Information Technology Services

Security Controls by Information Sensitivity

Protections based on UC BFB IS-3 Relevant section in (parentheses)		Level of Sensitivity: The degree of adverse affect that may result from unauthorized access or disclosure			Maps to IS-3 assessment line number
		High Restricted Data	Moderate Confidential Data [1]	Low or None Non-Confidential Data	Maps to IS-3 assessment line number
Minimum Network Connectivity Requirements (IV):
1.	1. Access control measures for controlled electronic information resources (III.C.2.b; IV.A)*	Required	Required	Required	36, 52
	2. Encrypted transmission of restricted data including passwords**(III.C.2.b.i; III.C.2.g; IV.B)	Required	Required	Required	47, 53
	3. Software updates / patch management(III.C.2.c.iv; IV.C)	Required	Required	Required	43, 54
	4. Malicious software protection (III.C.2.c.iii; IV.D)	Required	Required	Required	42, 55
	5. Removal of unnecessary services(IV.E)	Required	Required	Required	56
	6. Host-based firewalls(III.C.2.d; IV.F)	Required	Required	Required	42, 57
	7. No unauthorized email relays (IV.G)	Required	Required	Required	58
	8. No unauthorized, unauthenticated proxy servers (IV.H)	Required	Required	Required	59
	9. Physical security and session timeout(III.C.2.b.ii; III.C.3.b; IV.I)	Required	Required	Required	37, 49, 60
	10. Security audit agents (may be required based on level of risk)*** (III.C.2.f, Appendix D)	May be required	May be required	May be required	N/A
	* Note: IS-3 scope limited to access control measures for networked devices IS-3 scope limited to encrypted authentication. * Not included in IS-3
Additional Administrative Controls
2.	Risk assessment, asset inventory and classification; Identification of systems storing and accessing data (III.B)	Required for PII, ePHI, PCI; otherwise recommended	Recommended	Recommended	18, 20
3.	Additional controls for transferring, distributing, and downloading data (III.C, 4th paragraph; III.C.2.g)	Required	Recommended		47
4.	Authorization required for access, including privileged access(III.C.1.a; III.C.2.b)	Required	Required		22
5.	Control privileged access through defined procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties(III.C.1; III.C. 2.b.iii)	Required	Recommended		38, 40
6.	Background checks(III.C.1.b; III.F)	Required			23
7.	Third party agreements with data security language (III.F)	Required	Recommended		33
8.	Take appropriate personnel/disciplinary action for violations of law or policy (III.C.1.c)	Required	Required	Required	24
Additional Operational Controls
9.	Secure and accountable means of authorization and authentication(III.C.2.a)	Required	Required		15
10.	Prompt modification or termination of access or access levels in response to authorization chances(III.C.1)	Required	Required		22
11.	UCSC password guidelines and password vulnerability assessment (III.C.2.b.i)	Required	Recommended	Recommended	36
12.	Delete, redact or de-identify data whenever possible (III.C, third paragraph)	Recommended	Recommended		18
13.	Minimize data stored on portable devices(III.C.3.e)	Recommended	Recommended		50
14.	Education and security awareness training(III.E)	Required	Recommended	Recommended	13
15.	Incident response planning and notification procedures(III.D)	Required	Required	Required	31
16.	Controls for test, training and development systems(III.C.2.c.v.)	Required	Recommended		26
17.	Access and activity audit and logging procedures, including access attempts and privileged access(III.C.2.b.iii; III.C.2.f; Appendix D)	Required where mandated by legislative or regulatory requirements (e.g. ePHI, PCI), or as deemed appropriate;otherwise recommended	Recommended		38, 45
18.	Application security: System and application development standards, application vulnerability assessment (II I.C.2.c.v)	Required for PCI; otherwise recommended	Recommended		26
19.	Authorized, documented change management procedures (III.C.2.e)	Required for security-related changes and essential resources	Required for essential resources;otherwise recommended	Required for essential resources;otherwise recommended	27
20.	Backup systems supporting essential activities (III.C.2.c.ii)	Required	Required	Required	41
Additional Technical Controls
21.	Network firewalls and IDS/IPS (III.C.2.d)	Required for restricted or essential systems	Recommended		57
22.	Encryption: stored data(III.C.2.g; Appendix E) transmitted data(III.C.2.g; Appendix E) backups where physical security is at risk(III.C.2.c.ii; Appendix E) protective measures such as encryption for data on portable devices and media(III.C.2.g; (III.C.3.e) appropriate encryption key management to ensure the availability of encrypted authoritative information(III.C.2.g; Appendix E)	Encryption or other compensating controls required	Encryption or other compensating controls recommended		47, 53
Additional Physical Controls
23.	Physical access controls; Facility access controls (III.C.3.b)	Required	Recommended	Recommended	49
24.	Disposal and re-use: Securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed(III.C.3.d)	Required	Recommended	Recommended just in case	49
25.	Physical security for portable devices and media (III.C.3.e)	Required	Recommended	Recommended	50
26.	Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks(III.C.3.c)	Required	Required for financial instruments;otherwise recommended		49
27.	Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c)	Required	Required for financial instruments;otherwise recommended		N/A
28.	Risk mitigation for emergency conditions and procedures to protect restricted data during emergency mode operations (III.B.2 Availability; III.C.3.a)	Required	Recommended		29
Other Legal and Regulatory Requirements
29.	HIPAA Security Rule / UCSC Practices for HIPAA Security Rule Compliance	Required for all ePHI	N/A	N/A	62
30.	Payment Card Industry Data Security Standard (PCI DSS)	Required for all sensitive credit cardholder data	N/A	N/A	63

--------------------------------
[1] The degree of sensitivity determines applicability of recommendations

Rev. 7/14/08