Data Protection Standard
Introduction
Scope
Stewardship
Protection Levels
Security Perimeters
Security Zones
Data Labeling
Data Exposure
Cryptography
Exceptions
1.0 Introduction
1.1 Purpose
This document will establish a framework for the protection of MnSCU data assets. A Data Protection standard is the foundation upon which other core Information Security standards are constructed. This standard DOES NOT classify data. This standard establishes requirements for the protection of data consistent with relevant external data classification schemes.
1.2 Background
Various regulatory and legislative mandates classify data and define access requirements. MnSCU data may be subject to multiple mandates. New mandates may supersede current classification schemes. To meet the requirements of both existing and future mandates, extensible data protection levels must be defined and implemented. Defined protection levels allow data stewards to select appropriate protection levels commensurate with the access requirements of the data classification scheme.
2.0 Scope
2.1 Users
This standard shall apply to all users of MnSCU data.
2.2 Systems
This standard shall apply to all systems that process, handle, or transmit MnSCU data in any form.
3.0 Stewardship
Data stewardship is based on functional roles. An individual's position in the organization may require them to fulfill multiple stewardship roles.
3.1 Data Owners
A Data Owner is the role of an individual who, in the course of carrying out MnSCU official business, causes various data to be collected, stored and reported.
3.1.1 Responsibilities
- Ensures the accuracy of data owned by them.
3.2 Data Custodian
A Data Custodian is the role of an individual responsible for the management of data resources within a particular application. Data Custodians are in physical or logical possession of MnSCU data.
3.2.1 Responsibilities
- Interprets data access requirements as they relate to the applications for which they have responsibility.
- Advises Data Owners and others on access issues as they relate to their applications.
- Establishes appropriate mechanisms for access to information stored within the systems for which they are responsible.
- Monitors access based on MnSCU policies and standards.
3.3 Authorized User
An Authorized User is the role of an employee, consultant, volunteer or other individual who needs access to MnSCU data to perform an activity on behalf of MnSCU. The individual may have access to any class of information, according to role.
3.3.1 Responsibilities
- Understands and adheres to applicable MnSCU Information Security standards and Acceptable Use policies.
- Validates access needs with the Information Security Manager, including access changes as new roles are performed.
- Reports security violations to the Information Security Manager or designee.
3.4 Role changes
- Role changes shall require account deletion and/or password changes
4.0 Protection Levels
Protection levels are based upon defense in depth. Layered security allows tighter access controls commensurate with external data classification requirements. The three protection levels are as follows:
4.1 UNRESTRICTED
- UNRESTRICTED data is accessible to anyone for any reason.
4.2 RESTRICTED
- RESTRICTED data is not accessible to the general public.
- RESTRICTED data is accessible to data subjects.
- RESTRICTED data is accessible to owners and authorized users.
4.3 PROTECTED
- PROTECTED data is not accessible to the general public
- PROTECTED data is accessible to owners and authorized users.
5.0 Security Perimeters
Custodial responsibilities require that MnSCU have physical and logical control over the infrastructure in which information assets reside. This physical and logical control shall be established by the creation and definition of a Security Perimeter. A Security Perimeter defines physical and logical demarcation points. Documentation of a Security Perimeter unambiguously sets the boundaries within which risk is managed.
- The area within the Security Perimeter shall be considered controlled and secure. This defines the span of control.
- The area external to the Security Perimeter shall be considered less secure and subject to increased risk management.
5.1 High Security Perimeter
High Security Perimeters shall be defined by the following features:
- Continuous physical edge barriers such as walls or fences
- Physical portals controlled by a minimum of single factor authentication
- Logical portals controlled by access control mechanisms.
5.2 Low Security Perimeter
Low Security Perimeters shall be defined by the following features:
- A physically definable demarcation point
- A logically definable demarcation point
In order to understand the boundaries and limitations of control, Information Security Managers shall define and document individual facility high and low security perimeter(s). These security perimeters shall also be used in Security Risk Assessments and Incident Response plans.
An example physical security perimeter description:
- Walls, floor and ceiling of 123 Main St, room 254
An example logical security perimeter description:
6.0 Security Zones
Data Access shall be protected by creation of Security Zones. A Security Zone is defined as the physical and logical boundary surrounding information assets that in any manner create, handle, store, or transmit information of a classification level defined as being within the zone. Security Zones allow understanding and identification of data protection requirements based upon data types resident within the zone. This ensures that information assets can be protected consistent with data protection level requirements.
6.1 General
- All MnSCU data shall be identified as being within a Security Zone based upon zone definitions.
- If data processing equipment is a member of multiple Security Zones, such as a server hosting both unrestricted and restricted data, the identification and requirements of the most restrictive Security Zone shall apply.
- Network devices shall be considered members of a RESTRICTED or PROTECTED zone by default due to the unpredictability of data to which they may be exposed.
- Passwords shall not be synchronized between zones.
- All logical paths to RESTRICTED and PROTECTED zones shall be protected by a network access control device approved by the Information Security Manager or designee.
- All Security Zones shall be reviewed and approved by the Information Security Manager on an annual basis.
6.2 UNRESTRICTED zone
The UNRESTRICTED zone shall include infrastructure elements that process or store UNRESTRICTED data.
6.2.1 Access
- Logical read-only access to data in an UNRESTRICTED zone shall be unrestricted.
- Logical write or delete access to data in an UNRESTRICTED zone shall be restricted to Data Owners or their authorized agents.
- Administrative access to an UNRESTRICTED zone shall be limited to roles approved by the Information Security Manager or designee.
- Physical access to UNRESTRICTED zone assets shall be limited to roles approved by the Information Security Manager or designee.
- Administrative access to an UNRESTRICTED zone shall be controlled by a minimum of single factor authentication.
- Physical access controls to UNRESTRICTED zone assets shall be established by the Information Security Manager or designee.
- All administrative logical access to an UNRESTRICTED zone asset shall be logged.
6.2.2 Storage
- There are no storage restrictions
6.2.3 Transmission
There are no transmission restrictions
6.3 RESTRICTED zone
The RESTRICTED zone shall include infrastructure elements that process or store RESTRICTED data.
6.3.1 Access
- Logical read-only access to data in a RESTRICTED zone shall be limited to data subjects and Authorized Users.
- Logical read, write or delete access to data in a RESTRICTED zone shall be limited to Data Owners or their authorized agents.
- Administrative access to a RESTRICTED zone shall be limited to roles approved by the Information Security Manager or designee.
- Physical access to RESTRICTED zone assets shall be limited to roles approved by the Information Security Manager or designee.
- Administrative access to a RESTRICTED zone shall be controlled by a minimum of single factor authentication.
- Physical access to RESTRICTED zone assets shall be controlled by a minimum of single factor authentication.
- All administrative and physical access to a RESTRICTED zone shall be logged.
6.3.2 Storage
- RESTRICTED data stored within a High Security Perimeter shall have no storage restrictions
- RESTRICTED data stored external to a High Security Perimeter shall be encrypted.
6.3.3 Transmission
- RESTRICTED data transmitted within a High Security Perimeter shall have no transmission restrictions
- RESTRICTED data transmitted external to a High Security Perimeter shall be encrypted.
6.4 PROTECTED zone
The PROTECTED zone shall include infrastructure elements that process or store PROTECTED data
6.4.1 Access
- Logical read-only access to data in a PROTECTED zone shall be limited to Authorized Users.
- Logical read, write or delete access to data in a PROTECTED zone shall be limited to Data Owners or their authorized agents.
- Administrative access to a PROTECTED zone shall be limited to roles approved by the Information Security Manager or designee.
- Physical access to PROTECTED zone assets shall be limited to roles approved by the Information Security Manager or designee.
- Administrative access to a PROTECTED zone shall be controlled by a minimum of single factor authentication.
- Physical access to PROTECTED zone assets shall be controlled by a minimum of single factor authentication.
- All administrative and physical access to a PROTECTED zone shall be logged.
6.4.2 Storage
- PROTECTED data stored within a High Security Perimeter shall have no storage restrictions
- PROTECTED data stored external to a High Security Perimeter shall be encrypted.
6.4.3 Transmission
- PROTECTED data transmitted within a High Security Perimeter shall have no transmission restrictions
- PROTECTED data transmitted external to a High Security Perimeter shall be encrypted.
6.5 Zone example
Server MNSCU1 which hosts:
| WWW data | UNRESTRICTED |
| Student data | RESTRICTED |
| Resultant Zone: | RESTRICTED (most restrictive) |
| Protection requirements: | |
| Physical: | High Security Physical Perimeter; role-based physical access with logging |
| Logical: | High Security Logical Perimeter |
7.0 Data Labeling
Labeling is for the primary purpose of communicating to those who encounter such data that it may have special handling requirements OR may have fallen outside protection efforts. Labels shall be simple and straightforward, imply obvious protection or be sufficient to prompt handlers or users to inquire as to the protection expectations.
7.1 Marking
All RESTRICTED and PROTECTED data shall be marked to unambiguously and clearly identify protection level.
7.1.1 Interactive User presentation screens
- User interactive forms or fields shall be marked to identify the data protection level.
7.1.2 Electronic Transmissions
7.1.2.1 E-Mail
- Protection levels shall be included within email subject lines.
7.1.2.2 FAX
- FAX transmissions shall include a cover sheet advising recipients as to protection level.
7.1.3 Hard copies
- Hard copies shall be marked to identify the data protection level on cover sheets, headers or footers.
- If the marking cannot be placed on the material itself, the container in which the information is kept shall be appropriately labeled.
7.1.4 Other Media
- Adhesive labels containing the protection level nomenclature shall be available and conspicuously affixed.
- If adhesive labels are not appropriate, marking with indelible markers or other substitutes shall be deemed appropriate.
8.0 Data Exposure
Data must be protected from unauthorized disclosure. Security measures must be employed regardless of the media on which information is stored, the systems that process it, the methods by which it is moved, or its life cycle.
8.1 Magnetic Media
- Magnetic storage media shall be completely overwritten before release for reuse.
- Magnetic storage media shall be completely overwritten or physically destroyed before release for disposal.
- Magnetic storage media sent out for repair shall only be released to vendors with which a current non-disclosure agreement is in force.
8.2 Non magnetic media
- All non-magnetic storage media containing RESTRICTED and PROTECTED data shall be either shredded before removal from within a High Security Perimeter, or securely transported and burned.
8.2.1 Media storage
- High Security Perimeters shall include a security container for temporary storage of information media waiting destruction and/or disposal.
8.3 Non-volatile RAM
- Devices containing non-volatile RAM shall be cleared before transfer or disposal.
8.4 Verbal communication
Verbal transmission of RESTRICTED or PROTECTED information may be subject to interception when transmitted via wireless telephones. RESTRICTED or PROTECTED information may be subject to eavesdropping in unsecured environments, such as open offices or live teleconferencing facilities. Individuals may pose as authorized users in order to fraudulently obtain RESTRICTED or PROTECTED information.
- Individuals verbally exchanging RESTRICTED or PROTECTED information shall take reasonable precautions to ensure the continued confidentiality of the information being exchanged.
8.5 Data reproduction
- Data reproduction shall be subject to intellectual property statutes, board and state policies, and any other binding and relevant statutes.
- RESTRICTED and PROTECTED data reproductions shall not be left unattended at reproduction devices.
- All reproduction devices such as printers, copiers, and FAX machines shall clear internal caches upon completion of reproduction jobs.
9.0 Cryptography
Cryptographic solutions may be used to preserve the confidentiality and validate the integrity of data. Cryptography may also serve as a method of non-repudiation.
9.1 General
- Cryptographic solutions shall be based on open (published and publicly reviewed) cryptographic algorithms, not proprietary or secret ones.
- Cryptographic products shall comply with all current export regulations.
9.2 Key Management
9.2.1 Generation
- Static keys shall not be embedded into devices or applications.
- Session keys shall be randomly generated.
9.2.2 Length
- Asymmetric keys shall be a minimum of 2048 bits. This minimum is sized for RSA and finite-field Diffie-Hellman moduli; elliptic-curve keys of 256 bits provide comparable strength.
- Symmetric keys shall be a minimum of 128 bits.
9.2.3 Lifetime
- Session keys shall not extend beyond the session lifetime.
- Private keys shall expire annually.
9.2.4 Exchange
- Symmetric keys shall be exchanged:
  - Manually
  - Via a standards-based key exchange protocol
9.2.5 Distribution
- Asymmetric public keys shall be distributed by MnSCU Directory Services.
- Asymmetric private keys and Symmetric keys shall be distributed by:
  - secure email
  - telephone after identity verification
  - courier in double sealed envelope
9.2.6 Recovery
- All encryption solutions shall allow for key escrow. Escrow exists so that stored data can be recovered if a key is lost; note that escrowing a private key used for non-repudiation (9.4) defeats that purpose, because a signature can then no longer be attributed solely to the key's owner.
9.2.7 Storage
- Keys stored locally shall be encrypted and password protected
- Keys stored in escrow shall be in a locked container with access limited to the Information Security Director, Manager, or designee.
9.3 Data Integrity
- Message digests shall be utilized to verify message integrity. An unkeyed digest alone detects only accidental corruption, since anyone who can alter a message can recompute its digest; to detect deliberate modification the digest must be keyed (an HMAC) or signed with a private key (9.4).
9.4 Non-repudiation
- Digital signatures created with the signer's asymmetric private key shall be used for non-repudiation; the corresponding public key, distributed per 9.2.5, is used to verify them.
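The following is an added example, not code from the standard or from MnSCU, showing the controls of 9.2.1 (random session keys), 9.2.2 (minimum key lengths), 9.3 (digests for integrity) and 9.4 (private-key signatures for non-repudiation) as working checks, together with the encryption required for data leaving a High Security Perimeter (6.3.3, 6.4.3). The standard names no algorithms; the example assumes RSA-PSS with SHA-256 for signing and AES-GCM for encryption, and all function names and the sample record are its own. It uses only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// 9.2.2 minimums. The standard names no algorithm; this example assumes RSA
// for the asymmetric case and AES-GCM for the symmetric case.
const (
	minAsymmetricBits = 2048
	minSymmetricBits  = 128
)

// NewSigningKey generates an RSA private key at the 9.2.2 minimum length.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, minAsymmetricBits)
}

// CheckAsymmetricKey rejects an RSA public key shorter than the 9.2.2 minimum.
func CheckAsymmetricKey(pub *rsa.PublicKey) error {
	if bits := pub.N.BitLen(); bits < minAsymmetricBits {
		return fmt.Errorf("asymmetric key is %d bits, minimum is %d", bits, minAsymmetricBits)
	}
	return nil
}

// NewSessionKey draws a key from the OS CSPRNG (9.2.1); it is never persisted (9.2.3).
func NewSessionKey(bits int) ([]byte, error) {
	if bits < minSymmetricBits || bits%8 != 0 {
		return nil, fmt.Errorf("symmetric key of %d bits is below the %d-bit minimum", bits, minSymmetricBits)
	}
	key := make([]byte, bits/8)
	_, err := rand.Read(key)
	return key, err
}

// Digest is the 9.3 message digest. Alone it only catches accidental change,
// since anyone who can alter the message can recompute it; Sign binds it to a key.
func Digest(msg []byte) []byte {
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Sign produces an RSA-PSS signature over Digest(msg) with the private key (9.4).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, Digest(msg), nil)
}

// Verify is true only if sig was made over exactly msg by the matching private key.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, Digest(msg), sig, nil) == nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data leaving a High Security Perimeter (6.3.3, 6.4.3) under a
// session key; output is nonce || ciphertext || authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed if the ciphertext or tag was altered.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed data too short")
}

func main() {
	priv, _ := NewSigningKey()
	msg := []byte("RESTRICTED: constructed sample record") // constructed input
	sig, _ := Sign(priv, msg)
	fmt.Println("signature verifies:", Verify(&priv.PublicKey, msg, sig))
	key, _ := NewSessionKey(minSymmetricBits)
	sealed, _ := Seal(key, msg)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err := Open(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Two design points follow directly from the standard's text. The digest is never checked on its own: Verify recomputes it and checks the signature, so a message altered in transit fails even though the attacker could have recomputed a plain SHA-256. And the encryption mode is authenticated, so data that crossed the perimeter boundary and was modified is rejected rather than decrypted to garbage.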
10.0 Exceptions
In rare instances there may be a need to override any rules contained within this standard.
10.1 Authorizations
- The Information Security Manager or designee shall authorize exceptions.