Arkansas Administrative Code
Agency 200 - Office of Information Technology
Rule 200.00.05-003 - Data and System Security Classification Standard
Current through Register Vol. 49, No. 9, September, 2024
1.0 Purpose
This document presents a framework through which Arkansas' agencies, boards, commissions, and institutions of higher education can classify data and systems across the two spectrums of (1) data sensitivity and (2) data and system criticality. Once data is classified by the agency or institution of higher education, then appropriate security measures can be applied.
2.0 Scope
This standard statement applies to all state agencies, boards, commissions and institutions of higher education.
3.0 Background
The Arkansas Information Systems Act of 1997 (Act 914, 1997) gives the Office of Information Technology the authority to define standards, policies and procedures to manage the information resources within the state. This is accomplished through work with a multi-agency working group known as the Shared Technical Architecture Team.
In addition, Act 1042 of 2001 states that the Executive Chief Information Officer oversees the development of information technology security policy for state agencies. The State Security Office, under the state's Executive Chief Information Officer, defines an environment for strategic security architecture and sets security standards and policies for information technology in state government. In order to apply appropriate security measures, data must first be classified to determine its sensitivity and required availability.
4.0 References
5.0 Standard
Data Sensitivity Levels
LEVEL A - UNRESTRICTED
Unrestricted data is characterized as being open public data with no distribution limitations and to which anonymous access is allowed.
These data elements form information that is actively made publicly available by state government. It is published and distributed freely, without restriction. It is available in the form of physical documents such as brochures, formal statements, press releases, reports that are made freely available, and in electronic form such as internet web pages and bulletin boards accessible with anonymous access.
The greatest security threat to this data is from unauthorized or unintentional alteration, distortion, or destruction of this data. Security efforts appropriate to the criticality of the system containing this data must be taken to maintain its integrity. Examples of data at this sensitivity level include many agency public websites.
LEVEL B - SENSITIVE
These data elements are the information that is made available through open records requests or other formal or legal processes. This category includes the majority of the data contained within the state government electronic databases. Direct access to this data is restricted to authenticated and authorized individuals who require access to that information in the course of performing their duties.
Security threats to this data include unauthorized access, alteration and destruction concerns.
Examples:
Most data elements in state personnel records
Building code violations data
Driver history records
Collective bargaining data
Employment & training program data
Federal contracts data
Firearm permits data
Historical records repository data
Real estate appraisal data
Occupational licensing data
Personnel data
LEVEL C - VERY SENSITIVE
Data classified as being very sensitive is only available to internal authorized users and may be protected by federal and state regulations. Very sensitive data is intended for use only by individuals who require the information in the course of performing job functions. These data elements include those protected by federal and state statute or regulation. Access to these data elements is restricted to authenticated and authorized individuals who require access to that information in the course of performing their duties. These are the data elements removed from responses to information requests for reasons of privacy.
Security threats to this data include violation of privacy statutes and regulations in addition to unauthorized alteration or destruction. If this data were accessed by unauthorized persons, it could cause financial loss or allow identity theft. Unauthorized disclosure could provide significant gain to a vendor's competitors.
Examples:
Social Security numbers |
Credit card numbers |
Most home addresses |
Competitive bids |
Attorneys' files |
Civil investigative data |
Comprehensive law enforcement data |
Criminal history data |
Domestic abuse data |
Economic development assistance data |
Educational records |
Food assistance programs data |
Foster care data |
Head Start data |
Health and medical data |
Juvenile delinquent data |
Library borrower's records |
Counselors' data |
Signature imaging data |
Trade secrets data |
Welfare records/data |
LEVEL D - EXTREMELY SENSITIVE
Data classified as being extremely sensitive is data whose disclosure or corruption could be hazardous to life or health.
These data elements are the most sensitive to integrity and confidentiality risks. Access is tightly restricted with the most stringent security safeguards at the system as well as the user level. Failure to maintain the integrity and confidentiality could have severe financial, health or safety repercussions. Very strict rules must be adhered to in the usage of this data.
Examples of this data include the contents of state law enforcement investigative records and communications systems.
Criticality Levels
LEVEL 1 - NOT CRITICAL
These data and systems are necessary to state government but short-term interruption or unavailability is acceptable. They do not play any role in the scheme of the health, security, or safety of Arkansas' citizens.
LEVEL 2 - CRITICAL
These data and systems are required in order to administer functions within state government that need to be performed. Business continuity planning allows state government to continue operations in these areas within a certain period of time until the data and systems can be restored.
LEVEL 3 - EXTREMELY CRITICAL
These data and systems are critical to public health or safety and must be protected by a vital plan that would allow resumption of operations within a very short timeframe. These data and systems also require restoration of the original facilities to be able to resume business.
6.0 Procedures
Agencies and institutions of higher education should classify their data and systems according to the data and system classification standard and be able to demonstrate compliance.
7.0 Revision History
Date |
Description of Change |
5/15/2005 |
Original Standard Statement Published |
8.0 Definitions
Data is information maintained in any form within state agencies or institutions of higher education. Any grouping of data is classified at the level of its most sensitive or critical data element.
In this context, the term system is defined as a combination of hardware, software, and procedures necessary to support particular data. A server may have multiple systems and a system may require multiple servers.
9.0 Related Resources
10.0 Inquiries
Direct inquiries about this standard to:
Office of Information Technology
Shared Technical Architecture
124 West Capitol Avenue Suite 200, Little Rock, Arkansas 72201
Phone: 501-682-4300
FAX: 501-682-2040
Email: ITarch@mail.state.ar.us
OIT policies can be found on the Internet at: http://www.cio.arkansas.gov/techarch
11.0 Attachment
Data Sensitivity and System Criticality Grid
The following grid allows agencies to classify data and systems at the same time for criticality and sensitivity.