Protections based on UC BFB IS-3 (the relevant IS-3 section is cited in parentheses after each control)

Level of Sensitivity: the degree of adverse effect that may result from unauthorized access or disclosure. The last column maps each control to the IS-3 assessment line number.

1. Minimum Network Connectivity Requirements (IV)

| # | Control (IS-3 section) | High: Restricted Data | Moderate: Confidential Data [1] | Low or None: Non-Confidential Data | IS-3 assessment line |
|---|---|---|---|---|---|
| 1. | Access control measures for controlled electronic information resources (III.C.2.b; IV.A)* | Required | Required | Required | 36, 52 |
| 2. | Encrypted transmission of restricted data including passwords** (III.C.2.b.i; III.C.2.g; IV.B) | Required | Required | Required | 47, 53 |
| 3. | Software updates / patch management (III.C.2.c.iv; IV.C) | Required | Required | Required | 43, 54 |
| 4. | Malicious software protection (III.C.2.c.iii; IV.D) | Required | Required | Required | 42, 55 |
| 5. | Removal of unnecessary services (IV.E) | Required | Required | Required | 56 |
| 6. | Host-based firewalls (III.C.2.d; IV.F) | Required | Required | Required | 42, 57 |
| 7. | No unauthorized email relays (IV.G) | Required | Required | Required | 58 |
| 8. | No unauthorized, unauthenticated proxy servers (IV.H) | Required | Required | Required | 59 |
| 9. | Physical security and session timeout (III.C.2.b.ii; III.C.3.b; IV.I) | Required | Required | Required | 37, 49, 60 |
| 10. | Security audit agents (may be required based on level of risk)*** (III.C.2.f; Appendix D) | May be required | May be required | May be required | N/A |

\* Note: IS-3 scope is limited to access control measures for networked devices.
\*\* IS-3 scope is limited to encrypted authentication.
\*\*\* Not included in IS-3.

Additional Administrative Controls

| # | Control (IS-3 section) | High: Restricted Data | Moderate: Confidential Data [1] | Low or None: Non-Confidential Data | IS-3 assessment line |
|---|---|---|---|---|---|
| 2. | Risk assessment, asset inventory and classification; identification of systems storing and accessing data (III.B) | Required for PII, ePHI, PCI; otherwise recommended | Recommended | Recommended | 18, 20 |
| 3. | Additional controls for transferring, distributing, and downloading data (III.C, 4th paragraph; III.C.2.g) | Required | Recommended | | 47 |
| 4. | Authorization required for access, including privileged access (III.C.1.a; III.C.2.b) | Required | Required | | 22 |
| 5. | Control privileged access through defined procedures for providing privileged accounts, review of personnel assignments for appropriate classification, security responsibilities, and separation of duties (III.C.1; III.C.2.b.iii) | Required | Recommended | | 38, 40 |
| 6. | Background checks (III.C.1.b; III.F) | Required | | | 23 |
| 7. | Third party agreements with data security language (III.F) | Required | Recommended | | 33 |
| 8. | Take appropriate personnel/disciplinary action for violations of law or policy (III.C.1.c) | Required | Required | Required | 24 |

Additional Operational Controls

| # | Control (IS-3 section) | High: Restricted Data | Moderate: Confidential Data [1] | Low or None: Non-Confidential Data | IS-3 assessment line |
|---|---|---|---|---|---|
| 9. | Secure and accountable means of authorization and authentication (III.C.2.a) | Required | Required | | 15 |
| 10. | Prompt modification or termination of access or access levels in response to authorization changes (III.C.1) | Required | Required | | 22 |
| 11. | UCSC password guidelines and password vulnerability assessment (III.C.2.b.i) | Required | Recommended | Recommended | 36 |
| 12. | Delete, redact or de-identify data whenever possible (III.C, third paragraph) | Recommended | Recommended | | 18 |
| 13. | Minimize data stored on portable devices (III.C.3.e) | Recommended | Recommended | | 50 |
| 14. | Education and security awareness training (III.E) | Required | Recommended | Recommended | 13 |
| 15. | Incident response planning and notification procedures (III.D) | Required | Required | Required | 31 |
| 16. | Controls for test, training and development systems (III.C.2.c.v) | Required | Recommended | | 26 |
| 17. | Access and activity audit and logging procedures, including access attempts and privileged access (III.C.2.b.iii; III.C.2.f; Appendix D) | Required where mandated by legislative or regulatory requirements (e.g. ePHI, PCI), or as deemed appropriate; otherwise recommended | Recommended | | 38, 45 |
| 18. | Application security: system and application development standards, application vulnerability assessment (III.C.2.c.v) | Required for PCI; otherwise recommended | Recommended | | 26 |
| 19. | Authorized, documented change management procedures (III.C.2.e) | Required for security-related changes and essential resources | Required for essential resources; otherwise recommended | Required for essential resources; otherwise recommended | 27 |
| 20. | Backup systems supporting essential activities (III.C.2.c.ii) | Required | Required | Required | 41 |

Additional Technical Controls

| # | Control (IS-3 section) | High: Restricted Data | Moderate: Confidential Data [1] | Low or None: Non-Confidential Data | IS-3 assessment line |
|---|---|---|---|---|---|
| 21. | Network firewalls and IDS/IPS (III.C.2.d) | Required for restricted or essential systems | Recommended | | 57 |
| 22. | Encryption: (a) stored data (III.C.2.g; Appendix E), (b) transmitted data (III.C.2.g; Appendix E), (c) backups where physical security is at risk (III.C.2.c.ii; Appendix E), (d) protective measures such as encryption for data on portable devices and media (III.C.2.g; III.C.3.e), (e) appropriate encryption key management to ensure the availability of encrypted authoritative information (III.C.2.g; Appendix E) | Encryption or other compensating controls required | Encryption or other compensating controls recommended | | 47, 53 |

Additional Physical Controls

| # | Control (IS-3 section) | High: Restricted Data | Moderate: Confidential Data [1] | Low or None: Non-Confidential Data | IS-3 assessment line |
|---|---|---|---|---|---|
| 23. | Physical access controls; facility access controls (III.C.3.b) | Required | Recommended | Recommended | 49 |
| 24. | Disposal and re-use: securely remove or destroy data before equipment or electronic media is re-deployed, recycled or disposed (III.C.3.d) | Required | Recommended | Recommended | 49 |
| 25. | Physical security for portable devices and media (III.C.3.e) | Required | Recommended | Recommended | 50 |
| 26. | Track reassignment or movement of devices and stock inventories, including financial instruments, such as check stock and produced checks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | | 49 |
| 27. | Document repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks (III.C.3.c) | Required | Required for financial instruments; otherwise recommended | | N/A |
| 28. | Risk mitigation for emergency conditions and procedures to protect restricted data during emergency mode operations (III.B.2 Availability; III.C.3.a) | Required | Recommended | | 29 |

Other Legal and Regulatory Requirements

| # | Control (IS-3 section) | High: Restricted Data | Moderate: Confidential Data [1] | Low or None: Non-Confidential Data | IS-3 assessment line |
|---|---|---|---|---|---|
| 29. | HIPAA Security Rule / UCSC Practices for HIPAA Security Rule Compliance | Required for all ePHI | N/A | N/A | 62 |
| 30. | Payment Card Industry Data Security Standard (PCI DSS) | Required for all sensitive credit cardholder data | N/A | N/A | 63 |