Purpose of these Guidelines
This document serves as a guide for IT personnel to help them understand the obligations laid out in Data and System Security Measures (www.nyu.edu/its/policies/sec_datasys.html).
Scope of these Guidelines
The Data and Computer Security Policy (www.nyu.edu/its/policies/sec_compdata.html) requires that computers and data be protected in a manner appropriate to their level of importance. The Basic, Intermediate, Advanced, and Data Security Measures provide guidance on what safeguards are considered reasonable and appropriate for computer and data resources of each level of criticality.
Statement/Description of the Guidelines
The Security Measures are designed to provide resiliency against the current and rapidly changing threat landscape, and today includes complex and targeted attacks that are often focused on theft of data. They are also designed to provide a sound foundation from which to address external compliance regulations, both legal and contractual, the number and complexity of which continue to grow at a rapid pace. The Measures have been created with consideration of industry best practices, external compliance requirements, and existing NYU policy. This document serves as a guide for IT personnel, to help them understand the obligations laid out in the Security Measures. Questions regarding this document should be sent to ITS Technology Security Services at firstname.lastname@example.org.
- Covered Systems
The Measures are applicable to a wide variety of IT resources which are connected to NYU-NET or are used for any NYU business purpose. A system may be any IT resource to which the safeguards outlined in Security Measures may be applied. Examples of systems include, but are not limited to:
- Desktop, laptop, or server computers running general purpose operating systems such as Windows, Mac OS, and Unix
- Mobile devices, such as PDAs and cell phones, to the extent that they interact with NYU resources, such as email
- Network server applications, such as an FTP-server application
- Web applications, such as a wiki
All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations which must be managed, and each of them are a considered a compliance object to be protected
In order to minimize IT security risk, it is recommended that you integrate compliance auditing into your existing inventory management and auditing framework. Auditing requirements for external standards, such as HIPAA or PCI, are not affected by this document.
In some cases, a system may be incapable of implementing a control required by this policy. In such cases, the exception should be documented and approved by the appropriate chain of authority. For High Criticality systems managed by ITS, this involves the Risk Review Process. Information about the Risk Review Process is available from ITS Technology Security Services: email@example.com.
- Compliance Requirements
This section outlines how the various security policies and measures fit together from the perspective of a system administrator attempting to determine the compliance requirements for a system that they manage.
- The first step is to classify the system and the data it processes according to the Data and Computer Security Policy (www.nyu.edu/its/policies/sec_compdata.html), including the Reference for Data and System Classification (www.nyu.edu/its/policies/sec_ref.html). These documents provide a framework for describing the importance of information technology systems and data. They outline three system classifications that represent how severe the impact would be to the University if a system or piece of data were accessed without authorization, or were unavailable to perform its function. The Data and System Security Measures (www.nyu.edu/its/policies/sec_datasys.html) rely on these classifications to determine what requirements are applicable.
- The second step is to apply the appropriate system controls, based on that system classification. There are three levels of security measures, which correspond to the three system classification levels and define the security measures that must be applied to each class of system.
- In addition to the security measures for systems, there are security measures for handling non-public data. A workstation is able to store small amounts of restricted data and continue to be classified as a low criticality system, but the restricted data stored on that system remains important and must be protected. The Data Handling Security Measures define protections that "follow the data" and must always be applied regardless of whether the data is on a high, medium, or low criticality system. The protections defined in the Data Handling Security Measures are cumulative with the security measures for systems.
The measures are additive, meaning that a low criticality system must implement only the Basic Security Measures, while a high criticality system must implement the Basic, Intermediate, and Advanced Security Measures in order to be compliant. Whenever requirements for different measures conflict, the requirements in the stricter measures take precedence.
Availability: A statement about the need for a system to be operational and accessible by the people who need to use it. There are three categories:
- High: Systems in this category have the highest availability requirements of any group of NYU systems.
- Medium: Systems in this category have the above average availability requirements compared to other NYU systems.
- Standard: Systems in this category have no special availability requirements.
Data Classification Table: Classifies data types that are commonly used at NYU according to the impact to the University if they are disclosed without authorization. There are four categories of data:
- Restricted Data: A category in the Data Classification Table (www.nyu.edu/its/policies/data-classification.html). Unauthorized disclosure of data in this category would have a large impact on the University.
- Protected Data: Unauthorized disclosure of data in this category would have a moderate impact on the University.
- Confidential Data: Unauthorized disclosure of data in this category would have a low impact on the University.
- Public Data: Disclosure of data in this category would have no impact on the University; it is intended for public distribution.
Data Steward: Data Stewards are typically operational managers in a functional area with day-to-day responsibilities for managing business processes and establishing the business rules for the production transaction systems and are appointed by the respective Data Trustees. The Data Steward will be responsible for developing an overall data access plan following the categorization in the Reference for Data and System Classification (www.nyu.edu/its/policies/sec_ref.html). See definition and explanation in the University Data Management Policy (www.nyu.edu/its/policies/datamgmt.html).
Personal Workstations: Personal workstations typically do not have network accessible services, and are typically accessed by a single user at a time.
Security Measure: Defines the security controls that must be implemented to achieve compliance.
Server: Servers are characterized by the presence of network accessible services, they are typically accessed simultaneously by many remote users concurrently, via the network services they provide.
System: An information technology resource that can be classified and to which security controls listed in a security measure may be applied. A system may be a workstation, laptop, server, web application, database, or similar.
System Classification: A framework for classifying the relative importance of NYU systems based on their data processing and availability requirements. There are three classes of criticality:
- High: Systems in this category are of the greatest importance to the University.
- Medium: Systems in this category are of moderate importance to the University.
- Low: Systems in this category are of average importance to the University.
- Policy on Responsible Use of NYU Computers and Data (www.nyu.edu/about/policies-guidelines-compliance/policies-and-guidelines/responsible-use-of-nyu-computers-and-data-policy-on.html)
- University Data Management Policy (www.nyu.edu/its/policies/datamgmt.html)
- Data and Computer Security Policy (www.nyu.edu/its/policies/sec_compdata.html)
- Data and System Security Measures (www.nyu.edu/its/policies/sec_datasys.html)
- Security Guidelines for Desktop and Laptop Computers (www.nyu.edu/its/policies/sec_desktoplaptop.html)
- Reference for Data and System Classification (www.nyu.edu/its/policies/sec_datasys.html)
- Personally Identifiable Information Policy (www.nyu.edu/its/policies/pii.html)
Send questions or comments to: firstname.lastname@example.org.
November 1, 2010
Page last reviewed: November 1, 2010