UCOP ITS Systemwide CISO Office Systemwide IT Policy

Similar documents
What is a Dataset? Information Security and Privacy Office (ISPO) Risk Assessment Program August 2018 Version 1.1

Data Compromise Notice Procedure Summary and Guide

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Cybersecurity in Higher Ed

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Protecting Your Gear, Your Work & Cal Poly

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

DATA STEWARDSHIP STANDARDS

SAC PA Security Frameworks - FISMA and NIST

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Putting It All Together:

INTRODUCTION TO DFARS

Information Technology Security Plan (ITSP)

Executive Order 13556

01.0 Policy Responsibilities and Oversight

Data Governance & Classification Policy A Data Classification and Data Types

Compliance with CloudCheckr

Access to University Data Policy

Employee Security Awareness Training Program

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Subject: University Information Technology Resource Security Policy: OUTDATED

CCC Data Management Procedures DCL3 Data Access

Why is the CUI Program necessary?

Information Classification & Protection Policy

Virginia Commonwealth University School of Medicine Information Security Standard

Southern Adventist University Information Security Policy. Version 1 Revised Apr

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Virginia Commonwealth University School of Medicine Information Security Standard

Security Awareness Compliance Requirements. Updated: 11 October, 2017

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

University Policies and Procedures ELECTRONIC MAIL POLICY

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

New Process and Regulations for Controlled Unclassified Information

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Mobile Device policy Frequently Asked Questions April 2016

Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

U.S. Private-sector Privacy Certification

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

University of Wisconsin-Madison Policy and Procedure

DFARS Defense Industrial Base Compliance Information

UC Systemwide Information Security Awareness Workgroup

Get Compliant with the New DFARS Cybersecurity Requirements

Policies and Procedures Date: February 28, 2012

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Altius IT Policy Collection Compliance and Standards Matrix

Complete document security

ROADMAP TO DFARS COMPLIANCE

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Information Security Issues in Research

Shaw Privacy Policy. 1- Our commitment to you

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Altius IT Policy Collection Compliance and Standards Matrix

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

DeMystifying Data Breaches and Information Security Compliance

Navigating Regulatory Impacts of a Financial Services Data Breach

University of North Texas System Administration Identity Theft Prevention Program

Privacy and Security Liaison Program: Annual Compliance and Risk Assessment (Fiscal Year 2013/2014)

COMMENTARY. Information JONES DAY

Enterprise SM VOLUME 1, SECTION 5.7: SECURE MANAGED SERVICE

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

UTAH VALLEY UNIVERSITY Policies and Procedures

NIST Special Publication

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Media Protection Program

Information Security Management in a Regulation Driven World

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

What To Do When Your Data Winds Up Where It Shouldn t

DEPAUW UNIVERSITY DATA CLASSIFICATION POLICY AND HANDLING RECOMMENDATIONS ( )

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

IDENTITY THEFT PREVENTION Policy Statement

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

Government Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer

Compliance in 5 Steps

International Legal Regulation of Cybersecurity U.S.-German Standards Panel 2018

CHASE GRAMMAR SCHOOL PRIVACY STATEMENT General Data Protection Regulations (GDPR)

Privacy Policy on the Responsibilities of Third Party Service Providers

DETAILED POLICY STATEMENT

ISOO CUI Overview for ACSAC

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

HIPAA For Assisted Living WALA iii

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Cybersecurity Risk Management

Security of Personal and Financial Information.

Document Title: IT Security Assessment Questionnaire

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Post-Secondary Institution Data-Security Overview and Requirements

Red Flags/Identity Theft Prevention Policy: Purpose

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

The New COSO Framework, PII and Data Security. October 30, 2014

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Transcription:

UCOP ITS Systemwide CISO Office Systemwide IT Policy Revision History Date: By: Contact Information: Description: 08/16/17 Robert Smith robert.smith@ucop.edu Initial version, CISO approved

Classification Guide: Protection Levels for Institutional Information and IT Resources UC s Institutional Information and IT Resource Classification Standard specifies that all UC Institutional Information and IT Resources must be assigned one of four Protection Levels based on confidentiality and integrity requirements, with P4 requiring the highest level of protection and P1 requiring a minimal level of protection. The process outlined in the Institutional Information and IT Resource Classification Standard provides guidance on determining Protection Levels. Proprietors, with the support of their Security Subject Matter Experts (SME) and Unit Information Security Leads, are responsible for determining the Protection Level for Institutional Information and IT Resources under their area of responsibility. Note: Be careful when classifying. Over-classification may result in additional cost and compliance requirements. Under-classification may result in inadequate protections that could lead to data breaches. Proprietors can refer to the charts below to appropriately classify Protection Levels. If the Institutional Information or IT Resource in question is not included in this chart, Proprietors should consult their Chief Information Security Officer (CISO), Privacy Officer or Compliance Officer for guidance. There are definitions of acronyms at the end of this guide. PROTECTION LEVEL 4 Controlled Unclassified Information (CUI) Covered Technical Information (CTI) this includes CTI and Covered Defense Information (CDI) DFARS 252.204-7012 Credit card cardholder Financial, accounting, payroll Financial aid, student loans Personally Identifiable Information (PII) when contained in large sets and when containing a comprehensive set of about a person. Example: about a person s work-related accident that contains medical records. Protected Health Information (PHI) / patient records Social Security Numbers subset of PII Sensitive Identifiable Human Subject Research Research classified as Protection Level 4(P4) by an IRB or otherwise required to be stored or processed in a high-security Government contract Government contract PCI Integrity GLBA PII, regulatory HIPAA PII, GLBA, regulatory Privacy 2

environment Individually identifiable genetic (human subject identifiable) Human subject research data with individual identifiers, particularly those identified in CA law Passwords, PINs and passphrases that can be d to access P2 to P4 or manage IT Resources Information with contractual requirements for P4-level protection Certain types of Federal data (Pre-CUI) like HIPAA data PROTECTION LEVEL 3 Privacy, regulatory Privacy, regulatory Contract FISMA Attorney-Client Privileged Information Student education records Student special services records. These records may contain needed to provide services or plan accommodations, but for which the student has an expectation of privacy. Security camera recordings Building entry records from automated key card system IT security and system security plans Exams (questions and answers) Animal research protocols Export Controlled Research (ITAR, EAR) UC personnel records Research classified as Protection Level 3 (P3) by an Internal Research Board (IRB) Certain types of Federal data (Pre-CUI) Personally Identifiable Information (PII) Legal protection FERPA FERPA, privacy Protective Protective Protective Regulation Privacy FISMA Civil code, regulation PROTECTION LEVEL 2 Routine business records and e-mail that does not contain P3 or P4. Calendar that does not contain P3 or P4. Meeting notes that does not contain P3 or P4 3

Research using publicly available data UC directory (faculty, staff and students who have not requested a FERPA block) De-identified patient (negligible reidentification risk) Unpublished research work and intellectual property not classified as P3 or P4 Patent applications and work papers, drafts of research papers Building plans and about the university physical plant PROTECTION LEVEL 1, operational integrity, protective Public-facing websites Public event calendars Press releases Hours of operation Parking regulations Course catalogs Published research Special Cases Records that fall under a legal Notice of Duty to Preserve may not fall under attorney-client privilege. Unit Information Security Leads and Proprietors must consult with Location Counsel to determine if a higher Protection Level is required when specific records are subject to a Duty to Preserve. At no time may the Protection Level be lowered. KEY TERMINOLOGY: Attorney-Client Privileged Information: Confidential communications between a client and an attorney for the purpose of securing legal advice. For the privilege of confidentiality to exist, the communication must be to, from or with an attorney. 4

Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Note: IS-3 and supporting standards lay the foundation for protecting CUI. See NIST Special Publication 800-171 for requirements. EAR/ITAR: Export Controlled Research includes that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) govern this data type. Current law requires that this data be stored in the U.S and that only authorized U.S. persons be allowed access to it. Examples: Chemical and biological agents Scientific satellite Certain software or technical data Military electronics Certain nuclear physics Documents detailing work on new formulas for explosives Family Educational Rights and Privacy Act (FERPA): Records that contain directly related to a student and that are maintained by UC or by a person acting for the university. The Family Educational Rights and Privacy Act (FERPA) governs release of, and access to, student education records. Federal data (Pre CUI): The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document and implement security programs for technology systems and to store the data on U.S. soil. Under some federal contracts or grants, collected by the university or systems d by the university to process or store research data needs to comply with FISMA. FISMA: The Federal Information Security Management Act (FISMA) requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for technology systems and store the data on U.S. soil. Under some federal contracts or grants, collected by the university or systems d by the university to process or store research data needs to comply with FISMA. Examples: National Institutes of Health NASA Department of Veterans Affairs GLBA: Student loan application. Personal financial held by financial institutions and higher education organizations as related to student loan and financial aid applications. Gramm Leach Bliley Act (GLBA) provisions govern this data type. Personally Identifiable Information (PII): A category of sensitive that s associated with an individual person and can be d to uniquely identify, contact or locate that person. PII should be accessed on a strict need-to-know basis and handled carefully. Examples include: 5

- Social Security Number - Driver s license number - Passport number - National ID number - Visa identification number Payment Card Industry (PCI): Information related to credit, debit or other payment cards. This data type is governed by the PCI Data Security Standards. Protected Health Information (HIPAA): Protected Health Information (PHI) is defined by the Health Insurance Portability and Accountability Act (HIPAA). PHI is individually identifiable health that relates to the: Past, present or future physical or mental health or condition of an individual. Provision of health care to the individual by a covered entity (for example, hospital or doctor). Past, present or future payment for the provision of health care to the individual. Researchers should be aware that health and medical about research subjects may also be regulated by HIPAA. Sensitive Identifiable Human Subject Research: Sensitive identifiable human subject research data is regulated by the Federal Policy for the Protection of Human Subjects (also called the Common Rule ). Among other requirements, the Common Rule mandates that researchers protect the privacy of subjects and maintain confidentiality of human subject data. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback