| Requirement | Level 1 | Level 2 | Level 3 | NSI data |
|---|---|---|---|---|
| MU Network Zone | Public services zone | TigerNet2, or behind a departmental firewall that is maintained by the Division of Information Technology; behind an IDS or IPS system | Secure server zone or e-commerce zone; behind an IDS or IPS system | Individuals managing or accessing NSI data are responsible for complying with the requirements for levels 1, 2, and 3; with National Security Decision Directives and other Federal Government directives for data and systems that are classified; and with security procedures specified by the source agency that provides the information. |
| Physical Security Requirements | Secure customer entrance or reception area; system must be locked or logged out when unattended | Secure customer entrance or reception area; MU Data Center recommended; system must be locked or logged out when unattended | MU Data Center required | See above |
| Data Access Requirements | No requirement for viewing; access to modify data must be limited to authorized individuals; authentication required for modification | Access must be limited to authorized individuals; authentication is required | Access must be limited to authorized individuals; authentication is required; transmission via secure protocols only and cannot be done via e-mail | See above |
| Granting Permission and Access Levels | No restriction for viewing; owner grants modification permissions | Owner, with approval from his or her supervisor | Owner, with approval from his or her supervisor; confidentiality agreement required | See above |
| Storage Requirements | None | Data should be stored on a secure server, not on an individual's machine; Division of IT Server, Hosting and Administration services recommended | Data must be stored on a secure server, not on an individual's machine; Division of IT Server, Hosting and Administration services recommended | See above |
| Training Requirements | Division of IT Security Awareness training recommended | Division of IT Security Awareness training required | Division of IT Security Awareness training required | See above |
| Data Disposal Guidelines | Format hard drive | Software that writes over all sectors of the hard drive | Software that writes over all sectors of the hard drive multiple times | See above |
| System Security Guidelines | Division of IT general best practices | Division of IT general best practices and operating-system-specific best practices (consult your IT Pro); industry standard application security best practices | Division of IT general best practices and operating-system-specific best practices (consult your IT Pro); industry standard application security best practices | See above |
| Remote Access Requirements | No restrictions | Restricted to local network and VPN (secure VPN pool is required if the system is behind TigerNet2) | Restricted to local network and secure VPN pool | See above |
| Backup/Disaster Recovery | Backups should be performed daily | Backups should be performed daily; at least two backups should be kept; it is strongly advised that at least one backup be stored off-site | Backups should be performed daily; at least three backups should be kept; two copies of the backup should be stored at two separate off-site locations | See above |
| Copying/Printing | No restrictions | Data should only be printed when there is a legitimate need; copies must be limited to the individuals with a need to know; data should not be sent to an unattended printer or left sitting on a printer; copies must be shredded upon disposal | Data should only be printed when a hard copy is required; copies must be limited to individuals who are authorized to view the information and have signed a confidentiality agreement; data should not be sent to an unattended printer or left sitting on a printer; copies must have a cover sheet indicating that the data is restricted; copies must be shredded upon disposal | See above |
| Audit Schedule | Schedule with ISAM if needed | Recommended | Yearly | See above |