards and Application Sponsors

1.1 Limit University Data access to those who have a legitimate, university-related reason to see that data.

Applicability of control 1.1:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

1.2 Control and record who has access to University Data through authentication and authorization of the individuals seeking access.

Applicability of control 1.2:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Mandatory
  Unclassified (White): Optional

1.3 Security Awareness

  • Promote security awareness of University Data within the user community.
  • Provide user training and easy-to-understand documentation for handling and displaying University Data, especially Sensitive Data.
  • Provide the user with information from relevant university regulations.

Applicability of control 1.3:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

1.4 Implement suitable controls for safeguarding Sensitive Data in university computers.

1.4.1 Provide strong authentication for all access to Sensitive Data.

Applicability of control 1.4.1:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

1.4.2 Encrypt Sensitive Data during transmission over networks.

Applicability of control 1.4.2:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

1.4.3 Address controls, including encryption, for access to stored Sensitive Data.

Applicability of control 1.4.3:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

1.5 Provide for active monitoring and logging of data streams to detect attacks or unauthorized transmission of Sensitive Data.

Applicability of control 1.5:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

1.6 Ensure that end-user controls are employed as needed to protect Sensitive Data in the application user environment; e.g., laptop, desktop, mobile device.

Applicability of control 1.6:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

1.7 Require signed non-disclosure and return agreements from non-university parties who are provided access to university material containing Sensitive Data.

Applicability of control 1.7:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

Specific types of controls for use in protecting Sensitive Data

Designers of Internet applications should include suitable administrative and procedural design controls to safeguard University Data. The Data Steward and Application Sponsor should verify that the selected controls are necessary and sufficient for the application. These controls are outlined in sections 2 through 4 below.

2. Administrative and procedural design controls

2.1 Use authorization approval to manage access to Sensitive Data in applications; e.g., as provided by the System Access Request (SAR) application.

Applicability of control 2.1:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

2.2 Whenever possible, remove the sensitive part of the data before displaying or storing it.

Applicability of control 2.2:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

2.3 Mask Ultra-sensitive (Purple) data where possible; e.g., display only the last four (4) digits of Social Security and banking account numbers.

Applicability of control 2.3:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): N/A
  Moderately sensitive (Yellow): N/A
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A
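As an added illustration of controls 2.2 and 2.3 (this code is not part of the policy page; the function names, the "X" mask character and the SSN pattern are my own choices), a masking routine that reveals only the last four digits and strips formatted SSNs from free text before it is displayed or stored:

```python
import re

# Added example (not part of the policy page): keep only the last four digits
# of an identifier, as control 2.3 requires for Social Security and bank
# account numbers, and mask such values in free text before it is stored or
# displayed (control 2.2). Function names and the 'X' mask are assumptions.

MASK_CHAR = "X"
# Constructed pattern for a formatted SSN such as 123-45-6789.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask_last_four(value: str) -> str:
    """Replace every digit except the last four with MASK_CHAR.

    Separators (dashes, spaces) are preserved so 123-45-6789 reads as
    XXX-XX-6789. Values holding four digits or fewer are masked completely:
    showing "the last four" of a four-digit value would reveal all of it.
    """
    total = sum(c.isdigit() for c in value)
    if total <= 4:
        return re.sub(r"\d", MASK_CHAR, value)
    reveal_from = total - 4
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= reveal_from else MASK_CHAR)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def redact_ssns(text: str) -> str:
    """Mask every formatted SSN found in free text (log lines, notes)."""
    return SSN_PATTERN.sub(lambda m: mask_last_four(m.group(0)), text)
```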

2.4 Consider automatically notifying a user externally (e.g., via email) whenever his/her University Data has been changed by anyone using a Web application. This allows the user to confirm whether the change in the data has been authorized.

Applicability of control 2.4:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

2.5 Dispose of printed output, portable media and other storage devices containing Sensitive Data through shredding or another means that renders the data unreadable.

Applicability of control 2.5:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

2.6 To the extent possible, store data sets of different sensitivity levels in separate locations so that appropriate controls may be applied to each set.

Applicability of control 2.6:
  Ultra-sensitive (Purple): Recommended
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

2.7 Do not allow the emailing of Ultra-sensitive (Purple) or Highly sensitive (Red) data unless it is either

  • contained in an encrypted attachment
    or
  • stored securely on a website that has both
    • authenticated access control
      and
    • encrypted transmission and storage.

Applicability of control 2.7:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

2.8 In order for a student’s FERPA (Yellow) data to be conveyed by any means (e.g., email, Google Drive, Google Docs, Google Sites), that student must give prior written or electronic consent (e.g., by clicking on a link in a website and authenticating). This includes conveying that student’s FERPA data to either of the following:

  • that student
  • any other person or group of persons.

Applicability of control 2.8:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

2.9 Store all media containing Sensitive Information under secured physical conditions. Be careful to observe this control before, during and after scanning a document containing Sensitive Information, for example.

Applicability of control 2.9:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

3. Computer server-related technical controls

Computer server-related provisions for safeguarding University Data should be

  • recommended by Internet application implementers
  • confirmed as necessary and sufficient by the Data Steward and Application Sponsor, and
  • implemented by appropriate technical personnel.

3.1 Require authentication (e.g., Shibboleth or WRAP) to access websites and other applications that display University Data.

Applicability of control 3.1:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

3.2 Use a firewall to control access to services or ports on a server that contains University Data.

Applicability of control 3.2:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

3.2.1 When a website references Ultra-sensitive (Purple) or Highly sensitive (Red) data, consider using an application firewall to detect data breaches that result from application layer attacks.

Applicability of control 3.2.1:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

3.3 When an application references Ultra-sensitive (Purple) or Highly sensitive (Red) data, consider using data leakage protection (DLP) software to prevent release of the data.

Applicability of control 3.3:
  Ultra-sensitive (Purple): Recommended
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

3.4 Encrypt data streams containing Sensitive Data during transmission, preferably with SSL or a VPN. Consider all places where data is in transit and how it is protected in each place, not just in the path from application server to user.

Applicability of control 3.4:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

3.5 Whenever possible for batched file transfers, use a tool that provides encrypted communication (e.g., FTP(S) or SFTP) to transmit Sensitive Data; otherwise, encrypt the data file before transmission.

Applicability of control 3.5:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

3.6 Actively manage user access privileges to shared network drives, on-line data bases and Web server file space.

Applicability of control 3.6:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

3.7 Encrypt data files, records and fields that contain Sensitive Data and are at rest on a publicly viewable volume or other unprotected storage medium (e.g., copier, scanner, printer, end-user PC workstation).

Applicability of control 3.7:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

3.8 Password-protect access to files containing Sensitive Data or, preferably, encrypt the files.

Applicability of control 3.8:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Recommended
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

3.9 Maintain and secure backups of University Data. Protect access to the backups by physical and/or technological controls.

Applicability of control 3.9:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Mandatory
  Unclassified (White): Recommended

3.10 Encrypt backups that contain Sensitive Data.

Applicability of control 3.10:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

3.11 Security patches:

  • Apply all security patches to server software on a regular basis.
  • Apply critical security patches to server software within a timeframe consistent with the relevance and severity of the problem addressed by the patch.

Applicability of control 3.11:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Mandatory
  Unclassified (White): Recommended

3.12 Do not attempt to secure University Data that is directly available on the Internet (e.g., file, Web page) by leaving its Internet address or URL unpublished. This is not a sufficient security measure.

Applicability of control 3.12:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

3.13 Protect passwords by:

  • not displaying them as they are typed, or
  • encrypting them if they are stored, or
  • preferably, storing and comparing only hash values during authentication, so that the actual passwords are never stored.

Applicability of control 3.13:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Recommended
  Unclassified (White): Optional
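An added example, not from the policy page, of the preferred option in control 3.13: keeping only a salted, iterated hash of each password and verifying a login by recomputing it. The record format, function names and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example (not part of the policy page): store only a salted PBKDF2
# hash of each password and verify by recomputing the hash, as control 3.13
# prefers over storing passwords, even encrypted ones. The record layout
# "algorithm$iterations$salt$hash" and the names below are assumptions.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # raise over time; aim for ~100 ms on the auth server
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record; the password itself is never kept."""
    if not password:
        raise ValueError("empty password")
    salt = os.urandom(SALT_BYTES)   # fresh random salt per record defeats shared rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                # a malformed record never verifies
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record is weaker than the current policy (re-hash at next login)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```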

4. Technical controls for end-user devices

End-user devices include desktop computers, laptops, smart phones, tablets, printers, copiers, scanners, removable drives (thumb drives, jump drives, memory sticks, USB drives), and any other electronic devices that may be used to access, store or process Sensitive Data. The following security guidelines should be followed:

  • The implementer of an Internet application should employ security technical controls to safeguard University Data on the end-user device that accesses the application.
  • As far as possible, these controls should be automated and configured so that the user cannot turn them off.
  • The Data Steward and Application Sponsor should confirm that these controls are necessary and sufficient for the application.

4.1 Require antivirus software to be installed on all devices accessing University Data. Set the antivirus software to update automatically.

Applicability of control 4.1:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Recommended
  Unclassified (White): Recommended

4.2 Ensure that the end-user device software is automatically updated, especially with critical security patches.

Applicability of control 4.2:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): Recommended
  Unclassified (White): Recommended

4.3 Use a client software firewall (e.g. have Windows firewall turned on).

Applicability of control 4.3:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Recommended
  Unclassified (White): Recommended

4.4 End-user procedures should require closing the Web browser after use in order to clear its cache.

Applicability of control 4.4:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

4.5 Unless Sensitive Data is encrypted, do not store it on a portable device (e.g., USB drive, flash drive, CD, DVD, PDA, laptop, notebook, tablet, smart phone). Full-disk encryption, or the equivalent all-disk encryption on a mobile device, is sufficient to prevent loss if the device is stolen, mislaid, or disposed of without clearing the data.

Applicability of control 4.5:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

4.6 Do not store Sensitive Data on a local computer workstation (or laptop) hard drive or other local storage without additional security precautions.

Applicability of control 4.6:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

4.7 Do not store data from SSL sessions locally (option in Web browser settings).

Applicability of control 4.7:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Optional
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

4.8 Whenever possible, ensure that users know how to erase copies of data that are automatically stored on copiers, printers and scanners during image processing. When these devices are to be transferred or surplused, make sure that all copies of data are erased from them before they leave the responsible end-user’s control.

Applicability of control 4.8:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

4.9 Refer to Mobile Device Security for additional requirements and guidelines for securing mobile devices.

Applicability of control 4.9:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Mandatory
  Normal, not sensitive (Green): Recommended
  Unclassified (White): N/A

4.10 By default, disable the remembering of passwords on a device. If this is not disabled, make sure that a secure password keeper application is used for storing the passwords.

Applicability of control 4.10:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): Optional
  Unclassified (White): N/A

4.11 Use network firewalls to protect the computers and networking devices of any offices that deal with significant volumes of Sensitive Data.

Applicability of control 4.11:
  Ultra-sensitive (Purple): Mandatory
  Highly sensitive (Red): Mandatory
  Moderately sensitive (Yellow): Recommended
  Normal, not sensitive (Green): N/A
  Unclassified (White): N/A

Principles and controls, sorted by applicability

Principles and controls for Ultra-sensitive (Purple) data, sorted by applicability

Control  Ultra-sensitive (Purple)
1.1 Mandatory
1.2 Mandatory
1.3 Mandatory
1.4.1 Mandatory
1.4.2 Mandatory
1.4.3 Mandatory
1.5 Mandatory
1.6 Mandatory
1.7 Mandatory
2.1 Mandatory
2.2 Mandatory
2.3 Mandatory
2.4 Mandatory
2.5 Mandatory
2.7 Mandatory
2.8 Mandatory
2.9 Mandatory
3.1 Mandatory
3.2 Mandatory
3.2.1 Mandatory
3.4 Mandatory
3.5 Mandatory
3.6 Mandatory
3.7 Mandatory
3.8 Mandatory
3.9 Mandatory
3.10 Mandatory
3.11 Mandatory
3.12 Mandatory
3.13 Mandatory
4.1 Mandatory
4.2 Mandatory
4.3 Mandatory
4.4 Mandatory
4.5 Mandatory
4.6 Mandatory
4.7 Mandatory
4.8 Mandatory
4.9 Mandatory
4.10 Mandatory
4.11 Mandatory
2.6 Recommended
3.3 Recommended

Principles and controls for Highly Sensitive (Red) data, sorted by applicability

Control  Highly sensitive (Red)
1.1 Mandatory
1.2 Mandatory
1.3 Mandatory
1.4.1 Mandatory
1.4.2 Mandatory
1.4.3 Mandatory
1.7 Mandatory
2.1 Mandatory
2.5 Mandatory
2.7 Mandatory
2.8 Mandatory
2.9 Mandatory
3.1 Mandatory
3.2 Mandatory
3.4 Mandatory
3.5 Mandatory
3.6 Mandatory
3.9 Mandatory
3.10 Mandatory
3.11 Mandatory
3.12 Mandatory
3.13 Mandatory
4.1 Mandatory
4.2 Mandatory
4.3 Mandatory
4.4 Mandatory
4.5 Mandatory
4.6 Mandatory
4.7 Mandatory
4.8 Mandatory
4.9 Mandatory
4.10 Mandatory
4.11 Mandatory
1.5 Recommended
1.6 Recommended
2.2 Recommended
2.3 Recommended
2.6 Recommended
3.2.1 Recommended
3.3 Recommended
3.7 Recommended
3.8 Recommended

Principles and controls for Moderately Sensitive (Yellow) data, sorted by applicability

Control  Moderately sensitive (Yellow)
1.1 Mandatory
1.2 Mandatory
1.3 Mandatory
1.4.1 Mandatory
1.4.2 Mandatory
1.4.3 Mandatory
1.7 Mandatory
3.1 Mandatory
3.2 Mandatory
3.4 Mandatory
3.5 Mandatory
3.6 Mandatory
3.9 Mandatory
3.11 Mandatory
3.12 Mandatory
3.13 Mandatory
4.1 Mandatory
4.3 Mandatory
4.8 Mandatory
4.9 Mandatory
2.2 Recommended
2.5 Recommended
2.6 Recommended
2.7 Recommended
2.8 Recommended
2.9 Recommended
3.10 Recommended
4.2 Recommended
4.4 Recommended
4.5 Recommended
4.6 Recommended
4.10 Recommended
4.11 Recommended
1.5 Optional
1.6 Optional
2.1 Optional
2.4 Optional
3.2.1 Optional
3.3 Optional
3.7 Optional
3.8 Optional
4.7 Optional

Principles and controls for Normal, not sensitive (Green) data, sorted by applicability

Control  Normal, not sensitive (Green)
1.2 Mandatory
3.9 Mandatory
3.11 Mandatory
3.13 Recommended
4.1 Recommended
4.2 Recommended
4.3 Recommended
4.9 Recommended
1.1 Optional
1.3 Optional
2.4 Optional
3.1 Optional
3.2 Optional
3.4 Optional
3.6 Optional
3.10 Optional
3.12 Optional
4.4 Optional
4.7 Optional
4.8 Optional
4.10 Optional

Principles and controls for Unclassified (White) data, sorted by applicability

Control  Unclassified (White)
3.9 Recommended
3.11 Recommended
4.1 Recommended
4.2 Recommended
4.3 Recommended
1.2 Optional
3.13 Optional