Update

The University of Colorado is in the process of transitioning from this multicampus standard for high risk IT systems to newer, campus-specific standards. Each campus has a separate process and timeline for this transition, so please contact your campus information security teams for current information on the applicable standards for your work.

Summary

It is the responsibility of IT service providers and IT staff to implement systems in accordance with university security standards. The standards described in this document apply to all IT services which maintain or process highly-confidential data or can be considered as highly critical based on the University of Colorado Process for Data Classification and System Security Categorization. These standards supplement, not supersede, the University Baseline Security Standards.

Table of Contents

1. High Impact Baseline Security Controls for Information Systems

It is the responsibility of IT service providers and IT staff to implement systems in accordance with university security standards. The standards described in this document apply to all IT services which maintain or process highly-confidential data or can be considered as highly critical based on the University of Colorado Process for Data Classification and System Security Categorization[1]. These standards supplement, not supersede, the University Baseline Security Standards[2].

Highly Confidential Data

Data elements that require protection under laws, regulations, contracts, relevant legal agreements and/or require the institution to provide notification of unauthorized disclosure/security incidents to affected individuals, government agencies or media.

This is information that is only for the “eyes of the authorized individuals”, in any form, including paper or electronic. This information is prohibited from being (1) transmitted or stored without encryption, or (2) handled on networks or systems without appropriate firewall, monitoring, logging, patching, anti-malware and related security controls.

The following are the most common examples of data types under the “Highly Confidential” information category:

  • Protected Health Information
  • Social Security Numbers
  • Payment Card Numbers
  • Financial Account Numbers; including University account numbers, student account numbers, and Faculty and Staff Direct Deposit account numbers
  • Driver’s License numbers
  • Health Insurance Policy ID Numbers
  • Level 4 and 5 Student data (SSN, NID, Financial Aid (except work study), Loan and Bank Account Numbers, Health Information, Disability, Race, Ethnicity, Citizenship, Legal Presence, Visas, Religion)

Highly Critical Service

An IT service or system is considered highly critical when the potential impact is high, that is, when the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

CU uses the following as guides for defining impact:

  • Financial – direct or indirect monetary costs to the institution where liability must be transferred to an organization external to the campus, because the institution is unable to incur the assessed high end of the cost for the risk; this would include, for example, the use of an insurance carrier
  • Reputation – when the impact results in negative press coverage and/or major political pressure on institutional reputation on a national or international scale
  • Safety – when the impact places campus community members at imminent risk of injury
  • Legal – when the impact results in significant legal and/or regulatory compliance action against the institution or business
  • Strategic – when the service is in direct support of campus or university leadership strategic plans

1.1 Access Control

1.1.1 AC-2 Account Management Additional Controls

1.1.2 AC-6 Least Privilege

1.1.3 AC-11 Session Lock

1.1.4 AC-17 Remote Access

1.1.5 AC-19 Access Control for Mobile Devices

1.1.6 AC-20 Use of External Information Systems

1.2 Awareness and Training

1.2.1 AT-2 Security Awareness

1.3 Audit and Accountability

1.3.1 AU-2 Audit Events

1.3.2 AU-2 Content of Audit Records

1.3.3 AU-6 Audit Review, Analysis, and Reporting

1.3.4 AU-8 Time Stamps

1.3.5 AU-9 Protection of Audit Records

1.3.6 AU-10 Non-Repudiation

1.3.7 AU-12 Audit Generation

1.4 Security Assessment and Authorization

1.4.1 CA-2 Security Assessment

1.4.2 CA-8 Penetration Testing

1.4.3 CA-7 Continuous Monitoring

1.5 Configuration Management

1.5.2 CM-3 Configuration Change Control

1.5.3 CM-5 Access Restrictions for Change

1.5.4 CM-6 Configuration Settings

1.5.5 CM-7 Least Functionality

1.5.6 CM-8 Information System Component Inventory

1.6 Contingency Planning

1.6.1 CP-2 Contingency Plan

1.6.2 CP-4 Contingency Plan Testing

1.6.3 CP-6 Alternate Storage Site

1.6.4 CP-7 Alternate Processing Site

1.6.5 CP-8 Telecommunications Services

1.6.6 CP-10 Information System Recovery and Reconstitution

1.7 Identification and Authentication

1.7.1 IA-2 User Identification and Authentication (Organizational Users)

1.8 Incident Response

1.8.1 IR-4 Incident Handling

1.8.2 IR-5 Incident Monitoring

1.8.3 IR-6 Incident Reporting

1.9 Maintenance

1.9.1 MA-4 Non-Local Maintenance

1.10 Media Protection

1.10.1 MP-4 Media Transport

1.10.2 MP-7 Media Use

1.11 Physical and Environmental Protection

1.11.1 PE-13 Location of Information System Components

1.12 Planning

1.12.1 PL-2 System Security Plan

1.13 Personnel Security

1.13.1 PS-4 Personnel Termination

1.14 Risk Assessment

1.14.1 RA-5 Vulnerability Scanning

1.15 System and Services Acquisition

1.15.1 SA-4 Acquisitions

1.15.2 SA-15 Development Process, Standards, and Tools

1.15.3 SA-17 Developer Security Architecture and Design

1.16 System and Communications Protection

1.16.1 SC-7 Boundary Protection

1.16.2 SC-8 Transmission Confidentiality

1.17 System and Information Integrity

1.17.1 SI-3 Malicious Code Protection

1.17.2 SI-4 Information System Monitoring

1.17.3 SI-7 Software, Firmware and Information Integrity

2. Responsibility Matrix