Overview
Category A data includes data that is legally regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the Children’s Online Privacy Protection Act (COPPA). Category A data is also subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG).
The National Institute for Standards and Technology (NIST) Cybersecurity Framework maps to supporting controls identified in the HIPAA Security Rule 45 CFR Part 160 and Subparts A and C of Part 164. Additional guidance for Data Stewards and Asset Administrators for secure configuration of systems is supported by the Center for Internet Security (CIS) benchmarks.
Asset Inventory:
- Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, mobile device management (MDM) tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets at least twice a year, or more frequently.
- Develop and document an inventory of components that are employed in high or medium-risk systems. Review and update the inventory annually.
System Interconnections:
- Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Use Interconnection Security Agreements (ISAs) to authorize dedicated connections from an internal system to external systems.
- Document the interface characteristics, security requirements, and the nature of the information communicated for each interconnection. Include ISAs with annual risk assessments.
Business Environment:
- Maintain alternate telecommunications, Internet, and electrical power services to avoid sharing a single point of failure.
- Provide redundant power equipment and power cabling paths for data center infrastructure and protect it from damage and destruction.
Contingency Plan:
- Establish resilient requirements to support delivery of critical services.
Account Management:
- Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
- Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Access shall be limited to authorized University officials or agents with a legitimate academic or business interest and a need to know as outlined in University HIPAA Policies.
- Before granting access to external third parties, contractual agreements which outline responsibilities for security of the data shall be approved by the Office of Legal Counsel.
- Per the Identity and Access Management Policy, all access shall be approved by an appropriate Data Owner or Steward and tracked in a manner sufficient to be auditable.
- Access to Category A data must require multi-factor authentication, in accordance with the Identity and Access Management Policy.
- Staff, faculty, or student accounts must authenticate to Category A data using an approved authentication method, in accordance with the Identity and Access Management Policy.
- Data Owners and Stewards must review access to Category A data in accordance with the Identity and Access Management Policy.
- All interfaces used for sharing Category A data must be registered in the IT Asset Inventory, in accordance with the IT Asset Management Policy.
Access Control for Mobile Devices:
- Enforce automatic lockout after a predetermined number of local failed authentication attempts on portable end-user devices, where supported; for laptops and smartphones, allow no more than 10 failed authentication attempts. Example implementations include Microsoft® Intune device lock settings and the Apple® configuration profile passcode policy key maxFailedAttempts.
- Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as for lost or stolen devices, or when an individual's affiliation with the enterprise ends.
- Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
- Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.
Least Privilege:
- Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Separation of Duties:
- Implement separation of the development, test and operational environments either logically or physically:
- Run development and operational software, where possible, on different computer processors, or in different domains and directories;
- Separate development and testing activities;
- Restrict access to compilers, editors, and other system utilities from operational systems when not required; and
- Use different logon procedures for operational, test, and development systems, to reduce risk of error. Users should use different passwords for these systems.
- Use the account or access privilege most appropriate for the requirements of the work being performed (e.g., user account vs. administrator account).
- Maintain a list(s) of personnel who have administrator or special access accounts for systems or data. Review the list at least annually.
Boundary Protection:
- Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Identifier Management:
- Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator, and service accounts, and must at a minimum record the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
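The quarterly validation above is mechanical enough to script. The following is an added example, not OU tooling or code from the standard: it reconciles a constructed account inventory (name, username, type, department, start/stop dates) against a constructed directory export and reports the discrepancies a reviewer would need to act on, plus the list of administrator accounts that the Separation of Duties section asks to be reviewed at least annually. The record layout, the directory export format and every sample account are assumptions made for illustration.

```python
"""Account inventory validation (added example; formats and data are constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class InventoryRecord:
    """One row of the account inventory, assumed layout."""
    username: str
    name: str            # responsible person; empty string = nobody recorded
    account_type: str    # "user", "administrator" or "service"
    department: str
    start: date
    stop: Optional[date]  # None = open-ended


# Constructed inventory: what the records say should exist.
INVENTORY: List[InventoryRecord] = [
    InventoryRecord("jdoe", "Jane Doe", "user", "Clinic", date(2022, 1, 10), None),
    InventoryRecord("jdoe-adm", "Jane Doe", "administrator", "IT", date(2022, 1, 10), None),
    InventoryRecord("rlee", "Rob Lee", "user", "Billing", date(2021, 6, 1), date(2024, 3, 31)),
    InventoryRecord("svc-backup", "", "service", "IT", date(2020, 2, 1), None),
]

# Constructed directory export: username -> account enabled?
DIRECTORY: Dict[str, bool] = {
    "jdoe": True,
    "jdoe-adm": True,
    "rlee": True,            # still enabled although the inventory says stop 2024-03-31
    "svc-backup": True,
    "tmp-contractor": True,  # enabled in the directory, absent from the inventory
}


def validate_accounts(inventory: List[InventoryRecord],
                      directory: Dict[str, bool],
                      today: date) -> List[Tuple[str, str]]:
    """Return (finding, username) pairs for every discrepancy found.

    Findings:
      active-past-stop-date      enabled although the recorded stop date has passed
      service-account-without-owner  service account with no responsible person
      inventoried-but-disabled   open-ended record whose account is disabled/missing
      enabled-but-not-inventoried   enabled account that the inventory does not know
    """
    findings: List[Tuple[str, str]] = []
    known = {rec.username for rec in inventory}

    for rec in inventory:
        enabled = directory.get(rec.username, False)
        if rec.stop is not None and rec.stop < today and enabled:
            findings.append(("active-past-stop-date", rec.username))
        if rec.account_type == "service" and not rec.name:
            findings.append(("service-account-without-owner", rec.username))
        if rec.stop is None and not enabled:
            findings.append(("inventoried-but-disabled", rec.username))

    for username, enabled in directory.items():
        if enabled and username not in known:
            findings.append(("enabled-but-not-inventoried", username))

    return findings


def privileged_accounts(inventory: List[InventoryRecord]) -> List[str]:
    """Usernames of administrator accounts, for the annual privileged-access review."""
    return sorted(rec.username for rec in inventory if rec.account_type == "administrator")


if __name__ == "__main__":
    for finding, username in validate_accounts(INVENTORY, DIRECTORY, date(2024, 7, 1)):
        print(f"{finding:32} {username}")
    print("administrator accounts:", ", ".join(privileged_accounts(INVENTORY)))
```

Run against the constructed data on 2024-07-01 it reports rlee as active past the stop date, svc-backup as a service account with no responsible person, and tmp-contractor as enabled but never inventoried; each of those is a finding the Data Owner or Steward must either resolve or explicitly authorize before the quarterly review is closed.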
Identification and Authentication:
- Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
- Require MFA for remote network access. Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.
Protection of Information at Rest:
- Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
Transmission Confidentiality and Integrity:
- Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
Media Protection:
- Securely dispose of data as outlined in documented data management processes. Ensure the disposal process and method are commensurate with the data sensitivity.
- Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Protect removable media and restrict its use based on risk management decisions.
- Encrypt data on removable media.
Audit and Accountability:
- Log sensitive data access, including modification and disposal.
- Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example integrations include leveraging a SIEM tool to centralize multiple log sources.
- Retain audit logs across enterprise assets for a minimum of 90 days.
- Monitor and review audit logs as risk management decisions warrant. Maintain a sufficient history of logs to permit an audit of the system by logging and tracing activities of individuals through the system. Enable alarm and alert functions where available.
- Provide log records upon request.
- Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
- Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
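The review step above is where the "log sensitive data access, including modification and disposal" requirement pays off. The following is an added example, not OU tooling or code from the standard: it runs a small set of review rules over constructed access-log lines for a Category A dataset and reports the events a weekly reviewer should look at. The log line format, the dataset name, the authorized-user list, the business-hours window and the bulk-read threshold are all assumptions made for illustration; a real review would read the centralized logs from the SIEM and take the authorized-user list from the Data Steward's access records.

```python
"""Audit log review for Category A data access (added example; log format and data are constructed)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed line layout: "<UTC timestamp> user=<u> action=<read|modify|delete> dataset=<d> record=<r>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) record=(?P<record>\S+)$"
)

# Constructed sample log. rlee has no need-to-know for clinic-ehr; jdoe reads a record
# late at night and later deletes one; svc-backup reads six records within seconds.
SAMPLE_LOG = """\
2024-07-01T09:02:11Z user=jdoe action=read dataset=clinic-ehr record=MRN-1001
2024-07-01T09:05:40Z user=jdoe action=modify dataset=clinic-ehr record=MRN-1001
2024-07-01T14:10:03Z user=rlee action=read dataset=clinic-ehr record=MRN-2002
2024-07-01T23:41:09Z user=jdoe action=read dataset=clinic-ehr record=MRN-3003
2024-07-02T10:00:01Z user=svc-backup action=read dataset=clinic-ehr record=MRN-1001
2024-07-02T10:00:02Z user=svc-backup action=read dataset=clinic-ehr record=MRN-1002
2024-07-02T10:00:03Z user=svc-backup action=read dataset=clinic-ehr record=MRN-1003
2024-07-02T10:00:04Z user=svc-backup action=read dataset=clinic-ehr record=MRN-1004
2024-07-02T10:00:05Z user=svc-backup action=read dataset=clinic-ehr record=MRN-1005
2024-07-02T10:00:06Z user=svc-backup action=read dataset=clinic-ehr record=MRN-1006
2024-07-02T16:30:00Z user=jdoe action=delete dataset=clinic-ehr record=MRN-4004
"""

# Constructed need-to-know list: dataset -> users approved by the Data Steward.
AUTHORIZED: Dict[str, Set[str]] = {"clinic-ehr": {"jdoe", "svc-backup"}}

Finding = Tuple[str, str, str]  # (rule, user, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; None if it does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")  # naive, treated as UTC
    return ev


def review_log(text: str, authorized: Dict[str, Set[str]],
               business_hours: Tuple[int, int] = (7, 19),
               bulk_threshold: int = 5) -> List[Finding]:
    """Apply the review rules and return findings in log order (bulk-read last)."""
    findings: List[Finding] = []
    # (user, 10-minute window start) -> distinct records read in that window
    reads: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)

    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append(("malformed-line", "-", line))  # a gap in the audit trail is itself a finding
            continue
        ts, user, action, dataset, record = ev["ts"], ev["user"], ev["action"], ev["dataset"], ev["record"]

        if user not in authorized.get(dataset, set()):
            findings.append(("unauthorized-access", user, record))
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(("after-hours-access", user, record))
        if action == "delete":
            findings.append(("disposal", user, record))  # every disposal gets reviewed
        if action == "read":
            window = ts.replace(minute=ts.minute - ts.minute % 10, second=0)
            reads[(user, window)].add(record)

    for (user, window), records in sorted(reads.items()):
        if len(records) >= bulk_threshold:
            detail = f"{len(records)} distinct records in 10-minute window starting {window.isoformat()}"
            findings.append(("bulk-read", user, detail))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG, AUTHORIZED):
        print(f"{rule:20} {user:12} {detail}")
```

On the constructed log this yields four findings: rlee's read (no need-to-know), jdoe's 23:41 read (after hours), svc-backup's six reads inside one window (bulk read, which is exactly what an exfiltration through a service account looks like), and jdoe's deletion (disposal, to be matched against the documented data management process). The bulk rule uses fixed 10-minute buckets rather than a sliding window, so a burst that straddles a bucket boundary can be undercounted; lowering the threshold or adding a sliding check is the usual fix.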
Configuration Management:
- Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Develop and implement a consistent process to be used for system changes that includes change documentation, security impact analysis, and review and approval.
- Maintain records of configuration changes to the system to be available for review, if needed.
- Test, validate, and document configuration changes before installing them on production systems, wherever a test environment is available.
System Development Life Cycle:
- Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Design, develop, configure, and operate systems within a security framework to ensure the confidentiality, integrity, and availability through the system life cycle.
- Define and document information security roles and responsibilities.
- Apply security controls based on the classification of data that is stored or processed by the software or system.
- Integrate risk management into the life cycle from conception to development to operation and then finally to disposition.
- Ensure that lifecycle activities are documented and maintained.
- Include information security risk assessment in all phases of the system development life cycle or acquisition process, so that security requirements are identified early and verifiably met.
- Leverage vetted modules or services for application security components, such as identity management, encryption, and audit and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors.
- Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to the applications.
- Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
- Operating systems also provide mechanisms to create and maintain secure audit logs.
Information System Backup:
- Perform automated backups of in-scope assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
- Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
Physical and Environmental Protection:
- Deploy and maintain appropriate emergency lighting that covers emergency exits and evacuation routes, activates automatically in the event of a power outage or disruption, and provides notification to appropriate staff.
- Deploy and maintain master shutoff valves to protect the systems from water damage and ensure the valves are easily accessible, functioning properly, and known to key personnel.
- Monitor temperature and humidity within data centers and maintain temperature and humidity at acceptable levels.
- Support fire suppression and detection devices/systems with an independent energy source.
IT Disaster Recovery:
- Develop an IT Disaster Recovery Plan that contains: a Business Impact Analysis and Recovery Procedures for major events.
- Review the plan every two (2) years.
- Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review documentation annually, or when significant changes occur that could impact this Safeguard.
- Periodically test backup and/or recovery media to ensure the validity of the recovery media and process.
Flaw Remediation:
- Test software and firmware updates related to security flaw remediation for effectiveness and potential side effects before installation.
- Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Maintenance:
- Establish a process to authorize personnel who can conduct maintenance activities.
- Ensure that non-escorted personnel performing maintenance have required access authorizations and designate authorized personnel to supervise the maintenance activities of personnel who do not have authorization.
- Schedule, perform, document, and review records of maintenance, repairs, or software patching.
- Approve and monitor all maintenance activities, whether performed on site or remotely.
- Explicitly approve the removal of systems or system components (e.g., hard drives) from OU facilities for off-site maintenance or repairs.
- Sanitize equipment to remove all regulated data from associated media prior to removal from OU facilities for off-site maintenance or repairs.
- Check all potentially impacted security controls to verify that the controls are still functioning properly after maintenance or repair actions.
- Review, approve, and monitor nonlocal maintenance and diagnostic activities.
- Allow the use of nonlocal maintenance and diagnostic tools in accordance with OU policy.
- Maintain records for nonlocal maintenance and diagnostic activities.
- Terminate session and network connections when nonlocal maintenance is completed.
- Employ strong authentication for nonlocal maintenance and diagnostic sessions.
Least Functionality:
- Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Implementing this Safeguard is not documentation alone; it also includes the policy and design components.
- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
Remote Access:
- Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
Wireless Access:
- Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Incident Handling:
- Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.
- Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.
User-Installed Software:
- Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
- Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
- Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Malicious Code Protection:
- Deploy and maintain anti-malware software on all enterprise assets.
- Configure anti-malware software to automatically scan removable media.
Mobile Code:
- Detect unauthorized mobile code (e.g., Java, JavaScript, ActiveX, PostScript, etc.).
- Monitor and manage mobile code.
Vulnerability Scanning:
- Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Delivery and Removal:
- Document, authorize, monitor, and control system components delivered to or removed from facilities.
Boundary Protection:
- Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
Governance:
- Mission/Business Process Definition: Identify potential business impacts with consideration for security and resulting risk.
Open Records Request
- Category A data is typically not subject to open records disclosure. However, some open records requests can be fulfilled by redacting the sensitive portions of records.
- Data can be readily provided upon request with approval from the OU Open Records Office.
Email and other Messaging
- Messages shall only be sent to authorized individuals with a legitimate need to know.
- Messages shall be transmitted in an encrypted format, which is requested by placing [SECURE] or [ENCRYPT] in the subject line so that the message is encrypted before it leaves the University mail system.
Copying and Printing
- Data should only be printed when there is a legitimate need.
- Paper copies of data must be limited to individuals authorized to access the data.
- Paper copies should be labeled 'Confidential'.
- Paper copies should not be left unattended where others may see them.
- Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.
Retention and Disposal
- Data shall be retained in accordance with the State of Oklahoma General Records Disposition Schedule for State Universities and Colleges Section 8: Medical Clinic.
- Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique. Note that multi-pass overwriting is only dependable on magnetic media; for solid-state and flash storage, self-encrypting drives, and cloud-hosted storage, overwriting cannot reach every copy of the data, and the media's built-in sanitize command or cryptographic erase, as described in NIST SP 800-88 (Guidelines for Media Sanitization), is the appropriate technique.
- Printed materials shall be destroyed in accordance with University HIPAA Policies.
Revision, Review, and Approval History
- October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
- January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
- January 2024: Office of Compliance: Standard reviewed, comments submitted
- February 2024: OU IT Governance, Risk, and Compliance: Added University HIPAA Policies to the Data Collection and Use section. Included the term "accessible" to Electronic Display. Added "accessing" to Exchanging with Third Parties. Added "in transit" to Storing or Processing: Service Environment. Revised Storing or Processing: Endpoint Environment. Revised Disposal.
- March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements. Added Exchanging with Third Parties statements. These statements align with the Identity and Access Management Policy.
- March 2024: OU IT Governance, Risk, and Compliance: Added Storing or Processing: Server Environment statements from the OUHSC Information System Storage and Data Sharing Policy. Added Storing or Processing: Endpoint Environment statements from the OUHSC Information System Storage and Data Sharing Policy.
- July 2024: Revised Data Protection Standard to align with NIST Cybersecurity Framework, Center for Internet Security Critical Controls, and the HIPAA Security Rule.