Description
Corresponding Texas A&M System Classification: Confidential
The university classification for Confidential data is aligned with Texas Administrative Code §202.74: “Information that must be protected from unauthorized disclosure or public release based on state or federal law or other legal agreement”.
Applicability
-
Examples of Confidential data include (but are not limited to):
-
PERSONAL DATA
-
● Student information covered under the Family Educational Rights and Privacy Act (FERPA) in accordance with SAP 13.02.99.M0.01
● Sensitive personal information as defined by Texas Government Code §521.002
● Government-issued identification numbers (e.g. SSN, drivers license, passport numbers)
-
-
HEALTH DATA
-
● Protected health information covered under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
● Personal health records not otherwise covered under HIPAA (e.g., HR records for individuals with disabilities)
-
-
FINANCIAL DATA
-
RESEARCH DATA
-
● Export controlled information covered under the International Traffic in Arms Regulation (ITAR) or Export Administration Regulations (EAR)
● Human subject data and IRB-controlled research data
● Most research data as defined by SAP 15.99.03.M1.03: “the recorded factual material commonly accepted in the scientific community as necessary to validate research findings.”
-
-
ADMINISTRATIVE DATA
-
● Records pertaining to information security process and protocols
● Authentication credentials or verifiers (e.g. passwords, passphrases, biometric information, private encryption keys, etc)
● Research Compliance & Administration records (contracts, grants, IRB documentation)
● Recordings or data from surveillance cameras (AVST installations)
-
Implementation
-
1
ACCESS
-
1.1
Access to Confidential data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.
-
1.2
In accordance with security control SA-4, access to Confidential data must be granted only by explicit authorization. Documentation of that authorization shall be maintained by the Data Steward or a Data Manager.
-
1.3
In accordance with security control AC-3, access to Confidential data must be managed, monitored, and logged.
-
1.4
In accordance with security controls AU-6 and AU-11, access logs should be available for auditing and review, and retained for a time sufficient to support investigations of information security events.
-
1.5
In accordance with security control AC-19, any mobile computing device containing Confidential data must be protected from unauthorized access by passwords or other means.
-
1.6
In accordance with security control IA-2, multifactor authentication is required to access Confidential data across the network.
-
1.7
In accordance with security control MA-2, any Confidential data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.
-
1.1
-
2
STORAGE
-
2.1
All information resources that store or process confidential information are defined as moderate impact resources at minimum. In accordance with SAP 29.01.03.M0.05, those information resources must reside in a Texas A&M enterprise data center.
-
2.2
In accordance with security controls RA-2, AC-19, and SC-13, Confidential data must be encrypted in storage.
-
2.3
In accordance with security controls AC-19 and MP-7, any removable computer media containing Confidential data must be encrypted.
-
2.4
In accordance with security control MP-6, computer media containing Confidential data must be protected prior to release to a third party.
-
2.5
In accordance with security control AC-19, unattended devices containing Confidential data must be kept physically secured.
-
2.6
In accordance with security control AC-19, any information resource containing Confidential data must be encrypted, updated, and protected with anti-virus software and a personal firewall—even personally-owned equipment.
-
2.7
In accordance with security control CM-3, information resources containing Confidential data must implement a documented change control process
-
2.1
-
3
TRANSMISSION
-
4
MONITORING
-
4.1
In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information systems containing Confidential data must enable effective logging and monitoring of system and security events.
-
4.2
In accordance with security control AU-9, security logs must be protected from tampering and unauthorized access.
-
4.3
In accordance with security control AU-11, security logs must be retained for a time sufficient to support investigations of information security events.
-
4.4
In accordance with security control RA-2, information resources containing Confidential data must use data loss prevention software that is provided and managed by the Technology Services.
-
4.1
-
5
INCIDENT REPORTING
-
5.1
In accordance with security control IR-6, any known or suspected unauthorized disclosure of Confidential data must be reported to the CISO.
-
5.2
In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of Confidential data must be reported to the CISO.
-
5.1
-
6
DISPOSAL