UC Santa CruzInformation Technology Services

Information Security Team
Communications Building
1156 High Street
Santa Cruz, CA 95064
Phone: (831) 459-HELP



Maintained by secweb@ucsc.edu
Last Reviewed on Oct 26, 2004

© 2008 The Regents of the University of California

 


Security Measures by Degree of Information Sensitivity

Level of Sensitivity: the degree of adverse effect that may result from unauthorized access or disclosure.

Protections are based on IS-3. For each control, the table gives the requirement level for data of High, Moderate, and Low or None sensitivity; a blank cell means no recommendation is made for that sensitivity level.

| Control (protections based on IS-3) | High (Restricted Data) | Moderate (Confidential Data) [1] | Low or None (Non-Confidential Data) |
|---|---|---|---|
| Minimum Network Connectivity Requirements | | | |
| 1. 1.1 Access control measures for controlled electronic information resources*; 1.2 Encrypted transmission of restricted data, including passwords**; 1.3 Software updates / patch management; 1.4 Malicious software protection; 1.5 Removal of unnecessary services; 1.6 Host-based firewalls; 1.7 No unauthorized email relays; 1.8 No unauthorized, unauthenticated proxy servers; 1.9 Physical security and session timeout; 1.10 Security audit agents (may be required based on level of risk)*** | Required | Required | Required |
| Additional Administrative Controls | | | |
| 2. Risk assessment, asset inventory and classification; identification of systems storing and accessing data | Required for PII, ePHI, PCI; otherwise recommended | Recommended | Recommended |
| 3. Additional controls for transferring, distributing, and downloading data | Required | Recommended | |
| 4. Authorization required for access, including privileged access | Required | Required | |
| 5. Control privileged access through defined procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties | Required | Recommended | |
| 6. Background checks | Required | | |
| 7. Third party agreements with data security language | Required | Recommended | |
| 8. Take appropriate personnel/disciplinary action for violations of law or policy | Required | Required | Required |
| Additional Operational Controls | | | |
| 9. Secure and accountable means of authorization and authentication | Required | Required | |
| 10. Prompt modification or termination of access or access levels in response to authorization changes | Required | Required | |
| 11. UCSC password guidelines and password vulnerability assessment | Required | Recommended | Recommended |
| 12. Delete, redact or de-identify data whenever possible | Recommended | Recommended | |
| 13. Minimize data stored on portable devices | Recommended | Recommended | |
| 14. Education and security awareness training | Required | Recommended | Recommended |
| 15. Incident response planning and notification procedures | Required | Required | Required |
| 16. Controls for test, training and development systems | Required | Recommended | |
| 17. Access and activity audit and logging procedures, including access attempts and privileged access | Required where mandated by legislative or regulatory requirements (e.g. ePHI, PCI), or as deemed appropriate; otherwise recommended | Recommended | |
| 18. Application security: system and application development standards, application vulnerability assessment | Required for PCI; otherwise recommended | Recommended | |
| 19. Authorized, documented change management procedures | Required for security-related changes and essential resources | Required for essential resources; otherwise recommended | Required for essential resources; otherwise recommended |
| 20. Backup systems supporting essential activities | Required | Required | Required |
| Additional Technical Controls | | | |
| 21. Network firewalls and IDS/IPS | Required for restricted or essential systems | Recommended | |
| 22. Encryption: stored data; transmitted data; backups where physical security is at risk; protective measures such as encryption for data on portable devices and media; appropriate encryption key management to ensure the availability of encrypted authoritative information | Encryption or other compensating controls required | Encryption or other compensating controls recommended | |
| Additional Physical Controls | | | |
| 23. Physical access controls; facility access controls | Required | Recommended | Recommended |
| 24. Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed | Required | Recommended | Recommended just in case |
| 25. Physical security for portable devices and media | Required | Recommended | Recommended |
| 26. Track reassignment or movement of devices and stock inventories, including financial instruments such as check stock and produced checks | Required | Required for financial instruments; otherwise recommended | |
| 27. Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks | Required | Required for financial instruments; otherwise recommended | |
| 28. Risk mitigation for emergency conditions and procedures to protect restricted data during emergency mode operations | Required | Recommended | |
| Other Legal and Regulatory Requirements | | | |
| 29. HIPAA Security Rule / UCSC Practices for HIPAA Security Rule Compliance | Required for all ePHI | N/A | N/A |
| 30. Payment Card Industry Data Security Standard (PCI DSS) | Required for all sensitive credit cardholder data | N/A | N/A |

Notes on item 1:

* IS-3 scope limited to access control measures for networked devices.
** IS-3 scope limited to encrypted authentication.
*** Not included in IS-3.

--------------------------------
[1] The degree of sensitivity determines applicability of recommendations.

 

Rev. 7/14/08