Information Classification and Inventorying Information Systems Workshop - PowerPoint PPT Presentation

1
Information Classification and Inventorying
Information Systems Workshop
  • October, 2005

2
Information Classification
  • Identify Types
  • Identify the Designee(s)
  • Evaluate Importance of
  • Confidentiality
  • Integrity
  • Availability
  • Classify
  • Obtain Approval
  • Communicate

3
Information Classification
  • Handouts
  • SPICE EduGuide Information Classification EG0003
  • Information Classification Suggested Procedures

4
Information Classification 1. Identify Types
  • The medical record
  • Patient claims or billing information with PHI
  • Patient/physician appointment schedules; patient
    demography and insurance information
  • Physician patient care/patient management email
  • Research information with PHI
  • Department staff listing with Personal
    Identification Information
  • Payroll with Personal Identification Information
  • Benefactor information with Credit Card numbers
  • Student names or UF Id with grades or financial
    aid information or demography, race, religious
    affiliation
  • De-identified clinical research information
  • UF HSC endorsed and recommended general health
    information for public
  • Animal Protocols
  • Animal Medical Records
  • Budget Information
  • Financial Reports
  • UF HSC Clinic and Physician directory, maps to
    clinics
  • Benefactor Information with names and addresses
  • On Call Schedules

Name in combination with Social Security
number, or driver's license number or Florida
Identification Card number, or account number,
credit card number, or debit card number, in
combination with any required security code,
access code or password that would permit access
to an individual's financial account.
5
Information Classification 2. Identify Designee(s)
  • Who are designees?
  • People designated by the President as having
    specific authorities, one of which is to
    establish the information classification for
    information used in their college(s). This is a
    Dean, Director or Department Chair; each Unit
    determines who holds this responsibility.
  • A Designee may delegate the authority to a
    delegate in their organization, but retains
    accountability.

6
Information Classification 2. Identify Designee(s)
  • The medical record: D. White, MD
  • Patient claims or billing information with PHI: D. White, MD
  • Patient/physician appointment schedules: D. White, MD
  • Physician patient care/patient management email: D. White, MD
  • Research information with PHI: D. White, MD
  • Department staff listing with Personal Identification Information: T. Smith
  • Payroll with Personal Identification Information: T. Smith
  • Benefactor information with Credit Card numbers: A. Jones
  • Student names or UF Id with grades or financial aid: A. Jones
  • De-identified clinical research information: D. White, MD
  • UF HSC endorsed and recommended general health info.: D. White, MD
  • Animal Protocols: C. Adams
  • Animal Medical Records: C. Adams
  • Budget Information: M. Brown
  • Financial Reports: M. Brown
  • UF HSC Clinic and Physician directory, maps to clinics: T. Smith
  • Benefactor Information with names and addresses: A. Jones
  • On Call Schedules: T. Smith

7
Information Classification 3. Evaluate Importance of
  • Rating shown: Confidentiality
  • The medical record: High
  • Patient claims or billing information with PHI: High
  • Patient/physician appointment schedules: High
  • Physician patient care/patient management email: High
  • Research information with PHI: High
  • Department staff listing with Personal Identification Info: High
  • Payroll with Personal Identification Information: High
  • Benefactor information with Credit Card numbers: High
  • Student names or UF Id with grades or financial aid: High
  • De-identified clinical research information: Medium
  • UF HSC endorsed and recommended general health info: Low
  • Animal Protocols: Medium
  • Animal Medical Records: Medium
  • Budget Information: Medium
  • Financial Reports: Low
  • UF HSC Clinic and Physician directory, maps to clinics: Low
  • Benefactor Information with names and addresses: Low
  • On Call Schedules: Medium

8
Information Classification 3. Evaluate Importance of
  • Ratings shown: Confidentiality / Integrity
  • The medical record: High / High
  • Patient claims or billing information with PHI: High / Medium
  • Patient/physician appointment schedules: High / Medium
  • Physician patient care/patient management email: High / High
  • Research information with PHI: High / High
  • Department staff listing with Personal Identification Info: High / Low
  • Payroll with Personal Identification Information: High / Medium
  • Benefactor information with Credit Card numbers: High / High
  • Student names or UF Id with grades or financial aid: High / Medium
  • De-identified clinical research information: Medium / High
  • UF HSC endorsed and recommended general health info: Low / High
  • Animal Protocols: Medium / High
  • Animal Medical Records: Medium / High
  • Budget Information: Medium / Medium
  • Financial Reports: Low / High
  • UF HSC Clinic and Physician directory, maps to clinics: Low / Medium
  • Benefactor Information with names and addresses: Low / Medium
  • On Call Schedules: Medium / Medium

9
Information Classification 3. Evaluate Importance of
  • Ratings shown: Confidentiality / Integrity / Availability
  • The medical record: High / High / High
  • Patient claims or billing information with PHI: High / Medium / High
  • Patient/physician appointment schedules: High / Medium / High
  • Physician patient care/patient management email: High / High / High
  • Research information with PHI: High / High / High
  • Department staff listing with Personal Identification Info: High / Low / Low
  • Payroll with Personal Identification Information: High / Medium / High
  • Benefactor information with Credit Card numbers: High / High / Low
  • Student names or UF Id with grades or financial aid: High / Medium / Medium
  • De-identified clinical research information: Medium / High / Medium
  • UF HSC endorsed and recommended general health info: Low / High / Medium
  • Animal Protocols: Medium / High / Medium
  • Animal Medical Records: Medium / High / High
  • Budget Information: Medium / Medium / Medium
  • Financial Reports: Low / High / Low
  • UF HSC Clinic and Physician directory, maps to clinics: Low / Medium / Medium
  • Benefactor Information with names and addresses: Low / Medium / Low
  • On Call Schedules: Medium / Medium / Medium

10
Information Classification 4. Classify
Use these rules to classify your information
types as Restricted, Sensitive, Operational or
Unrestricted.
11
Information Classification 4. Classify
  • Columns shown: Confidentiality / Integrity / Availability / Classification
  • The medical record: High / High / High / Restricted
  • Patient claims or billing information with PHI: High / Medium / High / Restricted
  • Patient/physician appointment schedules: High / Medium / High / Restricted
  • Physician patient care/patient management email: High / High / High / Restricted
  • Research information with PHI: High / High / High / Restricted
  • Department staff listing with Personal Id Info: High / Low / Low / Restricted
  • Payroll with Personal Identification Information: High / Medium / High / Restricted
  • Benefactor information with Credit Card numbers: High / High / Low / Restricted
  • Student names or UF Id with grades or financial aid: High / Medium / Medium / Restricted
  • De-identified clinical research information: Medium / High / Medium / Sensitive
  • UF HSC endorsed general health info: Low / High / Medium / Sensitive
  • Animal Protocols: Medium / High / Medium / Sensitive
  • Animal Medical Records: Medium / High / High / Sensitive
  • Budget Information: Medium / Medium / Medium / Sensitive
  • Financial Reports: Low / High / Low / Sensitive
  • UF HSC Clinic and Physician directory, maps: Low / Medium / Medium / Operational
  • Benefactor Info with names and addresses: Low / Medium / Low / Operational
  • On Call Schedules: Medium / Medium / Medium / Operational

12
Information Classification 5. Obtain Approvals
  • Columns shown: Classification; approved by
  • The medical record: Restricted; D. White, MD
  • Patient claims or billing information with PHI: Restricted; D. White, MD
  • Patient/physician appointment schedules: Restricted; D. White, MD
  • Physician patient care/patient management email: Restricted; D. White, MD
  • Research information with PHI: Restricted; D. White, MD
  • Department staff listing with Personal Identification Info: Restricted; T. Smith
  • Payroll with Personal Identification Information: Restricted; T. Smith
  • Benefactor information with Credit Card numbers: Restricted; A. Jones
  • Student names or UF Id with grades or financial aid: Restricted; A. Jones
  • De-identified clinical research information: Sensitive; D. White, MD
  • UF HSC endorsed and recommended general health info.: Sensitive; D. White, MD
  • Animal Protocols: Sensitive; C. Adams
  • Animal Medical Records: Sensitive; C. Adams
  • Budget Information: Sensitive; M. Brown
  • Financial Reports: Sensitive; M. Brown
  • UF HSC Clinic and Physician directory, maps to clinics: Operational; T. Smith
  • Benefactor Information with names and addresses: Operational; A. Jones
  • On Call Schedules: Operational; T. Smith

13
Information Classification 5. Communicate
  • WHO NEEDS TO KNOW?
  • Information custodians
  • System administrators
  • Application developers and support staff
  • Vendors
  • Users

14
Information Classification Communicate
  • HOW CAN WE TELL THEM?
  • Post on departmental web site, announce
  • Print and distribute (i.e. small laminated cards,
    bulletin board display, posters)
  • Department staff meetings
  • Reminders
  • Label
    • Forms
    • Footers in electronic and printed documents
    • Footers on application screens/web pages
  • Signs in physical locations
    • Restricted Area
    • Authorized Personnel Only

15
Information Classification Other Uses
  • Educated users are our allies
  • Security controls design decisions, for example:
    • Need for redundancy: if the importance of
      availability is low, the cost of redundancy can
      be avoided.
    • Where to place authentication and authorization
      controls: if information needs to be highly
      accurate (integrity is high) but widely
      accessible (confidentiality is low), we would
      restrict who may change or publish the
      information, but not who may access the
      information for viewing (e.g. general health
      information published on an HSC web site for
      community use).
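As an added example (not part of the workshop materials), the Python script below applies the control-design reasoning of this slide to classification records taken from the tables on slides 11 and 12: it derives read-restriction, write-restriction and redundancy decisions from the Confidentiality / Integrity / Availability ratings, and checks each approved classification against an invariant that holds for every row of the slide 11 table. The Low/Medium thresholds and that invariant are assumptions of this example, not rules stated by the workshop.

```python
from dataclasses import dataclass

# Rating scale used on the workshop slides.
LEVELS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    classification: str  # Restricted / Sensitive / Operational / Unrestricted
    designee: str


# Four rows copied from the slide 11/12 tables (constructed sample input).
INVENTORY = [
    InfoType("The medical record", "High", "High", "High", "Restricted", "D. White, MD"),
    InfoType("Department staff listing with Personal Identification Information",
             "High", "Low", "Low", "Restricted", "T. Smith"),
    InfoType("UF HSC endorsed and recommended general health information",
             "Low", "High", "Medium", "Sensitive", "D. White, MD"),
    InfoType("UF HSC Clinic and Physician directory, maps to clinics",
             "Low", "Medium", "Medium", "Operational", "T. Smith"),
]


def required_controls(item):
    """Derive control decisions from the CIA ratings, following slide 15:
    restrict viewing only when confidentiality matters, restrict changes only
    when integrity matters, pay for redundancy only when availability is high.
    Treating Medium as 'matters' for C and I is an assumption of this example."""
    for level in (item.confidentiality, item.integrity, item.availability):
        if level not in LEVELS:
            raise ValueError(f"unknown rating {level!r} for {item.name}")
    controls = set()
    if item.confidentiality != "Low":
        controls.add("restrict-read")    # authentication + authorization to view
    if item.integrity != "Low":
        controls.add("restrict-write")   # authorization to change or publish
    if item.availability == "High":
        controls.add("redundancy")       # redundant hosting / tested backups
    return controls


def classification_conflicts(items):
    """Flag rows whose approved classification disagrees with the ratings.
    Assumed invariant (true of every slide 11 row): High confidentiality
    rows are Restricted, and only those rows are."""
    return [i.name for i in items
            if (i.confidentiality == "High") != (i.classification == "Restricted")]
```

Running `required_controls` over the general health information row yields only `restrict-write`, which is the slide's own example: lock down who may publish, not who may read.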

16
Questions?
17
Information Systems Inventory
  • Why Inventory?
  • What is an Information System?
  • Device Inventory
  • Software Inventory
  • Mission Crucial Systems

18
Information Systems Inventory Handouts
  • Device and Software Inventory Template
  • Crucial Information Systems Inventory Template

19
Why Inventory?
  • Can't protect it if you don't know
    • What you have
    • Where it is
  • Avoid friendly fire (from the incident response team)
  • Document ownership and accountability
  • Improve service

20
Information System Definition
  • An interconnected set of information resources
    under the same direct management control that
    shares common functionality. A system normally
    includes hardware, software, information, data,
    applications, communications, and people.

National Institute of Standards and Technology,
Computer Security Division. Code of Federal
Regulations Part 164, Subpart C, 164.304
Definitions.
21
What Does an Information System Look Like?
22
What Does an Information System Look Like?
(Diagram: Networked User Workstations; Servers)
23
Devices: Servers and Workstations
  • Unique Identifier (machine or DNS name, static
    IP, MAC address)
  • OS
  • Type (desktop, mobile, server, networking,
    security appliance)
  • User (if end user workstation)
  • System Administrator
  • Location
  • Is it Crucial?
  • Does it store restricted information?

24
End User Workstation Software Inventory Strategies
  • Search and destroy
    • Armed with unauthorized/permitted software lists
      and a policy requiring restricted information to be
      secured, eliminate rather than inventory
      workstation software (note: user involvement is
      required).
  • Promote desktops as access devices rather than storage
    • To the extent possible, everything on a
      workstation should be dispensable.

25
Software
  • Product names (versus every software program)
  • Installation Date
  • Version
  • Processes Restricted Information?
  • Device(s) where installed
  • Is it Crucial?
  • Type (Office automation, application, data,
    interface, infrastructure, security control)
  • Life cycle status (development, alpha/beta,
    implementation, general availability, to be replaced,
    retired)
  • Developer (where are the bug fixes and updates
    coming from?)
  • Support contact if different from you

26
Crucial Information Systems Inventory
  • Information System Name
  • Business function
  • Restricted Information?
  • Unique identity of each of the servers that make
    up the information system
  • Location
  • External information system dependencies
  • Contact
  • ISM
  • System Administrator
  • Recoverability Objective
  • Contingency Plan status

27
Crucial Information Systems Registered with the
HSC Security Office
  • Will not be disconnected without contacting the ISM
    or System Administrator
  • Must have a 7x24 contact
  • Must have a contingency plan to
    • recover expediently from a compromised host or a
      malicious virus
  • Be prepared to notify victims of a privacy breach

28
Timing
  • Information Classification
    • Steps 1-4 (through classify): November 15, 2005
    • Step 5 (approval): November 30, 2005
    • Step 6 (communication to custodians, users):
      campaign through end of January, 2006;
      reminders ongoing
  • Crucial Information Systems
    • Create inventory records: December 31, 2005
    • Report submitted to HSC Security Office:
      December 31, 2005

Required for HSC Risk Assessment in January,
2006
29
Questions?