System Criticality \ Data Classification | Sensitive | Confidential | Internal | Public |
---|---|---|---|---|
Mission Critical | Level 3 | Level 3 | Level 3 | Level 3 |
Core | Level 3 | Level 2 | Level 2 | Level 2 |
Business Critical | Level 3 | Level 2 | Level 2 | Level 1 |
Operational | Level 3 | Level 2 | Level 1 | Level 1 |
The WVU Data Classification Policy establishes the rules that govern the classification of information generated through the academic, administrative, research, and outreach activities conducted at WVU into four categories: Sensitive, Confidential, Internal, and Public.
The WVU Information Security Policy identifies that Information Technology Services is responsible for establishing the rules to safeguard the hardware, software, and information systems utilized at WVU. The governance established by ITS applies to all units, faculty, staff, affiliates, and vendors with access to WVU systems and data. The table below identifies the minimum security requirements for a WVU system or application based on the classification of the data stored within the system and/or the system’s criticality. Security requirements are based on implemented technology governance and are organized below based on the NIST Cybersecurity Framework.
Security Category = [Confidentiality impact + Integrity impact + Availability impact]
Confidentiality means preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability means ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
| | Level 1 - Low | Level 2 - Moderate | Level 3 - High |
---|---|---|---|
Impact on WVU’s mission | None | No impact | Potential impact |
Impact on WVU’s reputation | At most a minimal risk | Moderate risk | Significant risk |
Impact on WVU’s finances | None | Mild impact | Significant impact |
Risk to the security of other systems protecting data | None | Mild impact | Significant impact |
Risk to life safety | None | None | Potential risk |
Data Classification | Public | Internal/Confidential | Confidential/Sensitive |
Icon Key: Required, ☑ Recommended, Prohibited, ⬜ Not Required
Asset Management
Governance: University-Owned Device Standard, Secure Server Standard, Information Security Policy, Sensitive Data Policy
Security Control | High | Moderate | Low |
---|---|---|---|
Maintain inventory of computers that identifies criticality of device or data being stored on it. Sensitive Data must NEVER be stored on a computer. | | | |
Maintain inventory of systems being used and managed by WVU that identifies classification of data stored within. | | | |
Maintain inventory of servers being used and managed by WVU that identifies purpose of server and classification of data stored on server. | | | |
Develop, document, and periodically update system security plans. | | ☑ | ⬜ |
Business Environment
Governance: Vendor Security and Compliance/Technology Procurement Standard (pending development), Risk Assessment Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Adhere to WVU IT Purchase process | | | |
Require security assessment prior to purchase | | ☑ | ⬜ |
Assess vendor security compliance every three years, at minimum | | | ☑ |
Risk Assessment
Governance: Information Security Policy, Compliance Exception Management Standard, Risk Assessment Standard, PHI Privacy Policy, PHI Protection Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Annual risk assessment conducted | | ⬜ | ⬜ |
Risk assessment conducted every 3 years | ⬜ | | ⬜ |
Document architectural layout of the environment | | ☑ | ☑ |
Develop post-assessment plans to reduce risks to acceptable levels | | | |
Prioritize remediation/mitigation of risks identified based on severity | | | |
Authorize acceptance of unmitigated risks | | | |
Identity Management & Access Control
Governance: Identity & Access Management Policy, Identity & Authentication Management Standard, Access Management Standard, Remote Access Standard, Sensitive Data Protection Standard, University-Owned Device Standard, Data Center Policy, Data Center Security Standard, Secure Server Standard, Physical Access Management Standard, Password Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Authentication is required to access systems | | | |
Enterprise Directory Services (SSO) is required for authentication | | | ☑ |
Two-Factor authentication (2FA) is required for users to access systems. Use of campus VPN can be leveraged to ensure 2FA. | | | ☑ |
Two-Factor authentication (2FA) is required for privileged access to systems. Use of campus VPN can be leveraged to ensure 2FA. | | | |
Two-Factor authentication (2FA) is required for all remote access solutions. Use of campus VPN can be leveraged to ensure 2FA. | | | |
All passwords must meet Password Standard | | | |
Manage passwords for privileged Service Accounts in password vault | | | |
Manage passwords for privileged Shared Application Accounts in privileged access management tool | | | |
Manage passwords for Shared Application Accounts with non-privileged access in password vault | | | |
Use of restrictive VPN that requires use of a University Device to conduct privileged access | | | |
Two-Factor authentication (2FA) required for non-local maintenance solutions. Individuals must actively accept remote sessions. | | | |
Access granted on principle of Least Privilege | | | |
Review accounts annually and remove individuals who no longer require access | | | ☑ |
Implement host-based firewalls to block all inbound traffic not required for use of computer and/or server | | | |
Computer must use session lock after 15 min of inactivity | | | ☑ |
Physically secure servers within a University Data Center | ☑ | ☑ | ☑ |
Physically secure servers within Secure Server Room | | | |
Backup media must be secured from unauthorized physical access | | | |
Printer securely configured in a restricted-access location with authorized person available to receive printout immediately, or printer is password-protected | | ⬜ | ⬜ |
Awareness & Training
Governance: Information Security Policy
Security Control | High | Moderate | Low |
---|---|---|---|
Users must receive training to perform their duties | | | ☑ |
Privileged users receive training to understand their roles and responsibilities | | | ☑ |
Data Security
Governance: Data Center Security Standard, Secure Server Standard, University-Owned Device Standard, Data Destruction & Media Sanitization Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Server housed in University Data Center whole-disk encrypted | ⬜ | ⬜ | ⬜ |
Server housed in server rooms whole-disk encrypted | | | ☑ |
Server not in server room/device whole-disk encrypted. Servers storing Sensitive Data must be housed within a secured server room. | | | |
Development and testing environments of systems storing data are separate from production environment | | ☑ | ☑ |
Information Protection Processes and Procedures
Governance: Information Security Policy, Password Standard, Secure Server Standard, Data Center Security Policy
Security Control | High | Moderate | Low |
---|---|---|---|
Follow established SDLC processes | | ☑ | ☑ |
Follow established configuration change control processes | | ☑ | ☑ |
Develop a business continuity plan/disaster recovery plan | ☑ | ☑ | ☑ |
Business continuity plan/disaster recovery plan tested annually | ☑ | ☑ | ☑ |
Data backed up outside of a University Data Center | | ☑ | ☑ |
Device sanitized appropriately before transfer or reuse | | | |
Security Continuous Monitoring
Governance: University-Owned Device Standard, Secure Server Standard, Log Retention Standard [draft]
Security Control | High | Moderate | Low |
---|---|---|---|
Anti-virus installed and running Real-Time scanning | | | |
Send logs to Security Event Management (SIEM) system (Splunk) | | ☑ | ☑ |
Automate alerting on logging failures | | ☑ | ⬜ |
Retain logs for 1 year or no less than 90 days for High/Moderate and 90 days for Low | | | ☑ |
Vulnerability Management
Governance: Vulnerability Management Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Authenticated vulnerability scans required monthly | | ☑ | ⬜ |
Critical Patches implemented within 30 days | | | |
Prioritize remediation/mitigation based on severity, risk, and likelihood | | | |
Implement alternative security controls for vulnerabilities that cannot be remediated | | | |