Security Controls by Information Sensitivity

Protections based on UC BFB IS-3. The relevant IS-3 section is given in (parentheses) after each control.

Level of Sensitivity: the degree of adverse effect that may result from unauthorized access or disclosure.

Each control below is rated for three sensitivity levels, followed by the IS-3 assessment line number it maps to. A level with no entry on the source page is shown as (blank).

  High: Restricted Data
  Moderate: Confidential Data [1]
  Low or None: Non-Confidential Data
  IS-3 line: maps to IS-3 assessment line number

1. Minimum Network Connectivity Requirements (IV):

   1. Access control measures for controlled electronic information resources (III.C.2.b; IV.A)*
      High: Required | Moderate: Required | Low: Required | IS-3 line: 36, 52
   2. Encrypted transmission of restricted data including passwords** (III.C.2.b.i; III.C.2.g; IV.B)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 47, 53
   3. Software updates / patch management (III.C.2.c.iv; IV.C)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 43, 54
   4. Malicious software protection (III.C.2.c.iii; IV.D)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 42, 55
   5. Removal of unnecessary services (IV.E)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 56
   6. Host-based firewalls (III.C.2.d; IV.F)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 42, 57
   7. No unauthorized email relays (IV.G)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 58
   8. No unauthorized, unauthenticated proxy servers (IV.H)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 59
   9. Physical security and session timeout (III.C.2.b.ii; III.C.3.b; IV.I)
      High: Required | Moderate: Required | Low: Required | IS-3 line: 37, 49, 60
   10. Security audit agents (may be required based on level of risk)*** (III.C.2.f, Appendix D)
      High: May be required | Moderate: May be required | Low: May be required | IS-3 line: N/A

   * Note: IS-3 scope limited to access control measures for networked devices.
   ** IS-3 scope limited to encrypted authentication.
   *** Not included in IS-3.

Additional Administrative Controls

2. Risk assessment, asset inventory and classification; identification of systems storing and accessing data (III.B)
   High: Required for PII, ePHI, PCI; otherwise recommended | Moderate: Recommended | Low: Recommended | IS-3 line: 18, 20
3. Additional controls for transferring, distributing, and downloading data (III.C, 4th paragraph; III.C.2.g)
   High: Required | Moderate: Recommended | Low: (blank) | IS-3 line: 47
4. Authorization required for access, including privileged access (III.C.1.a; III.C.2.b)
   High: Required | Moderate: Required | Low: (blank) | IS-3 line: 22
5. Control privileged access through defined procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (III.C.1; III.C.2.b.iii)
   High: Required | Moderate: Recommended | Low: (blank) | IS-3 line: 38, 40
6. Background checks (III.C.1.b; III.F)
   High: Required | Moderate: (blank) | Low: (blank) | IS-3 line: 23
7. Third party agreements with data security language (III.F)
   High: Required | Moderate: Recommended | Low: (blank) | IS-3 line: 33
8. Take appropriate personnel/disciplinary action for violations of law or policy (III.C.1.c)
   High: Required | Moderate: Required | Low: Required | IS-3 line: 24

Additional Operational Controls

9. Secure and accountable means of authorization and authentication (III.C.2.a)
   High: Required | Moderate: Required | Low: (blank) | IS-3 line: 15
10. Prompt modification or termination of access or access levels in response to authorization changes (III.C.1)
   High: Required | Moderate: Required | Low: (blank) | IS-3 line: 22
11. UCSC password guidelines and password vulnerability assessment (III.C.2.b.i)
   High: Required | Moderate: Recommended | Low: Recommended | IS-3 line: 36
12. Delete, redact or de-identify data whenever possible (III.C, third paragraph)
   High: Recommended | Moderate: Recommended | Low: (blank) | IS-3 line: 18
13. Minimize data stored on portable devices (III.C.3.e)
   High: Recommended | Moderate: Recommended | Low: (blank) | IS-3 line: 50
14. Education and security awareness training (III.E)
   High: Required | Moderate: Recommended | Low: Recommended | IS-3 line: 13
15. Incident response planning and notification procedures (III.D)
   High: Required | Moderate: Required | Low: Required | IS-3 line: 31
16. Controls for test, training and development systems (III.C.2.c.v)
   High: Required | Moderate: Recommended | Low: (blank) | IS-3 line: 26
17. Access and activity audit and logging procedures, including access attempts and privileged access (III.C.2.b.iii; III.C.2.f; Appendix D)
   High: Required where mandated by legislative or regulatory requirements (e.g. ePHI, PCI), or as deemed appropriate; otherwise recommended | Moderate: Recommended | Low: (blank) | IS-3 line: 38, 45
18. Application security: system and application development standards, application vulnerability assessment (III.C.2.c.v)
   High: Required for PCI; otherwise recommended | Moderate: Recommended | Low: (blank) | IS-3 line: 26
19. Authorized, documented change management procedures (III.C.2.e)
   High: Required for security-related changes and essential resources | Moderate: Required for essential resources; otherwise recommended | Low: Required for essential resources; otherwise recommended | IS-3 line: 27
20. Backup systems supporting essential activities (III.C.2.c.ii)
   High: Required | Moderate: Required | Low: Required | IS-3 line: 41

Additional Technical Controls

21. Network firewalls and IDS/IPS (III.C.2.d)
   High: Required for restricted or essential systems | Moderate: Recommended | Low: (blank) | IS-3 line: 57
22. Encryption:
   • stored data (III.C.2.g; Appendix E)
   • transmitted data (III.C.2.g; Appendix E)
   • backups where physical security is at risk (III.C.2.c.ii; Appendix E)
   • protective measures such as encryption for data on portable devices and media (III.C.2.g; III.C.3.e)
   • appropriate encryption key management to ensure the availability of encrypted authoritative information (III.C.2.g; Appendix E)
   High: Encryption or other compensating controls required | Moderate: Encryption or other compensating controls recommended | Low: (blank) | IS-3 line: 47, 53

Additional Physical Controls

23. Physical access controls; facility access controls (III.C.3.b)
   High: Required | Moderate: Recommended | Low: Recommended | IS-3 line: 49
24. Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (III.C.3.d)
   High: Required | Moderate: Recommended | Low: Recommended | IS-3 line: 49
25. Physical security for portable devices and media (III.C.3.e)
   High: Required | Moderate: Recommended | Low: Recommended | IS-3 line: 50
26. Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (III.C.3.c)
   High: Required | Moderate: Required for financial instruments; otherwise recommended | Low: (blank) | IS-3 line: 49
27. Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c)
   High: Required | Moderate: Required for financial instruments; otherwise recommended | Low: (blank) | IS-3 line: N/A
28. Risk mitigation for emergency conditions and procedures to protect restricted data during emergency mode operations (III.B.2 Availability; III.C.3.a)
   High: Required | Moderate: Recommended | Low: (blank) | IS-3 line: 29

Other Legal and Regulatory Requirements

29. HIPAA Security Rule / UCSC Practices for HIPAA Security Rule Compliance
   High: Required for all ePHI | Moderate: N/A | Low: N/A | IS-3 line: 62
30. Payment Card Industry Data Security Standard (PCI DSS)
   High: Required for all sensitive credit cardholder data | Moderate: N/A | Low: N/A | IS-3 line: 63

-------------------------------- 
[1] The degree of sensitivity determines applicability of recommendations


Rev. 7/14/08