Title: Information Classification and Inventorying Information Systems Workshop
Information Classification and Inventorying Information Systems Workshop
Information Classification
- Identify Types
- Identify the Designee(s)
- Evaluate Importance of
  - Confidentiality
  - Integrity
  - Availability
- Classify
- Obtain Approval
- Communicate
Information Classification
- Handouts
  - SPICE EduGuide Information Classification
  - EG0003 - Information Classification Suggested Procedures
Information Classification 1. Identify Types
- The medical record
- Patient claims or billing information with PHI
- Patient/physician appointment schedules, patient demography and insurance information
- Physician patient care/patient management email
- Research information with PHI
- Department staff listing with Personal Identification Information
- Payroll with Personal Identification Information
- Benefactor information with Credit Card numbers
- Student names or UF Id with grades or financial aid information, or demography, race, religious affiliation
- De-identified clinical research information
- UF HSC endorsed and recommended general health information for the public
- Animal Protocols
- Animal Medical Records
- Budget Information
- Financial Reports
- UF HSC Clinic and Physician directory, maps to clinics
- Benefactor Information with names and addresses
- On Call Schedules

Personal Identification Information, as used above: a name in combination with a Social Security number, driver's license number or Florida Identification Card number, or an account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to an individual's financial account.
Information Classification 2. Identify Designee(s)
- Who are designees?
  - People designated by the President as having specific authorities, one of which is to establish information classification for information used in their college(s). This is a Dean, Director or Department Chair, and each Unit determines who holds this responsibility.
  - A Designee may delegate the authority to a delegate in their organization, but retains accountability.
Information Classification 2. Identify Designee(s)

| Information type | Designee |
|---|---|
| The medical record | D. White, MD |
| Patient claims or billing information with PHI | D. White, MD |
| Patient/physician appointment schedules | D. White, MD |
| Physician patient care/patient management email | D. White, MD |
| Research information with PHI | D. White, MD |
| Department staff listing with Personal Identification Information | T. Smith |
| Payroll with Personal Identification Information | T. Smith |
| Benefactor information with Credit Card numbers | A. Jones |
| Student names or UF Id with grades or financial aid | A. Jones |
| De-identified clinical research information | D. White, MD |
| UF HSC endorsed and recommended general health info | D. White, MD |
| Animal Protocols | C. Adams |
| Animal Medical Records | C. Adams |
| Budget Information | M. Brown |
| Financial Reports | M. Brown |
| UF HSC Clinic and Physician directory, maps to clinics | T. Smith |
| Benefactor Information with names and addresses | A. Jones |
| On Call Schedules | T. Smith |
Information Classification 3. Evaluate Importance of Confidentiality, Integrity and Availability

| Information type | Confidentiality | Integrity | Availability |
|---|---|---|---|
| The medical record | High | High | High |
| Patient claims or billing information with PHI | High | Medium | High |
| Patient/physician appointment schedules | High | Medium | High |
| Physician patient care/patient management email | High | High | High |
| Research information with PHI | High | High | High |
| Department staff listing with Personal Identification Info | High | Low | Low |
| Payroll with Personal Identification Information | High | Medium | High |
| Benefactor information with Credit Card numbers | High | High | Low |
| Student names or UF Id with grades or financial aid | High | Medium | Medium |
| De-identified clinical research information | Medium | High | Medium |
| UF HSC endorsed and recommended general health info | Low | High | Medium |
| Animal Protocols | Medium | High | Medium |
| Animal Medical Records | Medium | High | High |
| Budget Information | Medium | Medium | Medium |
| Financial Reports | Low | High | Low |
| UF HSC Clinic and Physician directory, maps to clinics | Low | Medium | Medium |
| Benefactor Information with names and addresses | Low | Medium | Low |
| On Call Schedules | Medium | Medium | Medium |
Information Classification 4. Classify
Use these rules to classify your information types as Restricted, Sensitive, Operational or Unrestricted.
Information Classification 4. Classify

| Information type | Confidentiality | Integrity | Availability | Classification |
|---|---|---|---|---|
| The medical record | High | High | High | Restricted |
| Patient claims or billing information with PHI | High | Medium | High | Restricted |
| Patient/physician appointment schedules | High | Medium | High | Restricted |
| Physician patient care/patient management email | High | High | High | Restricted |
| Research information with PHI | High | High | High | Restricted |
| Department staff listing with Personal Id Info | High | Low | Low | Restricted |
| Payroll with Personal Identification Information | High | Medium | High | Restricted |
| Benefactor information with Credit Card numbers | High | High | Low | Restricted |
| Student names or UF Id with grades or financial aid | High | Medium | Medium | Restricted |
| De-identified clinical research information | Medium | High | Medium | Sensitive |
| UF HSC endorsed general health info | Low | High | Medium | Sensitive |
| Animal Protocols | Medium | High | Medium | Sensitive |
| Animal Medical Records | Medium | High | High | Sensitive |
| Budget Information | Medium | Medium | Medium | Sensitive |
| Financial Reports | Low | High | Low | Sensitive |
| UF HSC Clinic and Physician directory, maps | Low | Medium | Medium | Operational |
| Benefactor Info with names and addresses | Low | Medium | Low | Operational |
| On Call Schedules | Medium | Medium | Medium | Operational |
Information Classification 5. Obtain Approvals

| Information type | Classification | Approver |
|---|---|---|
| The medical record | Restricted | D. White, MD |
| Patient claims or billing information with PHI | Restricted | D. White, MD |
| Patient/physician appointment schedules | Restricted | D. White, MD |
| Physician patient care/patient management email | Restricted | D. White, MD |
| Research information with PHI | Restricted | D. White, MD |
| Department staff listing with Personal Identification Info | Restricted | T. Smith |
| Payroll with Personal Identification Information | Restricted | T. Smith |
| Benefactor information with Credit Card numbers | Restricted | A. Jones |
| Student names or UF Id with grades or financial aid | Restricted | A. Jones |
| De-identified clinical research information | Sensitive | D. White, MD |
| UF HSC endorsed and recommended general health info | Sensitive | D. White, MD |
| Animal Protocols | Sensitive | C. Adams |
| Animal Medical Records | Sensitive | C. Adams |
| Budget Information | Sensitive | M. Brown |
| Financial Reports | Sensitive | M. Brown |
| UF HSC Clinic and Physician directory, maps to clinics | Operational | T. Smith |
| Benefactor Information with names and addresses | Operational | A. Jones |
| On Call Schedules | Operational | T. Smith |
Information Classification 6. Communicate
- WHO NEEDS TO KNOW?
  - Information custodians
  - System administrators
  - Application developers and support staff
  - Vendors
  - Users
Information Classification 6. Communicate
- HOW CAN WE TELL THEM?
  - Post on the departmental web site, announce
  - Print and distribute (e.g. small laminated cards, bulletin board display, posters)
  - Department staff meetings
  - Reminders
- Label
  - Forms
  - Footers in electronic and printed documents
  - Footers on application screens/web pages
  - Signs in physical locations: Restricted Area, Authorized Personnel Only
Information Classification: Other Uses
- Educated users are our allies
- Security controls design decisions, for example:
  - Need for redundancy: if the importance of availability is low, the cost of redundancy can be avoided.
  - Where to place authentication and authorization controls: if information needs to be highly accurate (integrity is high) but widely accessible (confidentiality is low), we restrict who may change or publish the information, but not who may view it (e.g. general health information published on an HSC web site for community use).
Questions?
Information Systems Inventory
- Why Inventory?
- What is an Information System?
- Device Inventory
- Software Inventory
- Mission Crucial Systems
Information Systems Inventory Handouts
- Device and Software Inventory Template
- Crucial Information Systems Inventory Template
Why Inventory?
- Can't protect it if you don't know
  - What you have
  - Where it is
- Avoid friendly fire (from the incident response team)
- Document ownership and accountability
- Improve service
Information System Definition
- An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
  (National Institute of Standards and Technology, Computer Security Division; 45 CFR Part 164, Subpart C, §164.304 Definitions)
What Does an Information System Look Like?
(diagram: networked user workstations and servers)
Devices: Servers and Workstations
- Unique Identifier (machine or DNS name, static IP, MAC address)
- OS
- Type (desktop, mobile, server, networking, security appliance)
- User (if end user workstation)
- System Administrator
- Location
- Is it Crucial?
- Does it store restricted information?
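A script that collects the identifier fields listed above from the local machine, merges them with the fields only a person can supply, and checks the record before it goes into the inventory. This is an example added here, not a UF HSC tool: the field names, the CSV layout, the choice of identifier and the validation rules are all assumptions. It uses only the Python standard library.

```python
"""Collect and validate a device inventory record with the fields on this
slide. Added example, not from the workshop: field names, CSV layout and
validation rules are assumptions. Standard library only."""
import csv
import io
import platform
import socket
import uuid

FIELDS = ["identifier", "dns_name", "ip", "mac", "os", "type", "user",
          "sysadmin", "location", "crucial", "stores_restricted"]
TYPES = {"desktop", "mobile", "server", "networking", "security appliance"}


def format_mac(node):
    """Render a 48-bit integer (as returned by uuid.getnode()) as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_is_real(node):
    """uuid.getnode() returns a random number with the multicast bit (bit 40)
    set when it cannot find a hardware address; a real MAC has that bit clear."""
    return (node >> 40) & 0x01 == 0


def collect_local():
    """Identifiers for the machine this runs on (live collection)."""
    host = socket.gethostname()
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror:
        ip = ""
    node = uuid.getnode()
    return {"dns_name": host, "ip": ip,
            "mac": format_mac(node) if mac_is_real(node) else "",
            "os": f"{platform.system()} {platform.release()}"}


def build_record(collected, dev_type, sysadmin, location, crucial,
                 stores_restricted, user=""):
    """Merge collected identifiers with the fields only a human can supply."""
    rec = dict.fromkeys(FIELDS, "")
    rec.update(collected)
    rec.update(type=dev_type, user=user, sysadmin=sysadmin, location=location,
               crucial=crucial, stores_restricted=stores_restricted)
    # Prefer a stable name over an address: DHCP clients have no static IP.
    rec["identifier"] = rec["dns_name"] or rec["mac"] or rec["ip"]
    return rec


def validate(rec):
    """Return the list of reasons a record is not ready for the inventory."""
    problems = []
    if not rec["identifier"]:
        problems.append("no unique identifier (DNS name, MAC or static IP)")
    if rec["type"] not in TYPES:
        problems.append(f"unknown device type {rec['type']!r}")
    if rec["type"] in {"desktop", "mobile"} and not rec["user"]:
        problems.append("end-user workstation without a named user")
    if not rec["sysadmin"]:
        problems.append("no system administrator")
    if not rec["location"]:
        problems.append("no location")
    return problems


def to_csv(records):
    """Serialise records in FIELDS order, booleans as yes/no."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    for rec in records:
        row = dict(rec)
        for f in ("crucial", "stores_restricted"):
            row[f] = "yes" if row[f] else "no"
        w.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    rec = build_record(collect_local(), "desktop", sysadmin="T. Smith",
                       location="Room 101", crucial=False,
                       stores_restricted=False, user="jdoe")
    print(to_csv([rec]))
    print("problems:", validate(rec) or "none")
```

The MAC check matters because uuid.getnode() silently substitutes a random value when it finds no interface; recording that value would give the device a different "identifier" on every run.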
End User Workstation Software Inventory Strategies
- Search and destroy
  - Armed with lists of unauthorized and permitted software, and a policy requiring restricted information to be secured, eliminate rather than inventory workstation software (note that user involvement is required).
- Promote desktops as access devices rather than storage
  - To the extent possible, everything on a workstation should be dispensable.
Software
- Product names (rather than every software program)
- Installation Date
- Version
- Processes Restricted Information?
- Device(s) where installed
- Is it Crucial?
- Type (office automation, application, data, interface, infrastructure, security control)
- Life cycle status (development, alpha/beta, implementation, general availability, to be replaced, retired)
- Developer (who do bug fixes and updates come from?)
- Support contact, if different from you
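One worked example covering the two slides above, the "search and destroy" pass over workstations and the product-level software inventory, added here as illustration rather than a UF HSC tool. The installed-software export, the device types, the permitted and prohibited lists and every product and device name are constructed; the three finding actions are an assumed encoding of the slides' advice.

```python
"""Software inventory plus 'search and destroy' audit from an
installed-software export. Added example, not from the workshop; the
export, product names, device names and lists are constructed."""
import csv
import io

# Constructed export: one row per (device, installed product), the shape an
# Add/Remove Programs or package-manager dump would take.
EXPORT = """\
device,product,version,install_date
ws-101,Office Suite,11.0,2005-03-02
ws-101,Web Browser,1.5,2005-09-14
ws-101,FileShare P2P,3.1,2005-10-01
ws-102,Office Suite,11.0,2005-03-02
ws-102,Unknown Toolbar,2.0,2005-10-20
ws-102,Database Server,9.0,2005-08-15
srv-db1,Database Server,9.0,2004-11-30
srv-db1,Office Suite,11.0,2005-03-02
"""

# Device types taken from the device inventory (constructed).
DEVICE_TYPE = {"ws-101": "desktop", "ws-102": "desktop", "srv-db1": "server"}

# Permitted products and the attributes the software inventory tracks.
PERMITTED = {
    "Office Suite":    {"type": "office automation", "restricted": False, "crucial": False},
    "Web Browser":     {"type": "office automation", "restricted": False, "crucial": False},
    "Database Server": {"type": "infrastructure",    "restricted": True,  "crucial": True},
}
# Products to remove on sight rather than inventory.
PROHIBITED = {"FileShare P2P"}


def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, permitted, prohibited, device_type):
    """Return (inventory keyed by product, findings as (device, product, action)).

    Actions: 'remove' for prohibited software; 'review' for software on
    neither list (this is where the user has to be involved); and
    'move restricted data off workstation' when a product that processes
    restricted information sits on a desktop or mobile device, which should
    be an access device, not storage."""
    inventory = {}
    findings = []
    for r in rows:
        dev, name = r["device"], r["product"]
        if name in prohibited:
            findings.append((dev, name, "remove"))
            continue
        if name not in permitted:
            findings.append((dev, name, "review"))
            continue
        attrs = permitted[name]
        # One record per product, not per installation: collect versions and
        # devices, and keep the earliest installation date.
        rec = inventory.setdefault(name, {
            "product": name, "versions": set(), "devices": set(),
            "first_install": r["install_date"], **attrs})
        rec["versions"].add(r["version"])
        rec["devices"].add(dev)
        rec["first_install"] = min(rec["first_install"], r["install_date"])
        if attrs["restricted"] and device_type.get(dev) in {"desktop", "mobile"}:
            findings.append((dev, name, "move restricted data off workstation"))
    return inventory, findings


def report(inventory, findings):
    lines = ["product | versions | type | restricted | crucial | devices"]
    for rec in sorted(inventory.values(), key=lambda x: x["product"]):
        lines.append("{product} | {v} | {type} | {restricted} | {crucial} | {d}".format(
            v=",".join(sorted(rec["versions"])), d=",".join(sorted(rec["devices"])), **rec))
    lines.append("")
    lines.extend(f"{dev}: {name} -> {action}" for dev, name, action in findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*audit(parse_export(EXPORT), PERMITTED, PROHIBITED, DEVICE_TYPE)))
```

Prohibited and unrecognised software never enters the inventory, which is the point of eliminating rather than inventorying; only what is permitted is tracked, and it is tracked per product with the devices it is installed on, matching the fields on the Software slide.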
Crucial Information Systems Inventory
- Information System Name
- Business function
- Restricted Information?
- Unique identity of each of the servers that make up the information system
- Location
- External information system dependencies
- Contact
  - ISM
  - System Administrator
- Recoverability Objective
- Contingency Plan status
Crucial Information Systems Registered with the HSC Security Office
- Will not be disconnected without contacting the ISM or System Administrator
- Must have a 7x24 contact
- Must have a contingency plan to
  - recover expediently from a compromised host or a virus infection
  - be prepared to notify victims of a privacy breach
Timing
- Information Classification
  - Steps 1-4 (through Classify): November 15, 2005
  - Step 5 (Approval): November 30, 2005
  - Step 6 (Communication to custodians, users)
    - Campaign through end of January, 2006
    - Reminders ongoing
- Crucial Information Systems
  - Create inventory records: December 31, 2005
  - Report submitted to HSC Security Office: December 31, 2005
    - Required for the HSC Risk Assessment in January, 2006
Questions?