IT Service Provider Responsibilities for Protecting Electronic Restricted Data
INTRODUCTION:
All individuals in the University community have a responsibility to protect restricted data under their jurisdiction or control (see definition below). This document outlines specific IT Service Provider responsibilities for the protection of this data. These responsibilities are above and beyond the general practices for protecting electronic restricted data, and assume that Service Providers are familiar with those practices. The information below does not supersede UC Business and Finance Bulletin IS-3 requirements for protection of restricted and essential data: http://www.ucop.edu/ucophome/policies/bfb/is3.pdf
Certain types of restricted data, such as electronic protected health information (ePHI) and credit card data (PCI), have specific protection requirements. For information, see ITS' Restricted Data Resources page at http://its.ucsc.edu/security_awareness/restricted_data_resources.php.
DEFINITIONS:
IT Service Provider: The authorized University personnel who have physical or logical control over a specific Electronic Information Resource. See Glossary - link below.
Restricted Data: The University of California has defined "restricted data" as "any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit." Please see UC Business and Finance Bulletin IS-3, Information Security, for a complete definition: http://www.ucop.edu/ucophome/policies/bfb/is3.pdf.
At UCSC, restricted data includes information whose unauthorized release or disclosure could be expected to have a severe or catastrophic effect on the University. This includes, but is not necessarily limited to:
- Personal Identity Information (PII),
- Electronic protected health information (ePHI) protected by Federal HIPAA legislation,
- Credit card data regulated by the Payment Card Industry (PCI),
- Records of students with a "Non-Release of Public Information" (NRI) flag in UCSC's Academic Information System (AIS),
- Information relating to an ongoing criminal investigation,
- Court-ordered settlement agreements requiring non-disclosure,
- Information specifically identified by contract as restricted,
- Other information for which the degree of adverse effect that may result from unauthorized access or disclosure is high.
Glossary: Please see ITS' online glossary for additional information about these and other terms used in this document.
IT SERVICE PROVIDER RESPONSIBILITIES FOR PROTECTING ELECTRONIC RESTRICTED DATA
These responsibilities are above and beyond the 'general practices for protecting electronic restricted data'.
IT Service Providers have the obligation to inform System/Data Stewards of the appropriate protections for their data and to provide relevant information, including legal, policy and industry requirements, and risk and cost trade-offs. System/Data Stewards have ultimate responsibility for the set of University electronic information under their jurisdiction. This includes responsibility for risk tolerance and cost/benefit decisions.
- Authorization
- Passwords and authentication
- Session protection
- Physical security
- Other steps to avoid malicious computer software, viruses, spyware, and hackers
- Transmission and remote access of restricted data
- Transferring, distributing and downloading restricted data
- Additional data management practices
- Disposal and re-use of files, equipment and portable media containing restricted data
- Security incidents and breaches
- Disaster recovery and emergency procedures
- Third party/vendor relationships
- Additional hardening of systems storing and accessing restricted data
- Log review and management
- Review of policy and effectiveness of implementation
1. Authorization
- Ensure proper authorization, including a signed UCSC Access to Information Statement on file in the ITS Support Center for ITS employees, before providing access to systems containing or accessing restricted data.
- Respond promptly to requests to modify or terminate access to restricted data.
- Superuser accounts are authorized only for specified activities. If a service provider also needs standard access to restricted data, he or she must request and use a separate, non-superuser account. Alternatively, a mechanism that elevates privileges in a manner that can be tracked and audited may be used for superuser access.
- When an account is closed, any related superuser access must also be closed.
2. Passwords and authentication
- Ensure unique user authentication for systems that contain or access restricted data. Shared accounts or passwords are not permitted.
- Ensure that systems and applications are configured to enforce secure authentication whenever possible.
- Ensure awareness of and appropriate adherence to the UCSC Password Strength and Security Standards. This includes making sure people you support are aware of the standards and helping them understand them if they need help. Internally, it also includes making sure you and other IT service providers you work with are aware of and are following the password standards for yourselves and for systems you support.
- Systems that contain restricted data are to be configured to thwart password-guessing attacks. This includes locking out users after an appropriate number of failed login attempts, as determined in consultation with the System Steward.
3. Session protection
Security mechanisms must be in place that prohibit or minimize the risk of unauthorized access to a working session. Measures such as locking screensavers, automatic logout, and/or other means of session protection should be operative on all restricted electronic information resources.
4. Physical security
- Establish procedures for secure storage, re-use and disposal of backups and electronic media containing restricted data.
- Inventory control: In conjunction with managers, and as applicable, implement and document procedures to track hardware and electronic media containing restricted data, including receipt, removal, reassignment and disposition.
5. Other steps to avoid malicious computer software, viruses, spyware, and hackers
- Patches and Anti-Virus (AV)/Anti-Spyware: Service providers with desktop support responsibilities should ensure that clients know how patches and AV/anti-spyware are managed, and are aware of their responsibilities, if any, as individuals for keeping them up to date.
- Firewalls and External Connectivity: Communications access controls, such as firewalls, must be present to limit unauthorized access to Restricted or Essential Electronic Information Resources across campus or University communication networks. These firewalls may be limited to protection at the appropriate subnet level. This protection should be implemented at both the system level and within the network.
- Host-based firewalls are also strongly recommended and should also be utilized where possible as an additional layer of protection against unauthorized access and system compromise.
- Workstations that contain or access electronic protected health information governed by HIPAA (ePHI) or sensitive credit cardholder data (PCI) are required to have host-based firewalls activated and properly configured. PCI regulations require firewalls that restrict both inbound and outbound traffic.
- Intrusion Detection Systems: UCSC employs a campus-level intrusion detection system (IDS) to help identify attempted or actual unauthorized intrusions. Contact ITS Security for information: security@ucsc.edu.
6. Transmission and remote access of restricted data
- Ensure secure remote access to systems that contain or access restricted data during provision of support functions.
- When setting up a client with the ability to access their UCSC workstation remotely, ensure proper configuration for secure access.
- Backups containing restricted data must be accessed and transmitted securely.
7. Transferring, distributing and downloading restricted data
When working with any system containing or accessing restricted data, including test and development systems, appropriate procedures and controls must be in place to ensure that the data is transferred and stored securely. Additionally, Service Providers who access restricted data via web browsers must clear web caches after accessing the data.
8. Additional data management practices
Additional protection for stored data includes encryption along with appropriate key management procedures. See IT Request tech-only FAQ #1043 for information about encryption tools.
IT service providers also have the responsibility for asking about the intended use of a system. If you are managing a system with known restricted data on it, you need to make sure the system is properly protected, has appropriate access controls, etc. People should be instructed not to store restricted data on the system if the necessary protections aren't in place. If someone else will be managing the system, you need to make sure whoever is managing it knows that restricted data is involved so they can protect it properly, and you need to make sure any parts you are responsible for are configured securely.
It is also a good idea to work with clients to sanitize their data so it doesn't meet the threshold of restricted data -- in cases where this is possible, of course.
9. Disposal and re-use of files, equipment and portable media containing restricted data
- Assist Users with the secure deletion of electronic restricted data.
- Ensure that restricted data is unusable and/or inaccessible prior to disposal or re-use of the system or electronic media containing it:
- When a system or portable media is recycled, transferred to another user, or otherwise re-used or discarded, all storage devices or all restricted data must either be overwritten multiple times in accordance with NIST standards, or destroyed, eliminating all possibility that any restricted data could be accessed.
10. Security incidents and breaches
11. Disaster recovery and emergency procedures
- Ensure that all identified critical restricted data is backed up regularly to a secure location. Also see Transmission and remote access of restricted data, above.
- Ensure that the protection of restricted data is maintained when providing service during emergency mode operations. This includes providing non-restricted data-related service on a system that contains or accesses restricted data.
12. Third party/vendor relationships
Ensure that contractors with access to restricted UCSC data, or systems that contain or access this data, are aware of their obligations for data security under the terms and conditions of their contract. Guidance in this area is available at http://its.ucsc.edu/security_awareness/appendixds.php.
13. Additional hardening of systems storing and accessing restricted data
- Systems identified as storing or accessing restricted data must be "hardened." In addition to the protections described in the general practices for protecting electronic restricted data, hardening includes:
  - Regular and timely installation of OS and third-party application security updates or "patches" and anti-virus/anti-spyware
    - Users must be made aware of their responsibility, if any, for updates.
  - Removal or disabling of unnecessary services
  - Strengthening of configuration settings
  - Removal or changing of all default passwords, including those for administrator accounts
  - Disabling guest accounts
  - In situations where there is a concern about the existence of temporary files containing restricted data, systems should be configured to flush or delete temp files, history, and web caches, as applicable, when the user logs out or shuts down.
- The Service Provider is responsible for educating employees and management about procedures that must be followed in order for these protections to function.
14. Log review and management
- As mandated by law, policy or regulation, record and examine activity in systems that contain or access restricted data.
- Logging should be enabled at the workstation, OS, and application/database level, where available, on devices that store or access restricted data, or provide access to locations that store restricted data or such devices.
- Logs should include sufficient detail, such as records of all login attempts, to ensure that suspicious patterns of activity can be identified, and should be reviewed periodically as appropriate.
- Wherever possible, logs should record:
  - System access
  - Failed and successful login attempts
  - Data access
  - Software or data modification
  - Elevation of privilege, successful or failed attempts
- Logs indicating potential security problems are to be escalated to UCSC IT Security. Copies of relevant logs are to be saved until Security has completed its investigation. Security retains logs relevant to security incidents for at least six years.
- As logs themselves may contain sensitive information, such as account names, passwords, personal or financial information, and individual usage patterns, they and their backups must be stored securely.
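As an added illustration of the log review described in this section (not part of the UCSC document), the following Python reviews a constructed auth log for the password-guessing pattern that the lockout requirement in section 2 is meant to thwart: it flags any account/source pair that reaches a failure threshold within a time window, notes whether a later login from that pair succeeded (a finding to escalate), and also extracts privilege-elevation records. The syslog-style line format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-style lines with ISO timestamps); not from any real host.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd[2201]: Failed password for jdoe from 192.0.2.10 port 51022 ssh2
2024-03-01T09:00:04 host1 sshd[2201]: Failed password for jdoe from 192.0.2.10 port 51023 ssh2
2024-03-01T09:00:07 host1 sshd[2201]: Failed password for jdoe from 192.0.2.10 port 51024 ssh2
2024-03-01T09:00:10 host1 sshd[2201]: Failed password for jdoe from 192.0.2.10 port 51025 ssh2
2024-03-01T09:00:13 host1 sshd[2201]: Failed password for jdoe from 192.0.2.10 port 51026 ssh2
2024-03-01T09:00:20 host1 sshd[2201]: Accepted password for jdoe from 192.0.2.10 port 51027 ssh2
2024-03-01T09:05:00 host1 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
2024-03-01T10:00:00 host1 sshd[2300]: Failed password for asmith from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+: +(?P<msg>.*)$")          # timestamp host program: message
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+)")      # privilege elevation record

def parse_events(text):
    """Yield (timestamp, kind, user, ip_or_target) tuples; lines that match nothing are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.fromisoformat(m["ts"]), m["msg"]
        for kind, rx in (("fail", FAIL_RE), ("ok", OK_RE), ("elevate", SUDO_RE)):
            hit = rx.search(msg)
            if hit:                       # group 2 is the source IP, or the target user for sudo
                yield (ts, kind, hit["user"], hit.group(2))
                break

def review(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs reaching `threshold` failed logins inside `window` (the lockout
    condition) and record whether that pair later logged in successfully, which merits escalation."""
    recent = defaultdict(list)
    findings = {}
    for ts, kind, user, ip in events:
        key = (user, ip)
        if kind == "fail":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                findings.setdefault(key, {"failures": 0, "success_after": False})
                findings[key]["failures"] = len(recent[key])
        elif kind == "ok" and key in findings:
            findings[key]["success_after"] = True
    return findings
```

In practice the review runs over the real auth log rather than SAMPLE_LOG, and any finding with `success_after` set is the case to report to ITS Security along with a copy of the relevant log lines.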
15. Review of policy and effectiveness of implementation
- Develop procedures for regular, periodic review and update of local implementation of these practices and of local policies developed in support of these practices.
- Document compliance activities and their effectiveness.
GLOSSARY:
Please see ITS' online glossary for information about terms used in this document.
Rev. 6/12/08