Purpose
Category D1 research data includes data which the University is obligated to protect in accordance with the Department of Defense Cybersecurity Maturity Model Certification and National Institute of Standards and Technology (NIST) Special Publication 800-171. Category D1 data is also subject to State of Oklahoma Policy, Standards, Procedures, and Guidelines (PSPG).
The National Institute for Standards and Technology (NIST) Cybersecurity Framework maps to supporting controls identified in the NIST Special Publication 800-171. Additional guidance for Data Stewards and Asset Administrators for secure configuration of systems is supported by the Center for Internet Security (CIS) benchmarks.
Asset Inventory:
- Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
System Interconnections:
- Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Use Interconnection System Agreements to authorize dedicated connections from an internal system to external systems.
- Document the interface characteristics, security requirements, and the nature of the information communicated for each interconnection. Include ISAs with annual risk assessments.
Risk Assessment:
- Respond to finding from security and privacy assessments, monitoring, and audits in accordance with university accepted risk tolerance.
- Receive IT security alerts and advisories from internal and external sources.
- Identify and evaluate alerts for reporting security threats that may impact the university.
Account Management:
- Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
- Centralize account management through a directory or identity services.
- Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
- Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
- Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Access Control for Mobile Devices:
- Enforce automatic lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
- Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Least Privilege:
- Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Separation of Duties:
- Implement separation of the development, test and operational environments either logically or physically:
- Run development and operational software, where possible, on different computer processors, or in different domains and directories;
- Separate development and testing activities;
- Restrict access to compilers, editors, and other system utilities from operational systems when not required; and
- Use different logon procedures for operational, test, and development systems, to reduce risk of error. Users should use different passwords for these systems.
- Use the account or access privilege most appropriate for the requirements of the work being performed (e.g., user account vs. administrator account).
- Maintain a list(s) of personnel who have administrator or special access accounts for systems or data. Review the list at least annually.
Boundary Protection:
- Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
- Ensure that connections to external networks or systems occur only through managed interfaces consisting of boundary protection devices arranged in accordance with an approved security architecture.
Identifier Management:
- Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
- Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator accounts, and service accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Identification and Authentication:
- Uniquely identify and authenticate all users. Implement multi-factor authentication based on risk management decisions for access to privileged or non-privileged accounts.
- Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using multi-factor authentication (MFA) and a 14-character password for accounts not using MFA.
- Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
- Require MFA for remote network access. Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.
Protection of Information at Rest:
- Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
Transmission Confidentiality and Integrity:
- Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
Cryptographic Key Management:
- Manage cryptographic keys using automated mechanisms with supporting procedures where feasible. When automated mechanisms are not feasible, manual key management may be used along with sufficient supporting procedures and documentation. Secure public and private keys. Maintain availability of information in the event of the loss of cryptographic keys by users. Recovery of encryption keys should be part of business continuity planning with the exception of data used by a single individual.
Data Loss Prevention (DLP):
- Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the data inventory.
Media Protection:
- Securely dispose of data as outlined in documented data management processes. Ensure the disposal process and method are commensurate with the data sensitivity.
- Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
- Protect removable media and restrict its use based on risk management decisions.
- Encrypt data on removable media.
- Disable autorun and autoplay auto-execute functionality for removable media.
Vulnerability Scanning:
- Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
- Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Flaw Remediation:
- Test software and firmware updates related to security flaw remediation for effectiveness and potential side effects before installation.
- Perform application updates on enterprise assets through automated patch management on a monthly, or frequent, basis.
Audit and Accountability:
- Establish and maintain a documented audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
- Monitor and review audit logs as risk management decisions warrant. Maintain a sufficient history of logs to permit an audit of the system by logging and tracing activities of individuals through the system. Enable alarm and alert functions where available.
- Provide log records upon request.
- Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
- Configure systems to generate an alert in the event of an audit failure and when the maximum capacity for audit logs is reached.
- Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
- Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. Example integrations include leverage a SIEM tool to centralize multiple log sources.
Configuration Management:
- Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
- Develop and implement a consistent process to be used for system changes that includes change documentation, security impact analysis, and review and approval.
- Maintain records of configuration changes to the system to be available for review, if needed.
- Test, validate, and document configuration changes before installing them on production systems where available.
System Development Life Cycle:
- Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Design, develop, configure, and operate systems within a security framework to ensure the confidentiality, integrity, and availability through the system life cycle.
- Define and document information security roles and responsibilities.
- Apply security controls based on the classification of data that is stored or processed by the software or system.
- Integrate risk management into the life cycle from conception to development to operation and then finally to disposition.
- Ensure that lifecycle activities are documented and maintained.
- Assessment of information security risk should be included in all phases of the system development life cycle or acquisition process to produce the desired outcome with meeting security requirements.
- Leverage vetted modules or services for application security components, such as identity management, encryption, and audit and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors.
- Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to the applications.
- Use only standardized, currently accepted, and extensively review encryption algorithms.
- Operating systems also provide mechanisms to create and maintain secure audit logs.
Information System Backup:
- Perform automated backups of in-scope assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
- Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
Physical and Environmental Protection:
- Develop, approve, and maintain a list of individuals with access to facilities, including:
- Issuing access credentials
- Reviewing access lists annually
- Removing access when it is no longer needed.
- Change combinations and keys when keys are lost, combinations are compromised, or individuals are transferred or terminated.
- Verify individual access authorization before granting access to the facility.
- Secure and maintain an inventory of keys, combinations, and other physical access devices.
- Maintain visitor access logs. Review visitor access log records annually and in response to a physical security incident.
- Review physical access logs periodically based on risk management decisions.
- Coordinate results of reviews and investigations with incident response teams.
- Deploy and maintain appropriate emergency lighting that covers emergency exists and evacuation routes that activate automatically in the event of a power outage or disruption and provide notification to appropriate staff.
- Deploy and maintain master shutoff valves to protect the systems from water damage and ensure the valves are easily accessible, functioning properly, and known to key personnel.
- Monitor temperature and humidity within data centers and maintain temperature and humidity at acceptable levels.
- Support fire suppression and detection devices/systems with an independent energy source.
IT Disaster Recovery:
- Develop an IT Disaster Recovery Plan that contains: a Business Impact Analysis and Recovery Procedures for major events.
- Review the plan every two (2) years.
- Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review documentation annually, or when significant changes occur that could impact this Safeguard.
- Periodically test backup and/or recovery media to ensure the validity of the recovery media and process.
Maintenance:
- Establish a process to authorize personnel who can conduct maintenance activities.
- Ensure that non-escorted personnel performing maintenance have required access authorizations and designate authorized personnel to supervise the maintenance activities of personnel who do not have authorization.
- Schedule, perform, document, and review records of maintenance, repairs, or software patching.
- Approve and monitor all maintenance activities, whether performed on site or remotely.
- Explicitly approve the removal of systems or system components (e.g., hard drives) from OU facilities for off-site maintenance or repairs.
- Sanitize equipment to remove all regulated data from associated media prior to removal from OU facilities for off-site maintenance or repairs.
- Check all potentially impacted security controls to verify that the controls are still functioning properly after maintenance or repair actions.
- Review, approve, and monitor nonlocal maintenance and diagnostic activities.
- Allow the use of nonlocal maintenance and diagnostic tools in accordance with OU policy.
- Maintain records for nonlocal maintenance and diagnostic activities.
- Terminate session and network connections when nonlocal maintenance is completed.
- Employ strong authentication for nonlocal maintenance and diagnostic sessions.
Least Functionality:
- Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. Example implementations will not solely include documentation, but also policy and design components.
- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
- Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Remote Access:
- Manage access control for assets remotely connecting to enterprise resources.
- Determine amount of access to enterprise resources based on:
- Up-to-date anti-malware software installed
- Configuration compliance with secure configuration processes
- Ensuring the operating system and applications are up-to-date
- Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
Wireless Access:
- Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).
Incident Handling:
- Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, service vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.
- Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.
User-Installed Software:
- Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
- Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently.
- Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
Malicious Code Protection:
- Deploy and maintain anti-malware software on all enterprise assets.
- Configure anti-malware software to automatically scan removable media.
Mobile Code:
- Detect unauthorized mobile code (e.g., Java, JavaScript, ActiveX, Postscript, etc.).
- Monitor and manage mobile code.
Delivery and Removal:
- Document, authorize, monitor, and control system components delivered to or removed from facilities.
Boundary Protection:
- Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
Governance:
- Mission/Business Process Definition: Identify potential business impacts with consideration for security and resulting risk.
Open Records Request
- Data can be provided upon request with approval from the OU Open Records Office.
Copying and Printing
- Data should only be printed when there is a legitimate need.
- Printed materials must be marked appropriately. See CUI Marking Guideline.
- Paper copies of data must be limited to individuals authorized to access the data.
- Paper copies should not be left unattended where others may see them.
- Unauthorized access to printed materials must be prevented by locking doors, cabinets, etc.
Retention and Disposal
- Data shall be retained in accordance with the State of Oklahoma General Records Disposition Schedule for State Universities and Colleges or contractual obligations.
- Copies of records may be destroyed when they are no longer required for administrative purposes.
- Data shall be deleted and rendered unrecoverable using a DoD 3-pass secure deletion technique.
- Printed materials or paper copies shall be destroyed by the shredding method.
Revision, Review, and Approval History
- October 2023: OU IT Governance, Risk, and Compliance: Initial draft, opened for comments
- January 2024: OU IT Governance, Risk, and Compliance: Comment period closed
- January 2024: Office of the Provost, Health Sciences: Standard reviewed, comments submitted
- January 2024: Office of Compliance: Standard reviewed, comments submitted
- February 2024: OU IT Governance, Risk, and Compliance: Replaced "Data Risk Assessment" with "IT Risk Assessment". Added risk acceptance must be in writing from departmental leadership. Added clarification to Endpoint Environment encryption.
- March 2024: OU IT Governance, Risk, and Compliance: Added Granting Access and Sharing statements. Added Exchanging with Third Parties statements. These statements align with the Identity and Access Management Policy.
- July 2024: Revised Data Protection Standard to align with NIST Cybersecurity Framework, Center for Internet Security Critical Controls, and the HIPAA Security Rule.