IS-3 Electronic Information Security. Implementation Checklist

Transcription

1 ATTACHMENT 3 IS-3 Electronic Information Security Implementation Checklist Information Resources & Communications Office of the President March 30, 2000

2 TABLE OF CONTENTS INTRODUCTION TO TABLES...1 DEFINITION OF CATEGORIES...1 APPLICATIONS - DRAFT ASSIGNMENT...2 ASSUMPTIONS - RESTRICTED APPLICATIONS...3 ASSUMPTIONS - NON-RESTRICTED APPLICATIONS...4 REQUIRED ACTIONS - GENERAL LEVEL...5 ACTION PLAN - EIR SECURITY COORDINATORS...6 ACTION PLAN - EIR PROPRIETORS...7 ACTION PLAN - EIR CUSTODIANS...8

3 INTRODUCTION TO TABLES The Definition of Categories table summarizes the definitions (in Business and Finance Bulletin IS-3, Electronic Information Security) of criticality and sensitivity. It is provided here as a checklist to test the provisional assignment of applications to the 6 possible combinations of criticality and sensitivity. Applications - Draft Assignment makes a provisional assignment of applications to the 6 possible combinations of criticality and sensitivity in order to help EIR Security Coordinators identify likely EIR Proprietors of the most critical and sensitive electronic information resources. The first step in the Action Plan is for the EIR Security Coordinator to request a definitive assignment by the EIR Proprietors, who have ultimate responsibility, under IS-3, for electronic information resources in their jurisdiction. Assumptions - Restricted Applications and Assumptions - Non-Restricted Applications identify the assumptions that were made in the provisional assignment of applications to the 6 possible combinations of criticality and sensitivity. The purpose is to enable reviewers to evaluate the Implementation Plan more efficiently. Required Actions - General Level identifies the follow-up actions that are required for applications assigned to the 6 possible combinations of criticality and sensitivity. This is at the general rather than detailed level to put the actions in perspective. Action Plans-EIR Security Coordinators, -EIR Proprietors, and -EIR Custodians lists the actions that must be taken by various persons at each University location in order to implement Business and Finance Bulletin IS-3, Electronic Information Security. This lists compacts the items identified in the IS-3 Implementing Guidelines that was distributed in September,

4 DEFINITION OF CATEGORIES A Restricted The data includes information that personally identifies an individual or Unauthorized access, modification or loss of the data seriously affect the University, a business partner, or the public or The Proprietor has restricted the data. B Non-Restricted The data does not include information that personally identifies an individual and Unauthorized access, modification or loss of the data would not seriously affect the University, a business partner, or the public and The Proprietor has not restricted the data Essential Required Deferrable Failure of the resource to function correctly and on schedule could result in a major failure by a campus to perform mission-critical business functions, a significant loss of funds to a campus, or a significant liability or other legal exposure to a campus. Failure of the resource to function correctly and on schedule could result in a major failure by a campus to perform mission-critical business functions, a significant loss of funds to a campus, or a significant liability or other legal exposure to a campus. The operation of the campus could continue for some designated period of time without the function provided by the Information Resource and there is time for recovery should the Information Resource not perform correctly or on schedule. The operation of the campus could continue for some designated period of time without the function provided by the Information Resource and there is time for recovery should the Information Resource not perform correctly or on schedule. The campus could continue operation for an extended period of time without the Information Resource performing correctly or on schedule. The campus could continue operation for an extended period of time without the Information Resource performing correctly or on schedule. 1

5 APPLICATIONS - DRAFT ASSIGNMENT A Restricted Financial Aid Financial Payroll - Payments Retirement - Payments Benefits Enrollments Accounts Receivable Patient Patient Records Essential Required Deferrable Admissions Grades & Records Accounts Receivable - Registration And Course Financial Enrollment Financial Library Automation - Circulation Course Web Sites HR Systems Personnel Development (Donor Profiles) B Non-Restricted Financial Authentication Systems Emergency Telephone Systems Financial Accounts Payable (Campus) Campus Campus Telephone Network Library Automation - Public Access Financial General Ledger Purchasing Accounts Receivable General Budget System Investment System Investment Accounting Asset Management Buildings & Equipment Grant Proposals Grant Reporting 2

6 ASSUMPTIONS - RESTRICTED APPLICATIONS A Restricted Essential Required Deferrable Financial Aid - Assumes loss may be significant to recipient. Assumes Financial Aid can be unbundled from other student systems. Payroll-Payments, and Retirement-Payments - Assumes loss may be significant to recipient. Assumes other payroll and retirement functions are deferrable. Benefits Enrollments - Assumes benefits rights can be lost if enrollment is not timely. Assumes other benefit functions are deferrable. Admissions, Accounts Receivable-, Registration & Course Enrollment - Assumes student operations can function through designated recovery periods. Library Automation - Circulation, Course Web Sites - Assumes alternatives means could be used through designated recovery periods. Grades & Records - Assumes transcripts etc. are critical for only small numbers of records, which can be handled in alternative manner. HR Systems-Personnel - Includes all payroll, retirement, and benefit functions other than payments and enrollments. Development (Donor Profiles) - Assumes solicitations can continue for a time without profiles. Accounts Receivable- Patient - Assumes third party payments may be lost if billing is not timely. Patient Records - Assumes availability of patient records may be critical in some cases. 3

7 ASSUMPTIONS - NON-RESTRICTED APPLICATIONS B Non-Restricted Authentication Systems - Assumes breakdown of authentication might cause significant cost or liability to the University Essential Required Deferrable Emergency Telephone Systems - Assumes ETS facilities are distinct from normal telecommunications systems and must always be operative. Accounts Payable - Campus Assumes payables operations can function through designated recovery periods. Campus , Campus Telephone Network, and Library Automation - Public Access - Assumes alternatives means could be used through designated recovery periods. General Ledger, Purchasing, Accounts Receivable- General, Budget System, Investment System, Investment Accounting, Asset Management- Buildings & Equipment, Grant Proposals, Grant Reporting - No reason found to justify Essential or Required status. 4

8 REQUIRED ACTIONS - GENERAL LEVEL Essential Required Deferrable A Restricted Requires access security; Requires access security; Requires access security; Must be in Disaster May be in Disaster Need not be in Disaster B Non-Restricted Minimal security required; Minimal security required; Minimal security required; Must be in Disaster May be in Disaster Need not be in Disaster 5

9 ACTION PLAN - EIR SECURITY COORDINATORS Action 1. Survey Proprietors and Custodians to identify all Electronic Information Resources designated as essential. (See Risk Assessment) 2. Survey Proprietors and Custodians to identify all Electronic Information Resources designated as restricted. (See Risk Assessment) 3. Ensure that disaster plans are prepared for essential Electronic Information Resources and coordinate their inclusion in the overall campus disaster recovery plan. (See Disaster Recovery) 4. Ensure that backup procedures have been implemented for essential Electronic Information Resources. (See Disaster Recovery) 5. Review logical controls on essential and restricted Electronic Information Resources. (See Logical Security) 6. Develop campus guidelines for the physical security of Electronic Information Resources. (See Physical Security) 7. Establish guidelines for determining which positions have job responsibilities that directly support essential Electronic Information Resources. (See Managerial Security) 8. Ensure that Proprietors or Custodians, as appropriate, implement managerial security guidelines pertaining to those who have access to essential Electronic Information Resources. (See Managerial Security) 9. Designate a campus authority to track, take preventive measures against, and react to Intrusive Computer Software, such as computer viruses. (See Managerial Security) 10. Ensure that all security roles are filled for essential Electronic Information Resources. (See Managerial Security) Applicability 1A, 2A, 3A, 2A, 3A ALL ALL 6

10 ACTION PLAN - EIR PROPRIETORS Action Applicability 1. Identify all essential Electronic Information Resources in the control of the Proprietor. (See Risk Assessment) 2. Identify all restricted Electronic Information Resources in the control of the Proprietor. (See Risk 1A, 2A, 3A Assessment) 3. Become familiar with the security requirements for essential Electronic Information Resources. (See Risk Assessment) 4. Ensure that Custodians prepare and test disaster recovery plans for essential Electronic Information Resources in the control of the Proprietor. This may require coordination with the Custodian and the Coordinator. (See Disaster Recovery) 5. Ensure that Custodians implement backup procedures for essential Electronic Information Resources in the control of the Proprietor. This may require coordination with the Custodian and the Coordinator. (See Disaster Recovery) 6. Implement logical security controls on access to Electronic Information Resources as required by, 2A, 3A and consistent with guidelines set by the Coordinator. (See Logical Security) 7. Ensure that University and campus systems development guidelines are followed when the, 2A, 3A Custodian implements changes to essential and restricted software. (See Logical Security) 8. Implement the privacy requirements identified in UC policies. (See Logical Security) ALL 9. Modify data in essential Electronic Information Resources software only in accordance with University and campus systems development guidelines. (See Logical Security) 10. Notify Authorized Users not to transfer or download essential or restricted data from secure to nonsecure environments. (See Logical Security), 2A, 3A 11. Ensure conformance to campus guidelines for the physical security of Electronic Information, 2A, 3A Resources in the control of the department. (See Physical Security) 12. Implement managerial security guidelines that govern essential Electronic Information Resources in the control of the department. (See Managerial Security) 7

11 ACTION PLAN - EIR CUSTODIANS Action Applicability 1. Become familiar with the security requirements for essential Electronic Information Resources. (See Risk Assessment) 2. Prepare and test disaster recovery plans for essential Electronic Information Resources under the control of the department. This may require coordination with the Proprietor and the Coordinator. (See Disaster Recovery) 3. Implement backup procedures for essential Electronic Information Resources under the control of the department. This may require coordination with Proprietor and the Coordinator. (See Disaster Recovery) 4. Maintain systems logs, where feasible and appropriate, to monitor access to restricted and essential, 2A, 3A Electronic Information Resources. (See Logical Security) 5. Back up Electronic Information Resources according to the level of security required and in ALL conformance with University records retention guidelines. (See Logical Security) 6. Install communications access controls to limit unauthorized access to restricted and essential, 2A, 3A Electronic Information Resources. (See Logical Security) 7. Install encryption capability, where feasible, to prevent unauthorized access to restricted data 1A, 2A, 3A during transmission. (See Logical Security) 8. Implement procedures, commensurate with risk, to detect viruses, warn users, and take remedial, 2A, 3A action after a software intrusion. (See Logical Security) 9. Implement campus guidelines for the physical security of Electronic Information Resources. (See ALL Physical Security) 10. Test software used to provide access controls and access control points for connectivity. (See, 2A, 3A Managerial Security) 11. Ensure periodic, independent review of superuser logs. (See Managerial Security), 2A, 3A 8