Principle 3: Security is asset management

You would notice if your television was missing from your home. It is an asset, you spent money to purchase it, and you may even spend more money for extra television services. It provides entertainment. Therefore, you take measures to protect it; for example, you lock your door when you leave your home.

In information technology, we identify the assets used to conduct business transactions. We know the type of information being used, the servers that store and process that information, and who should be using the information. We also consider the value of the information and understand the controls and procedures to protect it. This is asset management.

The management of a system should include controls and procedures that secure information by considering how to Classify Information. Based on those classifications, the concepts of Least Privilege and Separation of Duties can be implemented. These concepts will help to limit who can access the information.

Classifying information

Determining the security of information requires an understanding of what you are trying to protect.

The Office of Cybersecurity currently classifies information as Restricted, Sensitive, Internal or Public. The text below describes the classifications and the information types associated with them.

Restricted information

Personally Identifiable Information (PII) and Protected Health Information (PHI) as defined by Wisconsin Statute 134.98 and the Health Insurance Portability and Accountability Act (HIPAA).

Examples:

  • Social Security number
  • Driver's license or state identification number
  • Financial account numbers
  • DNA profiles
  • Biometric Data
  • Protected Health Information (PHI)

Sensitive information

Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the University, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Internal information

Information that is accessible only to those with a reason to know it.

Examples:

  • Employee benefit statement
  • Unpublished research data
  • A student’s financial aid statement

Some information custodians may elect to protect their internal data, such as unpublished research information, with the same security controls and procedures used to protect Restricted Information.

Public information

Information that is intended to be accessed by the general public.

Examples:

  • Timetable
  • Women’s Basketball schedule
  • Campus directory

Read about Restricted data security standards.

Least privilege

Most people, without even really thinking about it, have implemented the concept of least privilege. If you lend your car to a friend, for example, you don’t give him or her your wallet or your house keys. Your friend gets the minimum necessary rights (ignition key) to access your car and only retains those rights for the shortest time necessary. That’s the principle of least privilege.

Least privilege also applies to information. Individuals should receive only the minimum privileges needed to access, modify, or delete information, and they should retain those privileges for the shortest duration possible.

To manage information access in a business application, the system may implement privilege management. A payroll clerk's access privilege might be to send money to your bank account; the clerk, however, does not have the privilege to withdraw money from your account. Privileges are granted through controls such as Roles, Permission Lists, and Access Control Lists.

Separation of duties

Separation of Duties, also sometimes called segregation of duties, organizes security so that a single person cannot carry out and conceal errors and/or irregularities as they perform their activities.

Staff working on a major software project, for example, should not have individual access to the production environment. That access should be divided among several people so that changes are visible to others and adequately tested. Separation of duties can prevent information breaches caused by malicious behavior and by human error.
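The payroll example above and the separation-of-duties rule can be expressed in a small privilege model. This is an added illustration, not code from the Office of Cybersecurity or any university system: the role names, privilege strings and the deposit/approve workflow are hypothetical. Roles grant only the privileges a job needs (least privilege), and a role assignment is refused when it would let one person both initiate and approve a payment (separation of duties).

```python
from dataclasses import dataclass, field

# Constructed example: a tiny privilege model for a hypothetical payroll
# application. Roles are the only way privileges are granted, and each
# role lists just the operations its holder needs (least privilege).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:deposit"},               # may send money to an account
    "payroll_auditor": {"payroll:approve", "payroll:read"},
    "account_owner": {"payroll:read"},                  # may view, never move, money
}

# Privilege pairs one person must never hold together (separation of
# duties): whoever initiates a payment cannot also approve it.
CONFLICTING_PRIVILEGES = [("payroll:deposit", "payroll:approve")]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def privileges(self) -> set:
        # Union of every assigned role's permissions; empty set if no roles.
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in self.roles))


def conflicts(user: User, role: str) -> list:
    """Return the conflicting pairs that adding `role` would create for `user`."""
    after = user.privileges() | ROLE_PERMISSIONS.get(role, set())
    return [(a, b) for a, b in CONFLICTING_PRIVILEGES if a in after and b in after]


def assign_role(user: User, role: str) -> None:
    """Grant a role only if it is known and creates no separation-of-duties conflict."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if conflicts(user, role):
        raise PermissionError(f"{user.name} may not hold {role} together with current roles")
    user.roles.add(role)


def is_allowed(user: User, privilege: str) -> bool:
    """Deny by default: a privilege is allowed only if some assigned role grants it."""
    return privilege in user.privileges()


def approve_deposit(initiator: User, approver: User, amount: int) -> bool:
    """A deposit goes through only with a distinct second person who can approve it."""
    if not is_allowed(initiator, "payroll:deposit"):
        return False
    if not is_allowed(approver, "payroll:approve"):
        return False
    if initiator.name == approver.name:
        return False  # one person on both sides defeats separation of duties
    return amount > 0
```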