Examples of Critical data include (but are not limited to):

PERSONAL DATA

• ● Information covered under a witness protection program
  ● Child welfare and legal information and minors (juvenile justice, foster care and/or adoptions)

HEALTH DATA

• ● Certain individually identifiable medical records and genetic information, categorized as extremely sensitive

RESEARCH DATA

• ● Information classified under the Atomic Energy Act of 1954
  ● Highly classified research
  ● Information covered by the Invention Secrecy Act of 1951
  ● Research information classified as Level 5 by an Institutional Review Board (IRB) or otherwise required to be stored or processed in a high security environment
  

ADMINISTRATIVE DATA

• ● Classified National Security Information per Executive Order 13526
  ● Passwords for Department of Defense (DoD) or Department of State (DoS) workers or contractors
  ● Classified information relating to defense articles and defense services
  ● Controlled Unclassified Information received from a federal agency (regulated under 32 CFR Part 2002).

ACCESS

• 1.1

  Access to Critical data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.

• 1.2

  In accordance with security control SA-4, access to Critical data must be granted only by explicit authorization.

• 1.3

  Documentation of access authorization shall be maintained by the Data Steward or a Data Manager.

• 1.4

  In accordance with security control AC-3, access to Critical data must be managed, monitored, and logged.

• 1.5

  In accordance with security controls AU-6 and AU-11, access logs should be available for auditing and review, and retained for a time sufficient to support investigations of information security events.

• 1.6

  In accordance with security control AC-19, any mobile computing device containing Critical data must be protected from unauthorized access by passwords or other means.

• 1.7

  In accordance with security control IA-2, multifactor authentication is required to access Critical data.

• 1.8

  In accordance with security control MA-2, any Critical data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.

• 1.9

  In accordance with security control AC-4, access to Critical data must be controlled within a system and between interconnected systems.

• 1.10

  In accordance with security controls AC-11, AC-12, and SC-10, information resources with Critical data must prevent access to the resource or terminate user sessions after a period of inactivity.

• 1.11

  In accordance with security control PE-17, access to Critical data from alternate work sites must be strictly controlled and monitored.

• 1.12

  In accordance with security control SC-2, information resources containing Critical data separate user functionality from system management functionality.

• 1.13

  In accordance with security control SC-4, information resources containing Critical data prevent unauthorized transfer of information via shared system resources (e.g., registers, main memory, storage, etc).

STORAGE

• 2.1

  All information resources that store or process Critical information are defined as high impact resources. In accordance with SAP 29.01.03.M0.05, those information resources must reside in a Texas A&M enterprise data center.

• 2.2

  Any information resources that store or process Controlled Unclassified Data must reside in the TAMUS Secure Computing Enclave as specified in System Regulation 15.05.02.

• 2.3

  In accordance with security controls RA-2, AC-19, and SC-13, Critical data must be encrypted in storage.

• 2.4

  In accordance with security controls AC-19 and MP-7, any removable computer media containing Critical data must be encrypted.

• 2.5

  In accordance with security control MP-6, computer media containing Critical data must be protected prior to release to a third party.

• 2.6

  In accordance with security control AC-19, unattended devices containing Critical data must be kept physically secured.

• 2.7

  In accordance with security control AC-19, any information resource containing Critical data must be encrypted, updated, and protected with anti-virus software and a personal firewall—even personally-owned equipment.

• 2.8

  In accordance with security control CM-3, information resources containing Critical data must implement a documented change control process.

• 2.9

  In accordance with security control CM-5, physical and logical changes to the information resource are managed with a change control process.

• 2.10

  In accordance with security control SC-28, information resources containing Critical data protect the integrity of the information at rest.

TRANSMISSION

• 3.1

  In accordance with security controls SC-8 and SC-13, Critical data must be encrypted in transit.

• 3.2

  In accordance with security control SC-8 and SAP 16.99.99.M0.28, Critical data transmitted in an email message must be encrypted.

• 3.3

  In accordance with security control IA-3, information resources accessing Critical data across a network must be uniquely identified and authenticated.

• 3.4

  In accordance with security control SC-23, Critical data transmitted across a network is protected at a session, versus packet level (e.g., end-to-end encryption).

MONITORING

• 4.1

  In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information resources containing Critical data must enable effective logging and monitoring of system and security events.

• 4.2

  In accordance with security control AU-9, security logs must be protected from tampering and unauthorized access.

• 4.3

  In accordance with security control AU-11, security logs must be retained for a time sufficient to support investigations of information security events.

• 4.4

  In accordance with security control RA-2, information resources containing Critical data must use data loss prevention software that is provided and managed by the Technology Services.

• 4.5

  In accordance with security control AU-7, information resources containing Critical data must provide logging capabilities that support investigations of information security events, and ensure that the original content and time ordering of logs remains unaltered.

• 4.6

  In accordance with security control MA-3, information resources containing Critical data control and monitor the use of system maintenance tools.

INCIDENT REPORTING

• 5.1

  In accordance with security control IR-6, any known or suspected unauthorized disclosure of Critical data must be reported to the CISO.

• 5.2

  In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of Critical data must be reported to the CISO.

• 5.3

  In accordance with security control IR-3, the incident response capability of the organization is tested periodically.

DISPOSAL

• 6.1

  In accordance with security control MP-6 and MA-2, information resources containing Critical data must be sanitized prior to disposal or surplus.

OTHER

• 7.1

  Information systems containing Critical data must be reported to the office of the Chief Information Security Officer (CISO).

• 7.2

  In accordance with security control MP-3, media containing Critical data must be marked to indicate distribution and handling requirements.

• 7.3

  In accordance with security control MP-4 and MP-5, media containing Critical data must be physically protected during storage and transportation

• 7.4

  In accordance with security control PE-4, physical access to transmission media (e.g., cabling, wiring closets, etc.) used for Critical data must be controlled and monitored.

• 7.5

  In accordance with security control PE-5, physical access to output devices (e.g., monitors, printers, copiers, etc.) used with Critical data must be controlled and monitored.

• 7.6

  In accordance with security control SA-8, information resources used to store or process Critical data must be designed, developed, and implemented using documented security engineering principles.

• 7.7

  In accordance with security control SC-18, mobile code technologies used to store or process Critical data must be controlled and monitored.

• 7.8

  In accordance with security control SC-19, Voice over Internet Protocol (VoIP) technologies used to store or process Critical data must be controlled and monitored.