Table of contents
Purpose
All members of the university community share in the responsibility for protecting information resources to which they have access. The purpose of this document is to establish minimum standards and guidelines to protect against accidental or intentional damage or loss of data, interruption of university business, or the compromise of sensitive information.
Additional authority
The following federal laws and standards help guide the content of this document:
- Family Educational Rights and Privacy Act (FERPA).
- Gramm Leach Bliley Act (GLBA).
- Health Insurance Portability and Accountability Act (HIPAA).
- Payment Card Industry Data Security Standard (PCI-DSS).
- National Institute of Standards and Technology Special Publication 800 Series.
Scope
The IT-2 University of Maryland Data Classification Standard applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers, and all other entities or individuals with access to sensitive information through University of Maryland or its affiliates. This standard also applies to all university information resources, including those used by the university under license or contract.
Definitions
Sensitive information is defined as information that is classified in the top two tiers of IT-2: Data Classification Standard.
Standards
All members of the university community are users of University of Maryland's information resources, even if they have no responsibility for managing the resources.
Users include students, faculty, staff, contractors, consultants, temporary employees, and guests. Users are responsible for protecting the information resources to which they have access. Their responsibilities cover both computerized and non-computerized information and information technology devices (e.g. paper, reports, books, film, microfiche, microfilms, recordings, computers, removable storage media, printers, phones, fax machines, etc.) that they use or possess. Users must follow the information security practices set by the CIO, as well as any additional departmental or other applicable information security practices.
Users are expected to be familiar with and adhere to all university policies and exercise good judgment in the protection of information resources. They must be familiar with this document and other information-related policies, approved practices, standards and guidelines, including but not limited to the university’s standards regarding acceptable use, access and privacy.
Requirements
Physical security
Departments and users must provide physical security for all information technology devices at all times. Physical security must be provided at an appropriate level based on the criticality and sensitivity of data stored and/or processed by the devices. Departments and users must be aware that some data types may require specific physical security controls be in place in order to comply with federal laws and standards.
- Keep devices and equipment in locked areas.
- Keep servers and related equipment in a space protected by at least two factor authentication. Ensure individuals with physical access are approved and reviewed quarterly (e.g. swipe card plus a numbered code that must be entered to unlock the door).
- Review physical access permissions regularly to ensure all faculty and staff with access still have a business need for such access. Reviews must be conducted at least annually for most areas and quarterly for higher security areas such as data centers.
- Do not leave laptops and other portable devices unattended.
- Use CCTV systems to monitor entry points for higher security areas such as data centers.
Access to information
Access to sensitive information must be restricted, electronically and physically, to only persons with a documented business reason for such access. Administrators with the authority to grant access must receive and retain requests to add users. This request must include the business reason for granting the access along with any details regarding expiration of the access if it is meant to be only temporary. Additionally, users must be required to sign a non-disclosure agreement (NDA) before their access to the sensitive information is granted. Administrators must conduct regular reviews of system access (at least annually) to ensure all users are still active employees and still require access to the information.
Access to sensitive information must be protected through the use of Multi-Factor Authentication (MFA). User accounts must require the use of strong passphrases that adhere to the USM IT Security Standards. The university’s Central Authentication System (CAS) is the expected mechanism for achieving these requirements. Alternative authentication systems must be approved by the University Chief Information Security Officer.
Information storage
Sensitive information must be kept in a place that provides a high level of protection against unauthorized access and must not be removed from the university.
- All sensitive information must be stored according to its Data Classification Standard. Whenever information from different levels is commingled, it shall be secured according to the highest level of classification present.
- Box organizational accounts may be used depending on the data types being stored. These accounts allow for additional security to be configured in order to prevent document sharing and further limit who has the ability to view, edit, and download documents. Additional information on Box organizational accounts is available through ServiceNow.
- Other university-approved storage solutions may be available upon request to accommodate data types not allowed within Box organizational accounts.
- Unless no alternative identifiers are available, do not store data using sensitive information as identifiers.
- Effective November 1, 2021, encryption consistent with federal and university standards is required for sensitive information stored electronically on all computers. Devices must be encrypted using full disk encryption where technically feasible.
- Sensitive information stored on any portable device must be encrypted since these devices are vulnerable to theft and loss.
Distribution and transmission of information
Sensitive information that is transmitted electronically, transported physically, or spoken in conversation must be appropriately protected from unauthorized interception. For electronic transmissions, utilize encrypted transmission methods (e.g. HTTPS for web content). Do not transmit sensitive information via email unless using a university-approved secure messaging system. Ensure that sensitive information is only ever distributed to persons or institutions with a documented business reason to receive such information. When sensitive information is shared using a shared storage solution (e.g. Box organizational account or Secure Share), ensure that those users it is shared with cannot in turn share the information with additional users that should not have access.
When sensitive information must be shared with another institution, ensure that it is done so by applying the highest security controls utilized by the two institutions. For example, if the University of Maryland requires stricter security than the institution the information is being shared with then the University of Maryland's security controls must be applied.
Destruction and disposal of information and devices
Sensitive information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Physical documents containing sensitive information must be shredded prior to disposal. Electronic information must be securely deleted from all locations where stored (i.e. hard drive, network, cloud, etc.) when no longer needed or no longer valid. On Mac computers be sure to use the Secure Empty Trash option. On Windows-based computers, users may use the built-in Cipher or SDelete commands, or they may instead utilize appropriate third-party tools.
When hard drives or other devices known to have contained sensitive information reach end-of-life, utilize a secure destruction method to destroy the devices and ensure that information cannot be recovered. The university’s Division of Information Technology offers a free Storage Destruction Service to campus that satisfies this.
Computer security best practices
System administrators and users must follow a set of computer security best practices to help minimize risk of exposure or loss of sensitive information.
- Maintain up-to-date software and firmware. Device operating systems, firmware, and any applications installed on the device must be kept up to date at all times. Utilize automatic update functionality wherever technically feasible. If software or firmware cannot be updated automatically then ensure an automatic alert can be generated when a new update is ready for installation.
- Utilize virus and malicious code protection. Where technically feasible, install and utilize anti-virus/anti-malware protections. These protections, commonly in the form of software, must be kept up to date at all times. Utilize automatic update functionality to do this.
- Do not leave device unlocked when unattended. Users must either log out or enable a screen lock any time they leave devices unattended. Devices must also make use of an automatic screensaver or screen lock, where technically feasible, that is configured to lock the device after a set period of inactivity.
- Log out of applications and networks when finished. Some applications are configured to allow users back in automatically without the need to login up to several minutes after the application has been closed. To prevent this, users must log out of their user accounts before closing all applications used to access sensitive information.
- Configure automatic backups for all sensitive data. Sensitive information must be backed up regularly to help ensure its availability in the event of a system outage or other adverse event. Backup information must be transmitted to its storage location using an appropriate encryption method. These backups must be stored in a location that is physically separate from the system from which it originates to protect against loss from natural disaster, fire, or theft. The backup storage location must also employ proper environmental controls necessary to protect the integrity of the backups (e.g. proper HVAC, humidity, and power protections). Annually, backups must be tested to ensure information is recoverable and that backups are occurring as expected.
- Do not retain sensitive data beyond what is needed. Sensitive data must be deleted/destroyed when no longer needed, no longer valid, or at the end of its retention period.
Incident handling and reporting
Users must report suspected compromises of information resources, including contamination by computer viruses and phishing attempts, to their manager and the IT Security Operations Center (soc@umd.edu, 301-226-HACK) who in turn will proceed in accordance with the Incident Response Procedure. Incidents must be reported on the same business day users become aware of the compromise.
Additional information regarding reporting a security incident is provided by the Handle and Report IT Security Incidents article.
Security awareness
DIT shall provide appropriate security awareness training to all faculty and staff members with access to sensitive information. This training must be provided at the start of employment with the university as well as regularly (at least annually) as a refresher. Training must cover current and common threats as well as appropriate user behaviors. The university provides many free video resources through the LinkedIn Learning.
Accessing sensitive information while traveling
Apply the following practices, in addition to all others listed in this document, when accessing sensitive information while traveling:
- Do not store sensitive information on devices when traveling. Make sure all such information is securely removed from devices before traveling. Sensitive information may be stored within a secure storage solution that is remotely accessible (e.g. Box organizational account).
- When traveling abroad: Be aware of any applicable export control or other federal regulations that govern the access and storage of sensitive information types from users outside the United States. The university’s Export Compliance Office can offer additional assistance.
- Sensitive information must only be accessed from a trusted computer (e.g. a university-issued laptop) when traveling.
- Users should always connect to the University's GlobalProtect Virtual Private Network (VPN) to ensure a secure connection is established.
- When connecting to sensitive information, avoid using public Wi-Fi to do so. Utilize a secure means for sending and receiving information such as encrypted web sites or virtual private networks.
- Additional information is available through the Devices & Data Security.
Enforcement
Violations of this standard will be handled consistent with university disciplinary procedures applicable to the relevant individuals or departments. Failure to comply with this standard may also result in the suspension of access to network resources until standards have been met. Should University of Maryland incur monetary fines or other incidental expenses from security breaches, the university may recoup these costs from the non-compliant department, school, or auxiliary organization.
Version information
Version: 3.0
Date: 05 November 2020