This is draft documentation for the new Information Security Policy. We are actively developing this content and are soliciting feedback on it.
The UMass Amherst Information Security Policy specifies that institutional information and research data will be categorized in alignment with federal regulations, contractual obligations, and information risk. Specific technical controls apply to each category. Data stewards are responsible for the categorization of institutional information and research data under their purview. Custodians are responsible for applying the security controls associated with each data category.
FIPS Publication 199 (FIPS-199) provides federal standards for categorizing information and information systems, and will be used by the University as a basis for Institutional Information, Research Data and Information System categorization.
In addition to the FIPS categories outlined below, institutional information and research data may carry other tags with special requirements, such as HIPAA, PCI, or CUI. Controls may need to be augmented to address all of the applicable requirements.
The categorization scheme defines three security objectives for information and information systems:
Confidentiality: "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information."
(i.e., the only people who have access to the information are the ones who should have access to it.)
Integrity: "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity."
(i.e., information is attributable, accurate, and reliable.)
Availability: "Ensuring timely and reliable access to and use of information."
(i.e., information is available when you need it.)
The categorization scheme defines the following levels of potential impact for each of the security objectives. Any one of the listed potential impacts is sufficient to indicate the level.
In a situation where the impact varies among levels, Data Stewards should use the highest impact to determine the overall level.
Low: The loss of confidentiality, integrity, or availability could have a minimal adverse effect on the campus. Potential impact might include:
- Minor harm to individuals
- Minor degradation in operational functions of an area
- Minor damage to assets
- Minor financial loss
- Minor impact to reputation
- Minor to negligible impact to missions
- May be somewhat difficult to recover from
Moderate: The loss of confidentiality, integrity, or availability could have a significant adverse effect on the campus. Potential impact might include:
- Significant harm to individuals that does not involve loss of life or serious life-threatening injuries
- Significant degradation in operational functions that reduces the effectiveness of an area
- Significant damage to assets
- Significant financial loss
- Significant impact to reputation
- Significant impact to missions
- May be difficult but not impossible to recover from
High: The loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on the organization. Potential impact might include:
- Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
- Severe degradation in operational functions that critically reduces the effectiveness or completely disrupts an area
- Severe damage to assets
- Severe financial loss
- Severe impact to reputation
- Severe impact to missions
- May be very difficult or impossible to recover from
In some instances, where information is publicly available, a loss of confidentiality has no potential impact on the organization, so the confidentiality rating can be N/A (Not Applicable). The N/A designation applies only to the confidentiality objective; it does not apply to integrity or availability, nor to any other measure of the information's importance to the university (for example, its general or reputational value).
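As an added illustration (not part of the draft policy), the following Python models the scheme described above: one impact level per security objective, N/A permitted only for confidentiality, and the high-water-mark rule for the overall level. It goes one step beyond the text by applying the same rule across several data types held by one system, which is how FIPS-199 categorizes an information system. The sample data types and the REGISTRATION_SYSTEM name are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    """Potential impact per security objective; integer order encodes the high-water mark."""
    NA = 0        # Not Applicable: public information, confidentiality objective only
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """One impact level per FIPS-199 objective, plus tags (HIPAA, PCI, CUI) that augment controls."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    tags: frozenset = frozenset()

    def __post_init__(self) -> None:
        # N/A is meaningful only for confidentiality; integrity and availability
        # always carry a real impact level, so reject anything else.
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError("N/A is permitted only for the confidentiality objective")

    def overall(self) -> Impact:
        # High-water mark: the highest impact among the three objectives sets the level.
        return max(self.confidentiality, self.integrity, self.availability)


def aggregate(categories: Iterable[SecurityCategory]) -> SecurityCategory:
    """Category for a system that stores several data types: highest impact per
    objective across all of them, with every special-requirement tag retained."""
    cats = list(categories)
    if not cats:
        raise ValueError("at least one data category is required")
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in cats),
        integrity=max(c.integrity for c in cats),
        availability=max(c.availability for c in cats),
        tags=frozenset().union(*(c.tags for c in cats)),
    )


# Constructed sample data types (illustrative values, not taken from the policy).
PUBLIC_COURSE_CATALOG = SecurityCategory(Impact.NA, Impact.MODERATE, Impact.LOW)
STUDENT_HEALTH_RECORDS = SecurityCategory(
    Impact.HIGH, Impact.HIGH, Impact.MODERATE, tags=frozenset({"HIPAA"}))
REGISTRATION_SYSTEM = aggregate([PUBLIC_COURSE_CATALOG, STUDENT_HEALTH_RECORDS])
```

A public data type still has an overall level of Moderate here, because integrity drives the rating even though confidentiality is N/A.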