The information below defines the baseline standards of care for Information Systems in use at Oregon State University. Baseline standards of care are system configuration and operational practices and procedures designed to protect the confidentiality, integrity, and availability of data housed on those systems.
These classifications are additive, meaning that a device needs to meet the standards of its classification level and those from any less restricted level also. Confidential information has the most restrictions, and unrestricted has the least.
Access to Unrestricted Information: No restriction for viewing, copying or printing. Departments determine protocol for modification of information.
Mobile Devices (systems utilizing an operating system designed specifically for mobile devices. Examples would include Android, iOS, Windows Phone, Firefox OS, Sailfish OS, Tizen, Ubuntu Touch OS, Blackberry)
Recommended: Current operating system with updates turned on.
Required Standards of Care for Sensitive Information includes all recommended and required standards for Unrestricted Information plus:
Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or Printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.
Access to Sensitive Information is assigned by role pursuant to standards approved by the OSU Data Trustee
Access to Confidential Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or Printing of Confidential Information is limited to legitimate need, with copies limited to individuals with a business need to know, and must be labeled “Confidential.” A signed confidentiality agreement is required, both for accessing and viewing confidential information in any format.
Access to Confidential Information is assigned by role pursuant to standards approved by the OSU Data Trustee
Storage of Confidential Information on Paper or other physical media: Physical access to paper documents containing confidential information must be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.
Use of elevated privileges (administrative privileges) shall only be used when needed to perform an administrative task. Daily tasks must be performed using a normal user account.
Network Security: Systems housing or regularly accessing Confidential Information must be in isolated network segments, protected with a physical firewall or equivalent using a “default deny” rule set; firewall rule sets, including changes, must be approved by the Office of Information Security. An Intrusion Detection System (IDS) hosted by the Office of Information Security must monitor this segment. Systems within these segments cannot be visible to the entire Internet, nor to unprotected subnets. An inventory of systems authorized to be on that subnet will be kept and the subnet regularly scanned/monitored for unauthorized systems. The Office of Information Security will perform authenticated vulnerability scan of these networks quarterly and will inform cognizant support teams of scan results requiring corrective action; vulnerabilities will be addressed during the next normal patching cycle unless other remediation is established or an exception granted.
Transmission of Confidential Information: Under no circumstances shall Confidential Information be transmitted across an unsecured network in clear text. In particular, it should be noted that email is not by default an encrypted means of transmission and any Email containing confidential information is subject to this restriction.
For the occasional transfer of data via email, file attachments should be encrypted using, at a minimum, an 128-bit symmetric-key algorithm, such as the Advanced Encryption Standard (AES). Microsoft Office encryption meets this standard. Key (password) sharing must be through a different mechanism than that used for transmission, such as a phone call.
For departments that have a business need to transfer confidential information on a regular basis via email, the use of a program that utilizes both symmetric and asymmetric key encryptions, such as PGP or equivalent, is strongly recommended.