Information System Security Categorization
The WVU Information Security Policy identifies that Information Technology Services is responsible for establishing the rules to safeguard the hardware, software, and information systems utilized at WVU. The governance established by ITS applies to all units, faculty, staff, affiliates, and vendors with access to WVU systems and data. In support of a risk-based approach to security, WVU will classify information systems in one of three security categories and provide the minimum security requirements within each category. At a high level, the security category of an information system is based on the type of data within the system and its criticality to the operations of the University.
System Criticality (rows) / Data Classification (columns) | Sensitive | Confidential | Internal | Public |
---|---|---|---|---|
Mission Critical | High | High | High | High |
Core | High | Moderate | Moderate | Moderate |
Business Critical | High | Moderate | Moderate | Low |
Operational | High | Moderate | Low | Low |
The WVU Data Classification Policy establishes the rules that govern the classification of information generated through the academic, administrative, research, and outreach activities conducted at WVU into four categories: Sensitive, Confidential, Internal, and Public. The WVU Information Security Policy classifies the criticality of information systems into four categories: mission critical, core, business critical, and operational.
The following table provides examples that can be used to assist in selecting a security category for an information system. For assistance classifying the information system you manage, review the information provided in the Security Objectives section or contact Information Security Services at infosec@mail.wvu.edu.
Security Objective | Level 3 - High | Level 2 - Moderate | Level 1 - Low |
---|---|---|---|
Impact on WVU’s mission | Potential impact | Mild impact | None |
Impact on WVU’s reputation | Significant risk | Moderate risk | At most a minimal risk |
Impact on WVU’s finances | Significant impact | Mild impact | None |
Risk to the security of other systems protecting data | Significant impact | Mild impact | None |
Risk to life safety | Potential risk | None | None |
Data Classification | Confidential/Sensitive | Internal/Confidential | Public |
Minimum Security Requirements
The tables below identify the minimum security requirements for a WVU system or application based on the classification of the data stored within the system and/or the system’s criticality. Security requirements are derived from the implemented technology governance documents listed under each heading and are organized according to the NIST Cybersecurity Framework.
Icon Key: Required / Recommended / Prohibited / Not Required
Asset Management
Governance: University-Owned Device Standard, Secure Server Standard, Information Security Policy, Sensitive Data Policy
Security Control | High | Moderate | Low |
---|---|---|---|
Maintain an inventory of computers that identifies the criticality of each device or of the data stored on it. Sensitive Data must NEVER be stored on a computer. | | | |
Maintain an inventory of systems used and managed by WVU that identifies the classification of data stored within each system. | | | |
Maintain an inventory of servers used and managed by WVU that identifies the purpose of each server and the classification of data stored on it. | | | |
Develop, document, and periodically update system security plans. | | | |
Business Environment
Governance: Vendor Security and Compliance/Technology Procurement Standard (pending development), Risk Assessment Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Adhere to the WVU IT Purchase process | | | |
Require a security assessment prior to purchase | | | |
Assess vendor security compliance every three years, at minimum | | | |
Risk Assessment
Governance: Information Security Policy, Compliance Exception Management Standard, Risk Assessment Standard, PHI Privacy Policy, PHI Protection Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Annual risk assessment conducted | | | |
Risk assessment conducted every 3 years | | | |
Document the architectural layout of the environment | | | |
Develop post-assessment plans to reduce risks to acceptable levels | | | |
Prioritize remediation/mitigation of identified risks based on severity | | | |
Authorize acceptance of unmitigated risks | | | |
Identity Management & Access Control
Governance: Identity & Access Management Policy, Identity & Authentication Management Standard, Access Management Standard, Remote Access Standard, Sensitive Data Protection Standard, University-Owned Device Standard, Data Center Policy, Data Center Security Standard, Secure Server Standard, Physical Access Management Standard, Password Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Authentication is required to access systems | | | |
Enterprise Directory Services (SSO) is required for authentication | | | |
Two-Factor authentication (2FA) is required for users to access systems. The campus VPN can be leveraged to enforce 2FA. | | | |
Two-Factor authentication (2FA) is required for privileged access to systems | | | |
Two-Factor authentication (2FA) is required for all remote access solutions | | | |
All passwords must meet the Password Standard | | | |
Manage passwords for privileged Service Accounts in a password vault | | | |
Manage passwords for privileged Shared Application Accounts in a privileged access management tool | | | |
Manage passwords for Shared Application Accounts with non-privileged access in a password vault | | | |
Use a restrictive VPN that requires a University-owned device for privileged access | | | |
Two-Factor authentication (2FA) is required for non-local maintenance solutions. Individuals must actively accept remote sessions. | | | |
Access is granted on the principle of Least Privilege | | | |
Review accounts annually and remove individuals who no longer require access | | | |
Implement host-based firewalls to block all inbound traffic not required for the use of the computer and/or server | | | |
Computers must lock the session after 15 minutes of inactivity | | | |
Physically secure servers within a University Data Center | | | |
Physically secure servers within a Secure Server Room | | | |
Backup media must be secured from unauthorized physical access | | | |
Printer is securely configured in a restricted-access location with an authorized person available to receive the printout immediately, or the printer is password-protected | | | |
Awareness & Training
Governance: Information Security Policy
Security Control | High | Moderate | Low |
---|---|---|---|
Users must receive training to perform their duties | | | |
Privileged users receive training to understand their roles and responsibilities | | | |
Data Security
Governance: Data Center Security Standard, Secure Server Standard, University-Owned Device Standard, Data Destruction & Media Sanitization Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Server housed in a University Data Center is whole-disk encrypted | | | |
Server housed in a server room is whole-disk encrypted | | | |
Server not in a server room, or end-user device, is whole-disk encrypted | | | |
Development and testing environments of systems storing data are separate from the production environment | | | |
Information Protection Processes and Procedures
Governance: Information Security Policy, Password Standard, Secure Server Standard, Data Center Security Policy
Security Control | High | Moderate | Low |
---|---|---|---|
Follow established SDLC processes | | | |
Follow established configuration change control processes | | | |
Develop a business continuity plan/disaster recovery plan | | | |
Business continuity plan/disaster recovery plan tested annually | | | |
Data backed up outside of a University Data Center | | | |
Device sanitized appropriately before transfer or reuse | | | |
Security Continuous Monitoring
Governance: University-Owned Device Standard, Secure Server Standard, Log Retention Standard [draft]
Security Control | High | Moderate | Low |
---|---|---|---|
Anti-virus installed and running with real-time scanning enabled | | | |
Send logs to the Security Information and Event Management (SIEM) system (Splunk) | | | |
Automate alerting on logging failures | | | |
Retain logs for 1 year (and never less than 90 days) for High/Moderate systems; retain logs for 90 days for Low systems | | | |
Vulnerability Management
Governance: Vulnerability Management Standard
Security Control | High | Moderate | Low |
---|---|---|---|
Authenticated vulnerability scans required monthly | | | |
Critical patches implemented within 30 days | | | |
Prioritize remediation/mitigation based on severity, risk, and likelihood | | | |
Implement alternative security controls for vulnerabilities that cannot be remediated | | | |