PLEASE NOTE: This policy is published as a binding draft while under campus review. To submit feedback on the draft policy and related documents, please use the feedback form.
The Foundational Information Security Controls specify that institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. Specific technical controls apply to each category. Data Stewards are responsible for categorizing the institutional information and research data under their purview. Custodians are responsible for applying the security controls associated with each data category.
FIPS Publication 199 (FIPS-199) provides federal standards for categorizing information and information systems, and will be used by the University as a basis for Institutional Information, Research Data and Information System categorization.
In addition to the FIPS categories outlined below, institutional information and research data may carry other tags with special requirements, such as HIPAA, PCI DSS, or CUI. Controls may need to be augmented to address all applicable requirements.
1. Security Objectives
The categorization scheme defines three security objectives for information and information systems:
Confidentiality
"Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information."
(i.e. The only people who have access to the information are the ones who should have access to it.)
Integrity
"Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity."
(i.e. Information is attributable, accurate and reliable.)
Availability
"Ensuring timely and reliable access to and use of information."
(i.e. Information is available when you need it.)
2. Potential Impact
The categorization scheme defines the following levels of potential impact for each security objective. Any one of the listed potential impacts is sufficient to indicate that level.
Where the impact varies among levels, Data Stewards should use the highest impact to determine the overall level (the "high-water mark").
Examples and baseline security controls that apply to each category are included, but not intended as an exhaustive list of information and data types or control standards for each category.
Low
The loss of confidentiality, integrity, or availability could have a minimal adverse effect on the campus. Potential impact might include:
- Minor harm to individuals
- Minor degradation in operational functions of an area
- Minor damage to assets
- Minor financial loss
- Minor impact to reputation
- Minor to negligible impact to missions
- May be somewhat difficult to recover from
Security Controls for Low
Institutional information and research data categorized as Low shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, data use and research agreements, and Data Stewards.
Examples for Low:
- Staff meeting notes
- Business process documentation
Moderate
The loss of confidentiality, integrity, or availability could have a significant adverse effect on the campus. Potential impact might include:
- Significant harm to individuals that does not involve loss of life or serious life-threatening injuries
- Significant degradation in operational functions that reduces the effectiveness of an area
- Significant damage to assets
- Significant financial loss
- Significant impact to reputation
- Significant impact to missions
- May be difficult but not impossible to recover from
Security Controls for Moderate
Institutional information and research data categorized as Moderate shall be protected at a minimum with the Foundational Information Security Controls. Additional controls may be specified by law, regulation, data use and research agreements, and Data Stewards.
Examples for Moderate:
- Education records under FERPA [Family Educational Rights & Privacy Act]:
- Any current or past student’s: grades, class schedule, advising record, degree progress, academic load, class and grade rosters, University bill and payments, Financial Aid application and awards, loan information, sponsorship and scholarship information, UMassPass transactions, housing assignments, holds, and service indicators, etc.
- Restricted directory information. Note: Under FERPA, directory information is public unless a student chooses to withhold it.
- Under University policy:
- Applicants’ names, test scores, recommendations, and other application materials
High
The loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on the campus. Potential impact might include:
- Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
- Severe degradation in operational functions that critically reduces the effectiveness or completely disrupts an area
- Severe damage to assets
- Severe financial loss
- Severe impact to reputation
- Severe impact to missions
- May be very difficult or impossible to recover from
Security Controls for High
Institutional information and research data categorized as High shall be protected at a minimum with the Foundational Information Security Controls, including encryption at rest and in transit. Additional controls may be specified by law, regulation, data use and research agreements, and Data Stewards.
Examples for High:
- Medical records
PHI (Protected Health Information) as defined under HIPAA/HITECH (Health Insurance Portability & Accountability Act / Health Information Technology for Economic and Clinical Health Act)
- Personal information (as defined in M.G.L. 93H, the Massachusetts data breach law)
An individual's name in combination with:
- Social Security Number
- Driver’s License Number
- State Identification Card Number
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
- Financial information
- Credit card numbers (under PCI DSS and M.G.L. 93H)
- Bank account numbers (under M.G.L. 93H)
- Other financial records, e.g., debit card and other financial account numbers (under M.G.L. 93H)
- Protected Research Data
Research data with specific compliance requirements imposed by law, regulation, data use agreements, research contracts, etc.
N/A (Not Applicable)
In some instances, where information is publicly available, there is no potential impact to the University from a loss of confidentiality, so the confidentiality rating can be N/A (Not Applicable). The N/A designation applies only to the confidentiality objective; the integrity and availability objectives must still be rated, and N/A says nothing about the information's importance to the University in other respects, such as general operations or reputation. It refers to public information the University has no legal, regulatory, policy, or contractual obligation to keep confidential.
Examples of N/A:
- Student directory information (unless restricted), as defined by the University.
- Campus maps
3. Related Documents
- ITS-006: Information Security Policy
- Information Management
- Information Security Controls
- Institutional Information, Research Data and Information Systems Categorization Process
The UMass campuses strive to maintain consistent IT policies. The Information Security Policy and related documents have been adopted with permission from UMass Amherst.