ISORA

State law requires that every year we perform an audit of every computer on the UT network. This is done to ensure that data on our computers is protected from unauthorized use, and also to ensure that UT operations will not be adversely affected if a computer is stolen or becomes damaged. This annual audit is conducted under the auspices of the Information Security Office and is known as ISORA (Information Security Office Risk Assessment). ISORA usually starts in July and must usually be completed by the beginning of the Fall semester.

ISORA starts with a one-time scan of the computers in the CCBB machine room and offices. This is actually not quite true, as currently the scan covers the entire SBS (School of Bioscience) network. We are then given the list of computers which have been seen in our area. Because people can come and go as they desire, we ask that you help us out by bringing students and visitors to our offices so that we can collect the identifying information that we need to complete ISORA. In fact, this should be done even if ISORA is not currently in progress. We may be mailed if a security or network performance problem occurs, and we can then respond appropriately if we know who the "offender" is. Please note that personally owned computing devices are not exempt from ISORA or other security requirements, and that hooking such a device up to the UT network is done with the knowledge that said device can be scanned, monitored, or otherwise examined to ensure compliance with UT policy.

According to ISORA, each computer must be classified according to the type of data that the computer is intended to store. The three classifications for data are Category I, Category II, and Category III. Their definitions are as follows, and are taken from the first reference below:

Category-I Data

University data protected specifically by federal or state law or University of Texas rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Business Procedure Memoranda; specific donor or employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to university contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.) are also included (see the extended list of Category I data classification examples).

Category-II Data

University data not otherwise identified as Category-I data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.

Category-III Data

University data that are not otherwise identified as Category-I or Category-II data (e.g., publicly available). Such data have no requirement for confidentiality, integrity, or availability.

Here are some more web resources for the data classification scheme:

• Overview: http://www.utexas.edu/its/policies/opsmanual/dataclassification.php

• Extended list of Cat 1 Data: http://www.utexas.edu/its/policies/opsmanual/cat-1data.php

http://www.utexas.edu/its/glossary/ gives the definitions.

A system could also qualify for CAT I if its loss or downtime would seriously impact the operations of our department or of the University. Note that UT policy has specific action items that must be taken if a system is designated as CAT I. This is to ensure that the system is appropriately protected, monitored, and maintained, and that a disaster recovery plan is in place for the system. As part of ISORA, for each CAT I system we are expected to provide the list of steps taken to meet each of these policy requirements.

Ultimately, everyone must pick the right category level for their computer. We can offer some guidelines. First, you should decide whether you would be seriously impacted if your computer crashed, or whether you would merely find it inconvenient. The intent here is to know that if disaster struck, specific plans are in place to make sure UT stays operational. Also, specifying your computer as CAT II or CAT III doesn't mean you shouldn't back it up, secure it, and be prepared for hardware failures. Also, most of us should have little need to store CAT I data on our computers, so a better choice is to use ITS' Webspace or Austin Disk Services. Both have strengths and weaknesses, but Austin Disk Services has the better overall features and functionality. It does require payment, but we can use our TRAC account to pay for it once you provide us an account number, or you can create your own TRAC account.