Standard: ISO / Security requirements for working with sensitive data


Scope

  • All faculty and staff working with sensitive University data

Rationale

Miami University's Information Security Office (ISO) requires that these practices be followed by anyone creating, accessing, modifying, or storing sensitive information. This includes access from personal devices as well as from managed and non-managed Miami devices. Miami's Information Security Office uses the term "sensitive" to refer to all data the ISO classifies as non-public, further stratified in ascending sensitivity levels as Internal-Only, Confidential, and Restricted. Additional detail can be found in the ISO Data Classification schema.


Basic guiding principles

University systems and sensitive information should be accessed with care and with minimal retention of artifacts such as local copies or downloads.

  • Least Privilege - permissions to view, create, modify, or delete data should be restricted to only those necessary to complete job duties and functions
  • Risk-based Approach - decision making in regard to controls, required processes, and prioritization of activities should take into account the likelihood and magnitude of impact of relevant potential adverse events (ISO Risk Assessment Matrix)
  • Defense in Depth - the layering of mitigating security controls in such a way that should one fail, others will hold or limit the magnitude of impact for an adverse event
  • Minimal Collection and Retention - the collection and storage of sensitive information should be minimized to only what is necessary and required to complete job duties and that data should only be retained for as long as necessary and required (Miami's Record Retention Manual)

Standard

Requirements for devices used to access or store sensitive data

In general, avoid storing or processing Restricted data on end-user devices (University-owned or personal); however, the ISO recognizes some business needs and job duties may require doing so. Some of the following device requirements should already be in place on devices managed by Miami's IT Support groups. If you are unsure about whether a device is managed or a control requirement is in place, reach out to your local IT Support to confirm.

  • Configure settings on the device to auto-lock after no more than 20 minutes of inactivity
  • Never leave the device unlocked and unattended when Confidential or Restricted data is viewable or easily accessible
  • Never leave a mobile device unattended in a public location without reasonably securing it physically
  • Ensure the device screen is not visible to anyone not authorized to view data observable on screen
  • Always store passwords securely, such as by use of a password management tool or an encrypted and password protected file
  • Do not store passwords in web browsers or in any other insecure manner, such as in plain text or in an easily accessible location
  • Enable automatic patching and updating of operating systems and software. Patches and updates should be applied within 10 days of release if possible, but must not take longer than 30 days after release without a documented exception
  • Configure Anti-virus / Anti-malware software to run and update automatically on a daily basis
  • Configure settings on the device to require a password or biometric factor on start-up, login, and unlock. Miami's Password Standard contains additional details and requirements for password creation
  • Use passphrase (password) protected SSH keys to access remote systems, where possible
  • Limit the use of administrator permissions as much as possible. The ISO recognizes that users on personal devices frequently work in "admin mode", which is acceptable use
  • Disable or remove any unnecessary user or system accounts
  • Configure full-disk encryption, such as BitLocker or FileVault, on mobile devices (laptops, tablets, cell phones, etc.) and end-user devices used to access or store Restricted data. This applies to personal devices as well, but if this presents a challenge reach out to the ISO at infosec@miamioh.edu for a solution or exemption.
  • Configure mobile devices used to access Confidential* or Restricted data to auto-wipe after 10 failed login attempts
  • Only access Restricted data from trusted networks. Untrusted networks include public Wi-Fi providers found in coffee shops, hotels, airports, etc. If the use of a public network is required and necessary, first connect to Miami's VPN service before accessing Restricted data
  • Additional general considerations for personal devices:
    • Devices used to routinely access Confidential* or Restricted information should be dedicated to that purpose and not "shared" among family members
    • Devices used to routinely access Confidential* or Restricted information should not be used for higher risk activities (such as gaming, cavalier file sharing or web browsing) not associated with job duties
    • If a personal device used for accessing Confidential* or Restricted information must go out for repair, only reputable vendors with clear data protection policies should be used
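The SSH key requirement above is easy to verify on a device without decrypting anything: an OpenSSH private key that was saved with an empty passphrase records cipher "none" and KDF "none" in its header, while a passphrase-protected one names a real cipher and KDF. The following check is an added example written for this page, not ISO-provided tooling. It parses the openssh-key-v1 container header and the RFC 1421 headers of legacy PEM keys; the sample keys are constructed in the block (real container format, dummy key sections) so it runs offline.

```python
import base64
import struct
from dataclasses import dataclass

# Constants from the OpenSSH private key format (PROTOCOL.key in the OpenSSH source).
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"


@dataclass
class KeyProtection:
    fmt: str          # "openssh", "pem" or "pkcs8"
    encrypted: bool   # True if a passphrase is needed to use the key
    cipher: str       # cipher name, or "none"
    kdf: str          # KDF name for the openssh format, "" otherwise


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Decode an SSH 'string' at offset off; returns (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def inspect_private_key(text: str) -> KeyProtection:
    """Report whether a private key file is passphrase protected; no key material is decrypted."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty input")
    if lines[0] == OPENSSH_BEGIN:
        if lines[-1] != OPENSSH_END:
            raise ValueError("missing OPENSSH footer")
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        cipher_s, kdf_s = cipher.decode("ascii"), kdf.decode("ascii")
        # ssh-keygen writes cipher "none" / kdf "none" when no passphrase was given.
        return KeyProtection("openssh", cipher_s != "none" and kdf_s != "none", cipher_s, kdf_s)
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        # PKCS#8 with PBES2; the cipher lives inside the ASN.1 structure and is not parsed here.
        return KeyProtection("pkcs8", True, "pkcs8-pbes2", "")
    if lines[0] == "-----BEGIN PRIVATE KEY-----":
        return KeyProtection("pkcs8", False, "none", "")
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA): encryption is signalled by RFC 1421 headers.
        headers = {}
        for ln in lines[1:]:
            if ":" not in ln:
                break  # blank line or start of the base64 body ends the header block
            key, value = ln.split(":", 1)
            headers[key.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "").upper() == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
        return KeyProtection("pem", encrypted, cipher, "")
    raise ValueError("unrecognized private key format")


def make_openssh_key(cipher: str, kdf: str, kdfoptions: bytes = b"") -> str:
    """Build a CONSTRUCTED sample in the openssh-key-v1 container (real header, dummy key sections)."""
    body = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfoptions) + struct.pack(">I", 1)
            + _ssh_string(b"dummy-public-key") + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(body).decode("ascii")
    return "\n".join([OPENSSH_BEGIN, *(b64[i:i + 70] for i in range(0, len(b64), 70)), OPENSSH_END]) + "\n"


# Constructed samples: a key saved with an empty passphrase, one with ssh-keygen's default
# passphrase protection (aes256-ctr + bcrypt), and a legacy PEM key with a DEK-Info header.
UNPROTECTED_KEY = make_openssh_key("none", "none")
PROTECTED_KEY = make_openssh_key("aes256-ctr", "bcrypt", _ssh_string(b"\x00" * 16) + struct.pack(">I", 16))
LEGACY_PEM_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

QUJDRA==
-----END RSA PRIVATE KEY-----
"""


def audit(keys: dict[str, str]) -> list[str]:
    """Return the names of keys that would violate the passphrase-protected SSH key requirement."""
    return [name for name, text in keys.items() if not inspect_private_key(text).encrypted]


if __name__ == "__main__":
    for name, text in {"id_ed25519": UNPROTECTED_KEY, "id_work": PROTECTED_KEY, "id_rsa_old": LEGACY_PEM_KEY}.items():
        print(name, inspect_private_key(text))
    print("unprotected:", audit({"id_ed25519": UNPROTECTED_KEY, "id_work": PROTECTED_KEY}))
```

To use it on a real device, read each file under ~/.ssh into `audit()`; a key that comes back unprotected can be fixed in place with `ssh-keygen -p -f <keyfile>`, which adds a passphrase without changing the public key.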


Requirements for accessing, storing, or transmitting sensitive data

  • Access to sensitive data must follow the need to know and least privilege principles
  • Sensitive data should only be retained for as long as necessary and required
  • Remove individual user access to sensitive data when no longer needed
  • Only work with data that is required to perform job duties
  • Remove copies of sensitive data when no longer needed
  • Only use systems and applications explicitly approved for use with the classification level of the data involved
  • When possible, redact sensitive information from a file before sharing, and be cautious that previous drafts may be stored within the file potentially containing the redacted information
  • Whenever possible use multi-factor authentication for accessing sensitive information
  • Restricted data should not be sent via email without additional protections. If sending via email is necessary and required, use a secure email platform or approved method
  • Confidential* or Restricted data should not be stored on personal devices or removable media
  • Never store Confidential* or Restricted data on non-encrypted media
  • Only share Confidential* or Restricted data with appropriate and approved entities and never with a personal account
  • When sharing files or links containing Confidential* or Restricted information, access should be set to specific users or groups ensuring only the smallest set of people have access
  • Ensure any external collaborators are aware of and following MU policy and standards for safeguarding sensitive data and that they do not forward data without proper authorization. ISO recommends providing external collaborators that may work with Confidential or Restricted Miami data with links to Miami's policies and standards and a plan outlining how to meet those requirements at the outset of collaboration
  • Limit the printing or creating of copies of Confidential* and Restricted data as much as possible. If necessary and required, ensure appropriate authorization and approval has been given by the relevant data owner(s) or steward(s) and implement sufficient controls to properly protect the data
  • Only send Confidential* or Restricted information in an encrypted fashion utilizing strong (current and free of known vulnerabilities) cipher suites. The systems and applications approved for transferring sensitive data meet these encryption requirements
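The redaction caveat above (previous drafts may still be inside the file) is concrete for Office documents: a .docx is a zip of XML parts, and a "redaction" made with Track Changes on keeps the deleted text in word/document.xml, comments sit in word/comments.xml, and the author name sits in docProps/core.xml. The scanner below is an added example written for this page, not an ISO tool. It uses only the standard library and the standard ECMA-376 part and element names; the sample documents are constructed by hand inside the block so it runs offline.

```python
import io
import re
import zipfile

# OOXML part names and WordprocessingML element names (standard, ECMA-376).
DOCUMENT_PART = "word/document.xml"
COMMENTS_PART = "word/comments.xml"
CORE_PROPS_PART = "docProps/core.xml"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

TRACKED_CHANGE_RE = re.compile(r"<w:(ins|del|moveFrom|moveTo)\b")   # revision markup
DELETED_TEXT_RE = re.compile(r"<w:delText[^>]*>(.*?)</w:delText>")  # "deleted" text still in the file
HIDDEN_RUN_RE = re.compile(r"<w:vanish\b")                         # hidden-text runs
COMMENT_RE = re.compile(r"<w:comment\b")
CREATOR_RE = re.compile(r"<dc:creator>(.*?)</dc:creator>")


def scan_docx(data: bytes) -> dict:
    """Return what a recipient could still recover from a .docx beyond its visible text."""
    findings = {"tracked_changes": 0, "deleted_text": [], "hidden_runs": 0,
                "comments": 0, "creator": "", "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if DOCUMENT_PART not in names:
            raise ValueError("not a WordprocessingML package")
        doc = z.read(DOCUMENT_PART).decode("utf-8", "replace")
        findings["tracked_changes"] = len(TRACKED_CHANGE_RE.findall(doc))
        findings["deleted_text"] = DELETED_TEXT_RE.findall(doc)
        findings["hidden_runs"] = len(HIDDEN_RUN_RE.findall(doc))
        if COMMENTS_PART in names:
            findings["comments"] = len(COMMENT_RE.findall(z.read(COMMENTS_PART).decode("utf-8", "replace")))
        if CORE_PROPS_PART in names:
            m = CREATOR_RE.search(z.read(CORE_PROPS_PART).decode("utf-8", "replace"))
            findings["creator"] = m.group(1) if m else ""
    if findings["tracked_changes"] or findings["hidden_runs"] or findings["comments"]:
        findings["verdict"] = "do not share: accept/reject changes, delete comments, remove hidden text"
    return findings


def build_sample_docx(tracked: bool, comment: bool) -> bytes:
    """CONSTRUCTED sample (minimal hand-written parts, not a real Word export) for offline testing."""
    body = "<w:p><w:r><w:t>Applicant SSN: </w:t></w:r>"
    if tracked:
        # A "redaction" done with Track Changes on: the deletion is still in the XML.
        body += ('<w:del w:id="1" w:author="editor"><w:r><w:delText>123-45-6789</w:delText></w:r></w:del>'
                 '<w:ins w:id="2" w:author="editor"><w:r><w:t>[REDACTED]</w:t></w:r></w:ins>')
    else:
        body += "<w:r><w:t>[REDACTED]</w:t></w:r>"
    body += "</w:p>"
    document = (f'<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="{W_NS}">'
                f"<w:body>{body}</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr(DOCUMENT_PART, document)
        z.writestr(CORE_PROPS_PART, '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
                   'package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
                   "<dc:creator>jdoe</dc:creator></cp:coreProperties>")
        if comment:
            z.writestr(COMMENTS_PART, f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="editor">'
                       "<w:p><w:r><w:t>confirm SSN removed before sending to vendor</w:t></w:r></w:p>"
                       "</w:comment></w:comments>")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx(tracked=True, comment=True)))
    print(scan_docx(build_sample_docx(tracked=False, comment=False)))
```

Run `scan_docx()` on the bytes of a file before it leaves the University; the `deleted_text` list is the part to show a data owner, since it is exactly the content a recipient can recover by turning "Show markup" on. Accept all changes, delete comments and use the application's document inspector before sharing, and re-scan to confirm the verdict is clean.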


Responsibilities of those with access to sensitive information

  • Stay alert; feel comfortable informing your supervisor if something happens that is not consistent with these requirements or is unexpected. Security is not a matter of blame, even if an incident results from a mistake made by an employee. The ISO values learning from mistakes and continuing to improve the security posture that protects the confidentiality, integrity, and availability of sensitive information
  • Immediately notify Miami University's Information Security Office of:
    • Any suspicion of a compromised account or device used to access sensitive information
    • Any device used to access or store sensitive information that becomes lost or stolen
    • Any suspicion or knowledge of data misuse or a practice not aligning with the requirements outlined here
  • Do not share data unless required for the other person to complete their job duties. Only share sensitive data with external parties after ensuring explicit approval from the appropriate data steward or the ISO
  • Be prepared; be familiar with the required controls and recommended practices, how to verify they are in place, and how to identify and report a security event


Exceptions

  • *Though student education records such as grades, completed assignments, and class schedules are considered Confidential, this kind of information is exempted from the specified requirements as noted
  • Exceptions to any of these requirements must be approved by the Chief Information Security Officer


Questions, concerns and problems can be directed to the following:

Appendix

Related policies and standards:

Standard Administration

Next Review Date

  • 11/1/2025


Responsible Officer

  • Vice President for Information Technology & Chief Information Officer


Contact

  • Assistant VP for IT Services Security, Compliance, and Risk Management


Approval(s) and Date(s)

  • Initial Approval: 01 November 2024


Details

Article ID: 162532
Created
Fri 11/1/24 4:33 PM
Modified
Mon 11/4/24 3:21 PM
Supported Office or Community
University Community of Students, Staff, and Faculty