State of Colorado | Governor’s Office of Information Technology - Technical Standard
Data Security Categorization
Document Owner: Chief Information Security Officer
Document ID: TS-Data Cat-001
Technical Area: Office of Information Security
Effective Date: 2015-06-19
Version: 1.0
Last Reviewed Date: 2015-06-18

1. Purpose
The purpose of this standard is to ensure that State of Colorado information assets are identified, categorized and protected throughout their lifecycles. Information must be properly managed from its creation to disposal. As with other assets, not all information has the same value or importance to the state and, therefore, requires different levels of protection. Information security categorization and data management are critical to translating such requirements into security controls, access control policies and implementation costs.

The data security categories are based on the potential impact on an agency should certain events occur which jeopardize the information and information systems needed by the agency to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day business functions and protect individuals. Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an agency.

Data categorization involves close collaboration between business units and IT organizations to work through issues that go well beyond IT. The security categorization of data is a business function, not an IT function. The categorization of data is based on business rules along with federal and state regulations.

This standard collectively applies to all information assets, including but not limited to electronic, multi-media, geospatial, paper and film. This standard supersedes the Information Asset Classification Policy, Policy # DAT 100-00.

2. Scope - Organizations Affected
This standard applies to the Governor’s Office of Information Technology (OIT) and all consolidated executive branch agencies that OIT serves.

3. References
3.1. C.R.S. § 24-37.5-401, et seq.
3.2. Senate Bill 08-155, as codified in C.R.S. § 24-37.5-101 et seq.
3.3. Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems”; Federal Information Processing Standard (FIPS) 200, “Minimum Security Requirements for Federal Information and Information Systems”

3.4. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, rev. 4, “Recommended Security Controls for Federal Information Systems”

4. Definitions
For the purposes of this document, refer to C.R.S. § 24-37.5-102 et seq. and the Colorado Information Security Program Policy Glossary for any terms not specifically defined herein. The Glossary is posted in the same location as the Colorado Information Security Policies.

4.1. Assurance: Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediate and enforce the security policy.
4.2. Authentication Credential: A type of authenticator possessed by a user that provides a strong mechanism used to prove the credential holder’s identity. Examples include a user name and password, a PKI certificate, or a Personal Identity Verification card.
4.3. Availability: The reliability and accessibility of data and resources to authorized individuals in a timely manner.
4.4. CIA: Confidentiality, Integrity, and Availability: the three security objectives for protection of information and information systems.
4.5. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
4.6. Critical Infrastructure: An application, including the physical or virtual system assets, that provides critical services to the public and whose operation serves a vital function to government but does not impact life safety.
4.7. Essential Infrastructure: An application, including the physical or virtual system assets, that provides essential services to the public and is so important to the agency that its loss or unavailability is unacceptable due to life safety issues.
4.8. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.
4.9. Information Owner: Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

4.10. Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
4.11. Information System Owner: Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. All Agency information systems are required to have a System Owner. This person is responsible for system access approvals and for annual system access reviews.
4.12. Integrity: Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
4.13. Personally Identifiable Information (PII): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
4.14. Potential Impact: There are four (4) levels of potential impact on an agency or individual should there be a breach of security (i.e., a loss of confidentiality, integrity or availability).
4.15. Public Key Infrastructure (PKI): A service that provides cryptographic keys needed to perform digital signature-based identity verification, and to protect communications and storage of sensitive data.
4.16. Security Category: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, individuals, other organizations, and the state.
4.17. Sensitive Information: Any information where the loss, misuse, unauthorized access to or modification of which could adversely affect the interest or the conduct of information systems, or the privacy to which individuals are entitled.

5. Standards

5.1. Asset Categorization Levels
Each Information System Owner is required to identify its information assets for the purpose of defining their potential impact should there be a loss of data confidentiality, integrity and/or availability (CIA). Information System Owners must use the categorization schema included in this standard to differentiate between various levels of sensitivity and value. All information assets must be categorized strictly according to their level of potential impact as follows.

5.1.1. Minimal (or Public): The loss of CIA could be expected to have a minimal adverse effect on agency operations, organizational assets or individuals.

5.2. Minimal impact data – also defined as ‘Public’ data – is characterized as having no distribution limitations and as allowing anonymous access. These data elements form information that is actively made publicly available by state government. This includes information regularly made available to the public via electronic, verbal or hardcopy media, and is governed under the Colorado Open Records Act (CORA) (C.R.S. § 24-72-201 to 24-72-309), which requires that most public records be open for inspection by the public.

5.3. Examples of the data security categorization of Minimal (or Public) include press releases, brochures, public access web sites and materials made for public consumption.

5.4. A minimal adverse effect means that, for example, the loss of confidentiality, integrity or availability might: (i) result in minimal harm to individuals.

5.5. The greatest security threat to this data is unauthorized or unintentional alteration, distortion or destruction of the data. Security efforts appropriate to the criticality of the system containing this data must be taken to maintain its integrity.

5.5.1. Low: The potential impact is Low if the loss of CIA could be expected to have a limited adverse effect on agency operations, organizational assets or individuals.

5.6. Data with a Low impact categorization is information that is made available through open records requests or other formal or legal processes. This category includes the majority of the data contained within the state government electronic . Direct access to this data is restricted to authenticated and authorized individuals who require access to the information in the course of performing their job duties.

5.7. Examples of the data security categorization of Low include (but are not limited to) most data elements in state personnel records, Personally Identifiable Information (PII), driver history records, firearm permits data, building code violations data and email addresses.

5.8. A limited adverse effect means that, for example, the loss of confidentiality, integrity or availability might: (i) cause a degradation in business functionality to an extent and duration that the agency is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to agency assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

5.9. Security threats to data with a Low categorization include unauthorized access, alteration and destruction.

5.9.1. Moderate: The potential impact is Moderate if the loss of CIA could be expected to have a serious adverse effect on agency operations, organizational assets or individuals.

5.10. These data elements are available only to internal authorized users and may be protected by federal and state regulations. Moderate category data is intended for use only by individuals who require the information in the course of performing their job functions. These are the data elements removed from responses to information requests for reasons of privacy.

5.11. Examples of the data security categorization of Moderate include (but are not limited to) personnel, medical and similar data – e.g., salary data, social security information, Federal Tax Information (FTI), passwords, Social Security Administration (SSA) data, Health Insurance Portability and Accountability Act (HIPAA) data, employment history, incident response plans, financial information – and applications – e.g., payroll, procurement, inventory and other financially related systems.

5.12. A serious adverse effect means that, for example, the loss of confidentiality, integrity or availability might: (i) cause a significant degradation in business functionality to an extent and duration that the agency is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to agency assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

5.13. Security threats to this data include violation of privacy statutes and regulations in addition to unauthorized alteration or destruction. Access by unauthorized persons could cause financial loss or allow identity theft. Unauthorized disclosure could also provide significant gain to a vendor’s competitors.

5.13.1. High: The potential impact is High if the loss of CIA could be expected to have a severe or catastrophic adverse effect on agency operations, organizational assets or individuals.

5.14. These data elements are the most sensitive to integrity and confidentiality risks. Access is tightly restricted, with the most stringent security safeguards implemented at the information system level as well as the user level.

5.15. Examples of the data security categorization of High include (but are not limited to) information related to enforcement purposes, incident reports and reports of investigations.

5.16. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity or availability might: (i) cause a severe degradation in or loss of business functionality to an extent and duration that the agency is not able to perform one or more of its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in major damage to agency assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

5.17. Security threats to this data include violation of privacy statutes and regulations in addition to unauthorized alteration or destruction. Access by unauthorized persons could have severe financial or safety repercussions.

5.18. Data Storage and Transmission Matrix

Category: Public
Data Type: Minimal impact. All public data.
Stored (data at rest): No restrictions.
Handling / Transmitting: No restrictions.

Category: Low
Data Type: Limited impact. Open records requests.
Stored (data at rest): No restrictions.
Handling / Transmitting: No restrictions.

Category: Moderate
Data Type: Serious impact. PII, FTI, HIPAA, SSA, payroll.
Stored (data at rest): Encrypted when stored on removable media or portable systems which are removed from a state-controlled area.
Handling / Transmitting: Data must only be transmitted or transported when protected by an approved encryption solution. When data is stored on electronic media or a mobile computer device, the data must be encrypted at all times during physical transport. Transmission by unencrypted e-mail is prohibited.

Category: High
Data Type: Severe or catastrophic impact. CJIS, incident reports, data related to law enforcement purposes.
Stored (data at rest): Encrypted when stored on state systems where feasible. Encrypted when stored on removable media or portable systems. Encrypted when stored on systems managed by a vendor performing services for the state. CJIS data must be protected by a FIPS 140-2 certified encryption algorithm.
Handling / Transmitting: Data must only be transmitted or transported when protected by an approved encryption solution. When data is stored on electronic media or a mobile computer device, the data must be encrypted at all times during physical transport. Transmission by unencrypted e-mail is prohibited. CJIS data must be protected by a FIPS 140-2 certified encryption algorithm.

6. Compliance
All State of Colorado entities identified in the ‘Organizations Affected’ section of this standard are required to comply with this standard. Failure to comply with this standard may result in corrective and/or disciplinary action up to and including termination of employment.

7. Expiration
This standard will remain in effect until the State Chief Information Security Officer (CISO) revises, changes or terminates it.
