INFORMATION SECURITY STANDARDS
COMPLIANCE CHECKLISTS

The following checklists are based on the University of Arizona Information Security Standards. They are designed to help university departments and colleges comply with the minimum requirements. The checklists should be used together with the standards themselves; a checklist item summarizes a requirement but does not replace the wording of the standard.

Avoid collecting the SSN of any university-related person, and avoid its use as an identifier, except as required by law

INFORMATION SECURITY STANDARDS
COMPLIANCE CHECKLIST
CONFIDENTIAL
Spreadsheet columns: Standard, Compliance*, Action Plan (the items below are the Standard column)

Management Responsibilities for Information Security (IS-S400)

1.  Hiring Process
In posted job vacancies, indicate whether the advertised position has access to sensitive information and systems
In posted job vacancies, indicate whether the applicant will be subject to a criminal background check
Include position requirements about information security when screening candidates
Include questions in the reference check inquiries about access to confidential university data, as well as related misconduct
Prior to hire, conduct criminal background checks in accordance with university policies as they relate to personnel with access to confidential university data and other mission critical university resources

2.  Post Hiring

Provide training for new employees on confidentiality of student records, personnel information, financial information, medical information, research, and other types of confidential university data with which they will have contact, and consequences of not following the information security policies and procedures
Have access controls to confidential university data and other mission critical university resources that deny employees access until appropriate information security training is completed
Conduct annual refresher training on access and responsibilities relating to confidential university data and other mission critical university resources
Require employees to sign an appropriate statement acknowledging their responsibilities regarding access and protection of confidential university data and other mission critical university resources

3.  Supervision
Immediately inform employees about changes in university or departmental information security policies or protocols
Review job announcements, promotions, changes of job responsibilities, and employee transfers to ensure that access to confidential university data is appropriate to each position
Review access privileges at least annually and revoke access for all employees who do not have a business need for access to confidential university data
Annually review notices, policies, and procedures related to non-disclosure, security, and privacy
Complete annual performance assessments and competencies specifically related to proper handling of confidential university data
Ensure that supervisors are aware of their information security and privacy obligations
4. Internal Promotion or Transfer
Review and change access privileges based on job related and need-to-know criteria
Train newly hired or transferred employees in accordance with information security guidelines and criteria appropriate for their new job as determined by their supervisor
Conduct background checks and/or fingerprint checks for internally promoted and transferred employees in accordance with university policy
5. Voluntary Separation (e.g., Resignation, Retirement)
As of separation date, revoke all types of access rights to include building access, individual’s computer systems, information access privileges, and computer system accounts, with exceptions approved by management and documented

As of separation date, require the return of office and building access keys, cards, and ID badges, with exceptions approved by management and documented

As of separation date, require return of all university data and documentation, with exceptions approved by management and documented

As of separation date, require return of all resources provided to employee, with exceptions approved by management and documented

As of separation date, complete the transfer of ownership of all online (active and archived) files or libraries, with exceptions approved by management and documented
Change the passwords of all shared computer/network accounts to which the individual had access
Reformat individual’s computer workstation according to security standards if it is to be discarded
Evaluate and cleanse/format reassigned computers based on differences in user role
Inform appropriate staff of change in individual’s status
Obtain a signed non-disclosure agreement if appropriate to protect sensitive research or other important university data

6.  Involuntary Separation (e.g., as a result of funding cuts or restructuring, or for cause)
Escort individuals while they pack their belongings and leave facilities
Notify university police as appropriate

View full checklist in .xls

http://security.arizona.edu/files/compliancechecklist.xls

Standards for Security Categorization of
Federal Information and Information Systems
______________________________________________________
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8900

1 PURPOSE
The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines, including the development of:

Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;

Guidelines recommending the types of information and information systems to be included in each category; and

Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.
FIPS Publication 199 addresses the first task cited—to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.

2 APPLICABILITY

These standards shall apply to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). Agency officials shall use the security categorizations described in FIPS Publication 199 whenever there is a federal requirement to provide such a categorization of information or information systems. Additional security designators may be developed and used at agency discretion. State, local, and tribal governments as well as private sector organizations comprising the critical infrastructure of the United States may consider the use of these standards as appropriate. These standards are effective upon approval by the Secretary of Commerce.

3 CATEGORIZATION OF INFORMATION AND INFORMATION SYSTEMS

This publication establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

Security Objectives
FISMA defines three security objectives for information and information systems:
CONFIDENTIALITY
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
INTEGRITY

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.

AVAILABILITY
“Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information system.

Potential Impact on Organizations and Individuals
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.
The potential impact is LOW if—
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if—
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
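The categorization scheme described above, carried through in code as an added illustration (this is not code from FIPS 199 or from this page). Each information type is rated per security objective, and an information system takes the highest rating (the high water mark) over the information types it handles for each objective; that aggregation rule, the HIGH level, and the rule that "not applicable" may only be assigned to the confidentiality of information (never to integrity, availability, or a system) come from the full FIPS 199 text rather than from the excerpt on this page. The information types in the sample are constructed for the example.

```python
"""FIPS 199 style security categorization of information types and systems.

Added worked example; the sample information types below are constructed.
"""
from enum import IntEnum


class Impact(IntEnum):
    # Ordered so that max() yields the high water mark.
    NA = 0        # "not applicable": permitted only for confidentiality of information
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information(confidentiality, integrity, availability):
    """Security category of one information type.

    SC = {(confidentiality, x), (integrity, y), (availability, z)}.
    Integrity and availability can never be NA: a loss there always has at
    least a LOW impact, so NA is rejected rather than silently accepted.
    """
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError("NA is allowed only for the confidentiality objective")
    return {
        "confidentiality": Impact(confidentiality),
        "integrity": Impact(integrity),
        "availability": Impact(availability),
    }


def categorize_system(information_types):
    """Security category of a system from the information types it processes.

    For each objective take the high water mark across the information types.
    A system cannot carry NA for any objective (a system always has some
    confidentiality exposure), so the result is floored at LOW.
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    return {
        objective: max(max(it[objective] for it in information_types), Impact.LOW)
        for objective in OBJECTIVES
    }


def overall_impact(security_category):
    """Single impact level for the category: the highest of the three objectives.

    This is the level that subsequent NIST guidance keys minimum security
    requirements to, so it is the number a practitioner usually needs next.
    """
    return max(security_category.values())


def fmt(security_category):
    """Render a category in the FIPS 199 notation."""
    return "SC = {" + ", ".join(
        f"({objective}, {level.name})" for objective, level in security_category.items()
    ) + "}"


# Constructed sample: a departmental web server hosting public course
# descriptions alongside a grade-submission form.
PUBLIC_COURSE_INFO = categorize_information(Impact.NA, Impact.MODERATE, Impact.LOW)
STUDENT_GRADES = categorize_information(Impact.MODERATE, Impact.MODERATE, Impact.LOW)

if __name__ == "__main__":
    print("public course info:", fmt(PUBLIC_COURSE_INFO))
    print("student grades:    ", fmt(STUDENT_GRADES))
    server = categorize_system([PUBLIC_COURSE_INFO, STUDENT_GRADES])
    print("web server:        ", fmt(server), "->", overall_impact(server).name)
    # A server that only hosted the public information still cannot be NA
    # for confidentiality; the floor lifts it to LOW.
    print("public-only server:", fmt(categorize_system([PUBLIC_COURSE_INFO])))
```

The NA floor is the part most often missed in practice: an information type can be marked NA for confidentiality, but the moment it lands on a system, that system's confidentiality rating is at least LOW, and any confidential information type co-located on the same system raises the whole system's category.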

View full details here:

http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Author: anamer on November 6, 2011