Information Security Standards

This article introduces the Information Security Standards, their security objectives, and the process for requesting an exception to a Standard. It includes links to the Standards for systems with restricted data and for systems with confidential or internal data, and a glossary of terms at the end.

Detailed Information

I. Introduction of Standards

Information Security Standards support the security posture of the University of Maine System (“the University”). These Standards specify a required level of attainment of University security controls, and prescribe ways in which the University will enforce the Information Security Policy.

University entities may adopt supplemental standards, so long as they do not lessen or contradict the University Information Security Policy and these Standards.

Standards are consistent with, and derived from, recognized standards organizations, including but not limited to, the National Institute of Standards (NIST), International Organization for Standards (ISO), and Federal Information Processing Standards (FIPS).

II. Security Objectives

The security objectives for information and information systems are:

CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

AVAILABILITY: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

III. Standards

The UMS Security Standards are based on NIST 800-171; however, not all controls are currently required, which results in gaps in the numbering sequence.

The applicable Standards depend on the data classification identified in APL VI-I: Data Classification.

The following are Standards for attainment of University Information Security Policy controls:

A. Security Standards for Systems with Restricted Data

B. Security Standards for Systems with Confidential or Internal Data

IV.  Exceptions to Standards

Information security and support considerations such as regulatory compliance, confidentiality, data integrity, and availability are most easily met when University users employ centrally supported standards. However, it is understood that standards may not always be feasible or appropriate for a particular user, department, or campus. Exceptions from these Standards may be considered when there is a justifiable business and/or research case, resources are sufficient to properly implement and maintain the alternate configuration, the exception process is followed, and other University policies and standards are upheld.

Request for exception from Standards

Users will submit a Standards Exception Request to their supervisor or Department Chair. The supervisor or Department Chair will then decide whether there is a business case for the exception and forward it to the Information Security Office to determine whether it is a pre-approved exception and/or whether it meets the criteria for pre-approval. If it is not one of the pre-approved exceptions, the Information Security Office will either authorize the exception or submit the Standards Exception Request to the authorizing individual(s). If the Standards Exception Request is approved, it is then determined whether the entity requesting the exception has access to sensitive data. If so, the request will be authorized by an identified and designated individual or entity.

Information to include in an exception request

The Exception Request should contain the following information:

  • For which system(s) is the exception requested?
  • What is the reason an exception is being requested? What is the business case?
  • Who or what is requesting the exception?
  • Is the exception intended to be short term or permanent?
  • By when is the exception needed?

Questions that will be considered upon receiving a request:

  • What is the estimated impact/risk?
  • Is there another way to effectively handle the business case?
  • What methods are available to roll back the exception if needed?
  • Has the exception been tested?
  • Is it technically feasible?
  • Is it practical to maintain?
  • Is there a financial cost involved in the exception?
  • What is the time schedule for implementation?

V.  Contact Information

For questions or comments on these Standards, please contact the Information Security Office at infosecurity@maine.edu or 207-581-9105.

VI.  Glossary of Terms

Accountability: A process of holding users responsible for actions performed on an information system.

Adverse Effect: A harmful or abnormal result. FIPS 199 defines the following examples of adverse effect, corresponding to the potential impact levels (LOW, MODERATE, or HIGH), with respect to the likelihood of compromise.

Limited adverse effect: The loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Serious adverse effect: The loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

Severe or catastrophic adverse effect: The loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Alternative work site: Any working area that is attached to the wide area network either through a public switched data network or through the Internet.

Audit: An independent examination of security controls associated with a representative subset of organizational information systems to determine the operating effectiveness of system controls; to ensure compliance with established policy and operational procedures; and to recommend changes in controls, policy, or procedures where needed.

Authentication: Verification of the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system; see Identification.

Authorization: Access privileges granted to a user, program, or process.

Availability: Timely, reliable access to information and information services for authorized users.

Baseline security requirements: A description of the minimum security requirements necessary for an information system to enforce the security policy and maintain an acceptable risk level.

Compromise: The disclosure of sensitive information to persons not authorized to receive such information.

Confidentiality: The preservation of authorized restrictions on information access and disclosure.

Configuration management: A structured process of managing and controlling changes to hardware, software, firmware, communications, and documentation throughout the system development life cycle.

Cryptography: The process of rendering plain text information unreadable and restoring such unreadable information to a readable form.

Data: A representation of facts, concepts, information, or instruction suitable for communication, processing, or interpretation by people or information systems.

Decryption: The process of converting encrypted information into a readable form. This term is also referred to as deciphering.

Encryption: See Cryptography.

External network: Any network that resides outside the security perimeter established by the telecommunications system.

External information systems: See Non-Agency-Owned Equipment.

Firewall: Telecommunication device used to regulate logical access authorities between network systems.

Identification: A mechanism used to request access to system resources by providing a recognizable unique form of identification such as a Login ID, User ID, or token; see Authentication.

[User] Identifier: A unique string of characters used by an information system to identify a user or process for authentication.

Information: See Data.

Information system: A collection of computer hardware, software, firmware, applications, information, communications, and personnel organized to accomplish a specific function or set of functions under direct management control.

Integrity: The protection of information systems and information from unauthorized modification to ensure the quality, accuracy, completeness, nonrepudiation, and authenticity of information.

Internet: Two or more networks connected by a router; the world’s largest network, which uses TCP/IP to connect government, university, and commercial institutions.

[Cryptographic] Key: Information used to establish and periodically change the operations performed in cryptographic devices for the purpose of encrypting and decrypting information.

Least privilege: A security principle under which users or processes are assigned the most restrictive set of privileges necessary to perform routine job responsibilities.

Malicious code (Malware): Rogue computer programs designed to inflict harm by diminishing the confidentiality, integrity, and availability of information systems and information.

Network: A communications infrastructure and all components attached thereto whose primary objective is to transfer information among a collection of interconnected systems. Examples of networks include local area networks, wide area networks, metropolitan area networks, and wireless area networks.

Non-Agency-Owned Equipment: Any technology used to receive, process, store, or transmit information that is not owned and managed by the agency but is owned by a contractor and centrally managed by their own IT department.

Non-repudiation: The use of audit trails or secure messaging techniques to ensure the origin and validity of source and destination targets (i.e., senders and recipients of information cannot deny their actions).

Organization: An agency or, as appropriate, any of its operational elements.

Password: A private, protected, alphanumeric string used to authenticate users or processes to information system resources.

Potential impact: The loss of confidentiality, integrity, or availability that could be expected to have a limited adverse effect, a serious adverse effect, or a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Privileged user: A user that has advanced privileges with respect to computer systems. Such users in general include administrators.

Protocol: A set of rules and standards governing the communication process between two or more network entities.

Risk: The potential adverse impact on the operation of information systems, which is affected by threat occurrences on organizational operations, assets, and people.

Risk assessment: The process of analyzing threats to and vulnerabilities of an information system to determine the potential magnitude of harm, and identify cost effective countermeasures to mitigate the impact of such threats and vulnerabilities.

Router: A device that forwards data packets between computer networks, creating an overlay internetwork.

Safeguard: A protective measure prescribed to enforce the security requirements specified for an information system; synonymous with security control and countermeasure.

Security policy: The set of laws, rules, directives and practices governing how organizations protect information systems and information.

System: See Information system.

Threat: An activity, event, or circumstance with the potential for causing harm to information system resources.

User: A person or process authorized to access an information system.

Voice over Internet Protocol (VoIP): A methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet protocol networks, such as the Internet.

Vulnerability: A known deficiency in an information system, which threat agents can exploit to gain unauthorized access to sensitive or classified information.

Details

Article ID: 173712
Created: Thu 7/10/25 1:35 PM
Modified: Fri 7/11/25 10:58 AM