Endpoints | Servers | Applications

Data Classification Guidelines

 


These standards are intended to reflect the minimum level of care necessary for the University's sensitive data. They do not relieve the University of Iowa or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract.  You are encouraged to adopt these core security standards, prioritizing your systems by risk level.  As cybersecurity is a rapidly-evolving field that continuously presents us with new challenges, these standards will be revised and updated accordingly.  Many of these requirements are already codified in UI Policy, but the overall Core Security Standards document will eventually become UI Policy as well.


 

Endpoints

 

An endpoint is defined as any laptop, desktop, or mobile device.

  1. Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all.
    • For example, an endpoint storing Low Risk data but utilized to access a High-Risk application is designated as a High-Risk endpoint.
  2. Implement the security standards for the level of risk, as outlined in the table below to safeguard your endpoint.

 

Standards Recurring Task What To Do Low
Risk
Moderate Risk High
Risk
IT Policy/Standard Reference
 Patching X
  • Keep all software (OS and application) up to date to the extent possible.
  • Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
  • Only use actively-supported Operating Systems and applications.  Systems with unsupported or outdated OS and applications may not be directly connected to the campus network.
X X X

IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards

IT Standard 05 - Computer Security Standard

 Inventory X
  • Utilize campus, college, or unit inventory service/procedures to track all devices.
X X X UI Controller's Computer Inventory & Control Policy
 Media  Disposal  
  • All institutional data and licensed software must be reliably erased from all devices prior to transfer within the UI, as well as out of University Control.
  • If data cannot be erased, the media must be destroyed.
  • Research data must be approved by the OVPR before it can be transferred out of University control.
X X X IT-21 Computer Data and Media Disposal Policy
 Whole Disk  Encryption  
  • Whole disk encryption is required on all laptops and tablet computers, USB storage devices with Level III data, and for desktops in units that regularly handle Level III data.
  • Enable FileVault2 for Mac, BitLocker for Windows, BitLocker2Go for Windows USB devices, LUKS or similar software for Linux.
  • Systems must be domain-attached and using device management to use whole-disk encryption.
X X X IT-19 Institutional Data Access & Handling Policy
 Backups X
  • Endpoints that store institutional data locally must have data backed up in accordance with the UI Records Management Program.
  • System and data backups must exist to enable prompt recovery/restoration of service.
X X X

IT-17 Backup & Recovery Policy 

UI Operations Manual, Ch. 17 - Records Management

 Incident  Handling X
  • All suspected or confirmed security events must be immediately reported to the Security Office.
  • No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.
X X X  
 USR  Registration X
  • Endpoints that store Level II/III data locally must be registered with the Security Office.
  X X UI Controller's Computer Inventory & Control Policy
 Physical  Protection  
  • All devices with Level II & III data and all mobile devices must be kept in a physically secure location when staff are not present.
  • Location must be protected by physical access controls such as keys, biometrics, or proximity cards.
  X X IT-18 Information Security Framework Policy; Physical Access Controls
 Configuration  Management X
  • Automated system change control management must be utilized for devices, such as UI Capser or MS-SCCM services.
  • CM process must monitor and control hardware and software configuration changes.
  X X

IT-18 Information Security Framework

IT Standard - 05 Computer Security Standard

 Regulated
 Data Security
 Controls
 
  • Implement additional FISMA, PCI-DSS, HIPAA, or Export Control requirements as applicable.
  • Links to applicable controls are on the IT Security website.
    X UI Information Security Plan (08/2015)

Back to Top

 

Servers

A server is defined as a host that provides a network-accessible service.

  1. Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all.
    • For example, an application server that does not store High Risk data, but connects to a database server that does, is designated as a High-Risk server.
  2. Implement the security standards for the level of risk, as outlined in the table below to safeguard your endpoint.

 

Standards Recurring Task What To Do Low Risk Moderate Risk High Risk IT Policy/Standard Reference
 Patching X
  • Keep all software (OS and application) up to date to the extent possible.
  • Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
  • Only use actively-supported Operating Systems and applications.  Systems with unsupported or outdated OS and applications may not be directly connected to the campus network.
X X X

IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards

IT Standard 05 - Computer Security Standard

 Malware  Protection  
  • Install anti-virus software on all eligible devices, using UI recommended or site-licensed software where possible.
  • Make certain the virus detection signatures are updated on a daily basis.
  • Configure the software to scan all incoming files
X X X IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards
 Inventory X
  • Utilize campus, college, or unit inventory service/procedures to track all devices.
  • Servers located in Enterprise Data Centers are inventoried by facility personnel.
X X X UI Comptroller's Computer Inventory & Control Policy
 Media Disposal  
  • All institutional data and licensed software must be reliably erased from all devices prior to transfer within the UI, as well as out of University Control.
  • If data cannot be erased, the media must be destroyed.
  • Research data must be approved by the OVPR before it can be transferred out of University control.
X X X IT-21 Computer Data and Media Disposal Policy
 Data Encryption  
  • Recommend whole-disk encryption where feasible.
  • Use certificates for encryption where applicable.
X X X IT-19 Institutional Data Access & Handling Policy
 Backups &  Disaster  Recovery X
  • System backups must exist to enable prompt restoration of UI services.
  • Backup of "UI Record" information must be performed in accordance with the UI Records Management Program.
  • Disaster Recovery Plan must exist & be reviewed annually.
  • Disaster Recovery Plan must be tested.
X X X

IT-17 Backup & Recovery

UI Operations Manual, Ch. 17 - Records Management

 Incident  Handling X
  • All suspected or confirmed security events must be immediately reported to the Security Office.
  • No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.
X X X  
 Firewall  
  • Enable host-based firewall in default deny mode and permit minimum necessary services.
  • Servers with Level III data must be housed in an Enterprise Data Center.
X X X IT Security Best Practices, Resources for Everyone
 Credentials &  Access Control X
  • Conform to UI Password Policy.
  • Utilize HawkID authentication in lieu of local accounts.
  • Quarterly review of user accounts, Access privileges, and procedures/policies.
X X X IT-05 Enterprise Password Policy
 Centralized  Logging  
  • Activity Logging required on all servers.
  • Remote log forwarding required for servers handling Level II / III data.
X X X Iowa Board of Regents IT Security & Network Log Retention Guidelines
 USR
 Registration
X
  • Systems not in an Enterprise Data Center that store Level II / III data must be registered with the Security Office.
  X X UI Controller's Computer Inventory & Control Policy
 Configuration  Management  
  • A system for change control management must be implemented for systems handling level II & III institutional data.
  • System must monitor and control hardware and software configuration changes.
  X X

IT-18 Information Security Framework

IT STANDARD 05 - Computer Security Standards

 SysAdmin
 Training
X
  • SysAdmins must receive Media Disposal Training, as well as Network Security Training Seminars and Security Awareness Training for IT Personnel.
  X X IT-16 Roles and Responsibilities for Information Security; Data Custodian section
 Vulnerability  Management X
  • Systems attached to the University Network are subject to periodic vulnerability assessments by the Security Office.
  • High-severity vulnerabilities must be resolved within 5 days; Medium-severity vulnerabilities within 30 days of identification.
  X X IT-01 Network Vulnerability Scanning & Penetration Testing
 Intrusion
 Detection
X
  • Host-based monitoring and alerting tool, such as OSSEC, must be installed and configured if Level III data is handled.
  X X UI Defense in Depth Security Strategy (12/02/2003)
 Physical
 Protection
 
  • All servers with Level II & III data must be kept in a physically secure location.
  • Location must be protected by physical access controls such as keys, biometrics, or proximity cards.
  X X IT-18 Information Security Framework Policy; Physical Access Controls
 Remote Access  
  • 2-Factor authentication required for all remote access.
  • Utilize available privileged remote access services (Bastion Host, Terminal Server, etc.)
    X  
 Security,  Privacy, &
 Legal Review
 
  • Recommend all servers undergo a Security, Privacy, & Legal review and implement recommendations prior to deployment.
    X  
 Two-Step  Authentication  
  • Multi-Factor Authentication required for all Privileged Access (Root, Administrator)
    X  
 Regulated
 Data Security
 Controls
 
  • Implement FISMA, PCI-DSS, HIPAA, or Export Controls as applicable.
  • Links to applicable controls are on the IT Security website.
    X  

Back to Top

 

 

Applications

An application is defined as software running on a server that is remotely accessible.

  1. Determine the overall risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all.
    • For example, an application that processes critical business functions with high availability requirements, is designated as a High Risk application.
  2. Implement the security standards for the level of risk, as outlined in the table below to safeguard your endpoint.

 

Standards Recurring Task What To Do Low Risk Moderate Risk High Risk IT Policy/Standard Reference
 Patching X
  • Keep all application software up to date to the extent possible.
  • Critical updates/patches shall be applied within 5 days, normal patches within 30 days.
  • Only use actively-supported OS and applications only.
X X X

IT-08 Network Citizenship Policy, Appendix A: Baseline Security Standards

IT Standard 05 - Computer Security Standard

 Inventory X
  • All applications will be inventoried using the UI Application Portfolio Management system.
X X X UI Controller's Computer Inventory & Control Policy
 Data  Encryption X
  • Recommend whole-disk encryption where feasible.
  • Use certificates for communication encryption where possible.
X X X IT-19 Institutional Data Access & Handling Policy
 Backups &  Disaster  Recovery X
  • Application backups must exist to enable prompt restoration of UI services.
  • Backup of institutional data must be performed in accordance with the UI Records Management Program.
  • Disaster Recovery Plan must exist & be reviewed annually.
  • Disaster Recovery Plan must be tested.
X X X

IT-17 Backup & Recovery

UI Operations Manual, Ch. 17 - Records Management

 Firewall  
  • Enable host-based firewall in default deny mode and permit minimum necessary services.
X X X IT Security Best Practices, Resources for Everyone
 Software  Review  
  • All software must undergo software review prior to purchase, or installation/use by the University.
X X X IT Security Best Practices, Resources for Everyone
 Credentials
 & Access
 Control
X
  • Conform to UI Password Policy.
  • Utilize HawkID authentication in lieu of local accounts.
  • Quarterly review of user accounts, Access privileges, and procedures/policies.
X X X IT-05 Enterprise Password Policy
 Incident  Handling X
  • All suspected or confirmed security events must be immediately reported to the Security Office.
  • No actions, including but not limited to sensitive data scans (IdentityFinder), repairs, reimaging, copying data, or other actions, may be performed without prior direction from the Security Office.
X X X  
 Two-Step  Authentication X
  • Multi-factor authentication recommended for applications that handle sensitive institutional data, particularly accounts with Privileged (administrator) access.
  X X  
 Centralized  Logging  
  • Application activity logging required.
  • Remote log forwarding required for servers handling Level II / III data.
  X X Iowa Board of Regents IT Security & Network Log Retention Guidelines
 Vulnerability  Management X
  • Systems attached to the University Network are subject to periodic vulnerability assessments by the Security Office.
  • High-severity vulnerabilities must be resolved within 5 days; Medium-severity vulnerabilities within 30 days of identification.
  X X IT-01 Network Vulnerability Scanning & Penetration Testing
 Secure
 Software
 Development
X
  • System & application software must be tested before installation in a production environment.
  • Production version must be protected from unauthorized changes.
  • Separation of duties required between software developer and production implementers.
  X X IT-18 Information Security Framework Policy, Systems & Application Software
 Developer  Training  
  • Developers involved in support of systems that process payments must complete developer-specific security training annually, including secure coding techniques.
  X X IT-16 Roles & Responsibilities for Information Security; Data Custodian
 Security,  Privacy, &  Legal Review  
  • Recommend all applications undergo a Security, Privacy, & Legal review and implement recommendations prior to deployment.
    X  
 Regulated
 Data Security
 Controls
 
  • Implement FISMA, PCI-DSS, HIPAA, or Export Controls as applicable.
  • Links to applicable controls are on the IT Security website.
    X  

Back to Top