Information Resource Data and System Classification Standard

This standard builds on the existing University of Alaska Data Classification, extends it to systems, and adds the dimensions of availability and criticality. Classifying and labeling systems in this way communicates a system's role within the University's IT environment, identifies the safeguards that apply to it, and informs disaster recovery and business continuity planning decisions.

Covered Systems

This classification applies to a wide variety of information resources that are part of the University of Alaska's (UA) information technology (IT) environment. A system is any IT resource to which security safeguards may be applied. Examples of systems include, but are not limited to:

  1. Desktop, laptop, or server computers running general purpose or specialized operating systems such as Windows, Mac OS, and Unix
  2. Network server applications, such as an FTP server application
  3. Web applications, such as a wiki
  4. Databases
  5. Network attached appliances that provide IT services
  6. Hosted services operated by partners in support of UA

Each of the systems above may perform its own authentication and authorization and its own logging and auditing, and has its own configuration that must be managed. Each is considered a compliance object to be protected.

Follow these steps to determine a system's classification:

  1. Determine the Data Classification of the data stored on the system (see Data Classification and System Classification below).
  2. Determine the Availability Requirements of the system, and whether it is a server or an individual workstation (see Server/Individual Context below).
  3. Select the appropriate classification from the System Criticality Categories table.

A system manager may choose to classify a system at a higher criticality than the table indicates. If they do so, the system must meet the security measures for that higher level. A system hosting data or services at multiple classification levels is assigned the highest applicable level in each of the data, availability and criticality dimensions, and must meet the security measures for that higher level.

Data Classification

The authoritative source of information on data classification at UA is University of Alaska Regulation 02.07.090-094. It defines three levels of data classification based on the impact of an unauthorized disclosure of the data. The data types are listed below with descriptions and examples; the regulation cited above remains the authoritative source.

Data Classification: Restricted
Institutional Risk from Disclosure: High
Description: Data whose unauthorized access or loss would seriously or adversely affect UA, students, employees, a partner, or the public.
Examples:
  • HIPAA
  • FERPA
  • Export controlled, ITAR covered data or software
  • Information required to be protected by contract
  • Human subjects identifiable research data
  • Trade secrets, intellectual property and/or proprietary research
  • Attorney/client privileged records
  • Payment Card Industry data
  • University banking records
  • Restricted police records
  • Computer account passwords
  • Gramm-Leach-Bliley
  • Certain affirmative action related data
  • Alaska Personal Information Protection Act
  • Library records confidentiality

Data Classification: Internal Use
Institutional Risk from Disclosure: Medium
Description: Data not restricted by law, regulation or formal agreement, but that should be protected from general access.
Examples:
  • Employee Internet usage
  • Specific technical security measures
  • UA employee business-related email (including student employees, but only their work-related email)
  • Location of assets
  • Faculty promotion, tenure, evaluations
  • Supporting documents for UA business functions
  • Public research
  • Aggregate human subjects research data
  • Animal research
  • Proposal records

Data Classification: Public
Institutional Risk from Disclosure: Low/None
Description: All public data.
Examples:
  • Campus promotional material
  • Annual reports
  • Press statements
  • Job titles
  • Job descriptions
  • Employee work phone numbers (with special exceptions)
  • University of Alaska business records
  • Employee work locations (with special exceptions)
  • Employee email addresses (with special exceptions)


Special Data Types

Some data comes with specific and externally mandated controls that must be applied for its protection.

  • Credit card numbers are subject to the Payment Card Industry Data Security Standard (PCI DSS) and thus may need to be handled differently in some situations.
  • Data covered by export controls (for example, ITAR) is subject to additional rules on distribution, in particular sharing with non-U.S. persons.
  • Protected Health Information (PHI) can be subject to HIPAA protection requirements and HITECH Act enforcement.

System Classification

The system classification framework distinguishes between systems that store data directly, systems that have privileged access to data but do not store it directly, and systems that make general use of data, as follows:

  • "Storing" data means the data is available through normal file system access methods. For example, data residing in NFS mounts or Windows mapped drives (e.g., an X: drive) is considered to be stored on every client system that actively mounts the share, as well as on the system that physically houses the disks. Data residing in a database, by contrast, is considered to be stored only on the database server itself, since no file system access method gives clients direct access to it.
  • "Privileged access" exists when there is a non-file-system method of accessing data stored on another system. For example, a web server that connects to a separate back-end database server has privileged access to the data stored on that server. Similarly, the workstation of a system administrator who routinely logs into both servers with administrator credentials has privileged access to both systems.
  • "General use" covers access to or processing of data by end-user workstations using a non-privileged account.

Availability Requirements

There are three availability classifications, representing the impact to the University if a given system were unable to perform the tasks it is responsible for.

Availability Classification: High Availability
Institutional Risk from Loss of Access: High
Description: Loss of access to the system would have a significant impact on UA, students, employees, a partner, or the public.
Examples:
  • Systems that participate in a University-level disaster preparedness plan
  • Systems supporting automated or online business services
  • Systems responsible for delivery of or support for educational services
  • Systems with redundant hardware in separate geographic regions
  • Systems that serve 1,000 or more users

Availability Classification: Medium Availability
Institutional Risk from Loss of Access: Medium
Description: Loss of access to the system could have a significant impact on a large number of users or on multiple business units.
Examples:
  • Systems that participate in the disaster preparedness plan of a large University unit
  • Systems with redundant hardware in a single geographic region

Availability Classification: Standard Availability
Institutional Risk from Loss of Access: Low
Description: Loss of access to the system could have a significant impact on an individual user or unit.
Examples:
  • Systems that do not participate in a disaster preparedness plan
  • Systems with no redundant hardware provisioned
  • Individual workstations, laptops or devices
  • Small workgroup servers


Server/Individual Context

  • Servers are characterized by the presence of network accessible services and are typically accessed concurrently by many remote users through the services they provide.
  • Individual workstations, laptops or devices typically have no network accessible services and are typically used by a single user at a time.

System Criticality Categories

System Criticality is determined according to the following table. When more than one category applies, the system is classified in the highest applicable category.


System Classification: High Criticality
Classification Guidelines:
  • Servers that store Restricted data
  • OR servers that host High Availability applications
Examples:
  • A database that stores employee Social Security numbers
  • Institution home pages, which are designated as a channel for distributing information in the event of a campus emergency

System Classification: Medium Criticality
Classification Guidelines:
  • Servers that store Internal Use data
  • OR servers that have privileged access to systems that store Restricted data
  • OR servers that host Medium Availability applications
Examples:
  • A departmental file server where salary and benefits information is stored
  • A web server that stores no data locally, but runs an application that accesses a database on a separate database server containing Social Security numbers
  • The web server for a school that is required to deliver e-learning services

System Classification: Standard Criticality
Classification Guidelines:
  • Servers that store only Public data
  • OR servers that have privileged access to systems that store Internal Use data
  • OR servers that host Standard Availability applications
  • OR individual workstations, laptops or devices
Examples:
  • All individual workstations, laptops or devices
  • All IT systems that are not classified as Medium or High Criticality
  • Workgroup servers that do not store Internal Use or Restricted data
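The following is an added worked example, not part of the UA standard or any University tooling, showing how the rules above combine when applied to an inventory: "storing" propagates from a file server to every server that mounts its shares, privileged access to a system counts one level below storing its data, the availability level contributes its own candidate, the highest applicable category wins, and a manager override can raise but never lower the result. The hostnames, mount and privileged-access relationships are constructed for illustration; the mapping from privileged access to criticality (Restricted target gives Medium, Internal Use target gives Standard) is taken directly from the table rows above.

```python
# Added example: apply the UA system criticality rules to a constructed inventory.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DATA_LEVELS = ("Public", "Internal Use", "Restricted")  # ascending sensitivity
AVAIL_LEVELS = ("Standard", "Medium", "High")           # ascending availability
CRIT_LEVELS = ("Standard", "Medium", "High")            # ascending criticality

# Criticality implied by the most sensitive data a server stores (table rows above).
STORED_CRIT = {"Public": "Standard", "Internal Use": "Medium", "Restricted": "High"}
# Privileged access to a system counts one level below storing that system's data.
PRIVILEGED_CRIT = {"Public": "Standard", "Internal Use": "Standard", "Restricted": "Medium"}


@dataclass
class System:
    name: str
    is_server: bool                                       # server/individual context
    data: Set[str] = field(default_factory=set)           # data classes on local disk or DB
    mounts: Set[str] = field(default_factory=set)         # systems whose file shares this one mounts
    privileged_to: Set[str] = field(default_factory=set)  # DB connections, admin logins, etc.
    availability: str = "Standard"
    override: Optional[str] = None                        # manager-chosen criticality; may only raise


def highest(levels, order):
    """Highest-ranked entry of `levels` under `order`; lowest rank if `levels` is empty."""
    return max(levels, key=order.index) if levels else order[0]


def stored_data(name: str, inventory: Dict[str, System]) -> Set[str]:
    """Data a system "stores": local data plus data on every file share it actively mounts."""
    s = inventory[name]
    levels = set(s.data)
    for share_host in s.mounts:
        levels |= inventory[share_host].data
    return levels


def criticality(name: str, inventory: Dict[str, System]) -> str:
    """System Criticality per the table: highest applicable category, then any upward override."""
    s = inventory[name]
    if not s.is_server:
        base = "Standard"  # all individual workstations, laptops and devices
    else:
        candidates = [STORED_CRIT[highest(stored_data(name, inventory), DATA_LEVELS)]]
        for target in s.privileged_to:
            candidates.append(PRIVILEGED_CRIT[highest(stored_data(target, inventory), DATA_LEVELS)])
        candidates.append(CRIT_LEVELS[AVAIL_LEVELS.index(s.availability)])
        base = highest(candidates, CRIT_LEVELS)
    if s.override and CRIT_LEVELS.index(s.override) > CRIT_LEVELS.index(base):
        return s.override  # a manager may raise criticality, never lower it
    return base


def classify_all(inventory: Dict[str, System]) -> Dict[str, str]:
    return {name: criticality(name, inventory) for name in inventory}


# Constructed inventory; hostnames and relationships are hypothetical.
INVENTORY = {
    "db01": System("db01", True, data={"Restricted"}, availability="Medium"),   # SSNs
    "web01": System("web01", True, privileged_to={"db01"}, availability="Medium"),
    "files01": System("files01", True, data={"Internal Use"}),                 # salary data
    "app02": System("app02", True, data={"Public"}, mounts={"files01"}),        # mounts files01
    "www": System("www", True, data={"Public"}, availability="High"),          # emergency channel
    "admin-ws": System("admin-ws", False, privileged_to={"db01", "web01"}),
    "wg01": System("wg01", True, data={"Public"}, override="Medium"),          # raised by manager
    "files02": System("files02", True, data={"Internal Use"}, override="Standard"),  # ignored
}

if __name__ == "__main__":
    for host, level in classify_all(INVENTORY).items():
        print(f"{host:10} {level}")
```

Two results are worth noting: app02 stores no Internal Use data locally but lands at Medium Criticality because it mounts files01's share, and admin-ws stays at Standard despite privileged access to a Restricted system, because the table places every individual workstation in Standard Criticality regardless of access.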

 

Related Policies

University of Alaska Regulation 02.07.090-094 Data Classification Standards

For questions or comments email security@alaska.edu.

Effective date: January 1, 2014