Description

This classification level is used for data that can likely result in criminal or civil penalties if inappropriately handled. This is the highest level of classification for data, and use is limited to explicitly designated individuals with a stringent business requirement. Data in this category is specifically protected by federal or state law, and is typically subject to exacting breach notification requirements. Data in this category is never subject to release under open records laws, but may still be released due to a legal discovery process or court order.

Guidance

Corresponding Texas A&M System Classification: Confidential

Applicability

Examples of Critical data include (but are not limited to):

  • PERSONAL DATA

    • Information covered under a witness protection program
    • Child welfare and legal information and minors (juvenile justice, foster care and/or adoptions)

  • HEALTH DATA

    • Certain individually identifiable medical records and genetic information, categorized as extremely sensitive

  • RESEARCH DATA

    • Information classified under the Atomic Energy Act of 1954
    • Highly classified research
    • Information covered by the Invention Secrecy Act of 1951
    • Research information classified as Level 5 by an Institutional Review Board (IRB) or otherwise required to be stored or processed in a high security environment

  • ADMINISTRATIVE DATA

Implementation

  • 1

    ACCESS

    • 1.1

      Access to Critical data shall be limited to those with a documented business need, as determined by the Data Steward or a Data Manager.

    • 1.2

      In accordance with security control SA-4, access to Critical data must be granted only by explicit authorization.

    • 1.3

      Documentation of access authorization shall be maintained by the Data Steward or a Data Manager.

    • 1.4

      In accordance with security control AC-3, access to Critical data must be managed, monitored, and logged.

    • 1.5

      In accordance with security controls AU-6 and AU-11, access logs should be available for auditing and review, and retained for a time sufficient to support investigations of information security events.

    • 1.6

      In accordance with security control AC-19, any mobile computing device containing Critical data must be protected from unauthorized access by passwords or other means.

    • 1.7

      In accordance with security control IA-2, multifactor authentication is required to access Critical data.

    • 1.8

      In accordance with security control MA-2, any Critical data must be removed from associated media before equipment is removed from university facilities for off-site maintenance or repair.

    • 1.9

      In accordance with security control AC-4, access to Critical data must be controlled within a system and between interconnected systems.

    • 1.10

      In accordance with security controls AC-11, AC-12, and SC-10, information resources with Critical data must prevent access to the resource or terminate user sessions after a period of inactivity.

    • 1.11

      In accordance with security control PE-17, access to Critical data from alternate work sites must be strictly controlled and monitored.

    • 1.12

      In accordance with security control SC-2, information resources containing Critical data separate user functionality from system management functionality.

    • 1.13

      In accordance with security control SC-4, information resources containing Critical data prevent unauthorized transfer of information via shared system resources (e.g., registers, main memory, storage, etc.).

  • 2

    STORAGE

    • 2.1

      All information resources that store or process Critical information are defined as high impact resources. In accordance with SAP 29.01.03.M0.05, those information resources must reside in a Texas A&M enterprise data center.

    • 2.2

      Any information resources that store or process Controlled Unclassified Data must reside in the TAMUS Secure Computing Enclave as specified in System Regulation 15.05.02.

    • 2.3

      In accordance with security controls RA-2, AC-19, and SC-13, Critical data must be encrypted in storage.

    • 2.4

      In accordance with security controls AC-19 and MP-7, any removable computer media containing Critical data must be encrypted.

    • 2.5

      In accordance with security control MP-6, computer media containing Critical data must be protected prior to release to a third party.

    • 2.6

      In accordance with security control AC-19, unattended devices containing Critical data must be kept physically secured.

    • 2.7

      In accordance with security control AC-19, any information resource containing Critical data must be encrypted, updated, and protected with anti-virus software and a personal firewall—even personally-owned equipment.

    • 2.8

      In accordance with security control CM-3, information resources containing Critical data must implement a documented change control process.

    • 2.9

      In accordance with security control CM-5, physical and logical changes to the information resource are managed with a change control process.

    • 2.10

      In accordance with security control SC-28, information resources containing Critical data protect the integrity of the information at rest.

  • 3

    TRANSMISSION

    • 3.1

      In accordance with security controls SC-8 and SC-13, Critical data must be encrypted in transit.

    • 3.2

      In accordance with security control SC-8 and SAP 16.99.99.M0.28, Critical data transmitted in an email message must be encrypted.

    • 3.3

      In accordance with security control IA-3, information resources accessing Critical data across a network must be uniquely identified and authenticated.

    • 3.4

      In accordance with security control SC-23, Critical data transmitted across a network is protected at the session level rather than the packet level (e.g., end-to-end encryption).

  • 4

    MONITORING

    • 4.1

      In accordance with security controls SI-4, AU-2, AU-3, AU-4, AU-5, and AU-6, information resources containing Critical data must enable effective logging and monitoring of system and security events.

    • 4.2

      In accordance with security control AU-9, security logs must be protected from tampering and unauthorized access.

    • 4.3

      In accordance with security control AU-11, security logs must be retained for a time sufficient to support investigations of information security events.

    • 4.4

      In accordance with security control RA-2, information resources containing Critical data must use data loss prevention software that is provided and managed by the Division of IT.

    • 4.5

      In accordance with security control AU-7, information resources containing Critical data must provide logging capabilities that support investigations of information security events, and ensure that the original content and time ordering of logs remains unaltered.

    • 4.6

      In accordance with security control MA-3, information resources containing Critical data control and monitor the use of system maintenance tools.

  • 5

    INCIDENT REPORTING

    • 5.1

      In accordance with security control IR-6, any known or suspected unauthorized disclosure of Critical data must be reported to the CISO.

    • 5.2

      In accordance with security control IR-8, any known or suspected instance of unauthorized access or use of Critical data must be reported to the CISO.

    • 5.3

      In accordance with security control IR-3, the incident response capability of the organization is tested periodically.

  • 6

    DISPOSAL

    • 6.1

      In accordance with security controls MP-6 and MA-2, information resources containing Critical data must be sanitized prior to disposal or surplus.

  • 7

    OTHER

    • 7.1

      Information systems containing Critical data must be reported to the office of the Chief Information Security Officer (CISO).

    • 7.2

      In accordance with security control MP-3, media containing Critical data must be marked to indicate distribution and handling requirements.

    • 7.3

      In accordance with security controls MP-4 and MP-5, media containing Critical data must be physically protected during storage and transportation.

    • 7.4

      In accordance with security control PE-4, physical access to transmission media (e.g., cabling, wiring closets, etc.) used for Critical data must be controlled and monitored.

    • 7.5

      In accordance with security control PE-5, physical access to output devices (e.g., monitors, printers, copiers, etc.) used with Critical data must be controlled and monitored.

    • 7.6

      In accordance with security control SA-8, information resources used to store or process Critical data must be designed, developed, and implemented using documented security engineering principles.

    • 7.7

      In accordance with security control SC-18, mobile code technologies used to store or process Critical data must be controlled and monitored.

    • 7.8

      In accordance with security control SC-19, Voice over Internet Protocol (VoIP) technologies used to store or process Critical data must be controlled and monitored.