Security Guidelines and Data Classification

1.0 Overview
2.0 University Data Classification
3.0 The Benefits of CIS Managed Servers
4.0 Brown University Security Tiers
5.0 Choosing a Security Tier
6.0 Additional Oversight of Research Data
7.0 Related Policy

1.0 Overview

As a Tier 1 research institution, Brown University creates, collects, manages, uses and shares many types of data. As such, critical thinking and risk-based decisions must be made for the proper storage, access and security of data across the University. This document will serve as support for making these decisions.

Before deciding whether to move to a Computing & Information Services (CIS) managed service, and which security tier should be applied, the service and data owner must take into consideration certain attributes, such as the type and classification of the data involved and the access requirements that are needed.

2.0 University Data Classification

Brown currently (as of May 2015) has four levels of data classification:

  • Public: Information that can safely and appropriately be placed on external-facing websites and servers, with wide access from both Brown and the globe, with no risk to the University.
    • Examples include published research, department overviews, course catalogs, faculty and staff directory information, directory information about students who have not requested a FERPA block.
  • Internal: Daily functional data deemed not appropriate or necessary for public display.
    • Examples include academic collaboration, administrative information, management and operational data, University building plans, department information, draft research for comment, University shortIDs.
  • Confidential: Data and information that is confidential to the University, whether non-regulated or protected by law or approved data use agreements.
    • Examples include non-regulated faculty research, corporation minutes, university financial records, FERPA data, personnel records, donor information, information used to establish identity.
  • Restricted: Information and data that is protected by law, regulation, and/or data use agreements.
    • Examples include personally identifiable information, PCI-DSS, FERPA, HIPAA, ePHI, Human Subject Data, identifiable financial or health information, high-risk research data.

3.0 The Benefits of CIS Managed Servers

CIS architects and manages the main University data center, which is considered to be a core competency and center of excellence of CIS. CIS oversees more than 700 managed servers that serve all areas of Brown. These servers are located in a highly secure and controlled data center, with redundant power, cooling and generation, fire suppression, backup and restore capabilities, and automated monitoring.

CIS provides server management that includes OS hardening during image build, centralized account provisioning/deprovisioning, OS patching and firmware updates, and the ability to quickly add storage, processing and server instances.

In addition, CIS provides centralized host-based and firewall IP rules, infrastructure and system monitoring with 24x7 escalation procedures, high availability through redundant network routers and switches, and load balancing.

Data protection includes data backup and recovery options, business continuity, and the availability for periodic security and vulnerability scanning.

4.0 Brown University Security Tiers

  • Base Level Tier: Appropriate for public information and some internal information.
    • CIS base-level, default managed server; less stringent security and wide access; host-based firewalls; no network-based Access Control List (“ACL”) by default (but one can be requested).
  • Intermediate Level Tier: Appropriate for internal information and some confidential information.
    • Includes the base-level controls, with network Access Control Lists for added security and more stringent access.
  • High Level Tier: Appropriate for confidential and some restricted information.
    • CIS-managed increased security for servers that control access to other servers, network equipment, databases and storage; ACLs are standard.
  • Research / Restricted Level Tier: Specialized managed servers and storage for restricted and regulated research information, which can include the following:
    • A highly secure computing environment for sensitive and protected data that is reviewed for HIPAA requirements.
    • Secure remote access, utilizing encrypted VPN (Virtual Private Networking) with two-step verification. Access to each virtual network can be limited to a single PI, or can be expanded to additional students or staff authorized by the PI.
    • Firewall rules specific to the server, accessible from within the Brown campus network and to authorized external IPs on a case-by-case basis. All network connections to this area pass through two firewalls: a host-based firewall on the VPN server and a dedicated firewall in front of the VPN server.
    • Physical access controlled by badge and sign-in with video surveillance; servers are stored in a locked rack in the CIS data center on the Brown campus. Only specific CIS staff have access to this locked rack.
    • Data transfer: All data transfers to and from this area must be authorized by CIS staff, and will take place through a staging area accessed with the SCP (Secure Copy) protocol using two-step verification. Once uploaded, data is only accessible from virtual machines within the data center.
    • Data encryption: all data will be encrypted both at rest and in transit.
    • Secure backups: data will be backed up per CIS standards, or to meet specific data use agreements. All backups will be encrypted.

5.0 Choosing a Security Tier

Choosing the appropriate security tier is the responsibility of the service owner. When deciding which security option is best, the service owner must address the security requirements of the service and/or the requirements in the data use agreement, and may consult with CIS and non-CIS experts to determine the appropriate tier. When making the decision, some of the important considerations are:

  • What are the specific requirements that are mandated in the data use agreement?
  • What are the requirements relative to confidentiality or privacy of the data owner?
  • What is the risk to the university, or the data owner, if the data is exposed or breached?
  • What type of data resides on the machine?
  • What service is offered over the network?
  • Who is the audience (individual/named researchers, campus, world-wide)?
  • Who needs direct access (login) to the machine?
  • What are the applicable laws and regulations, such as HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), FISMA (Federal Information Security Management Act), or PCI (payment card industry)?

6.0 Additional Oversight of Research Data

As a research institution, Brown collects, stores and utilizes large amounts of research data which may be restricted, confidential and protected. In addition to the stipulations on handling such data as outlined in this policy, guidance and oversight are provided by the Office of the Vice President of Research (OVPR). The OVPR, through the Office of Sponsored Projects (OSP) and the Research Protections Office (RPO), assists faculty in ensuring that research complies with institutional and federal standards, beginning with proposal preparation and review, and extending throughout the performance of the research and into evaluation and reporting of research results. Additional guidance and support can be found on the Research Administration, Policies, Procedures & Forms page.

7.0 Related Policy

Policy on the Handling of Brown Restricted Information

Effective Date: February, 2016