Educause Security Discussion mailing list archives
Re: Data classification
From: Melissa Guenther <mguenther () COX NET>
Date: Mon, 12 Jul 2004 08:23:41 -0700
Data Classification is the conscious decision to assign a level of sensitivity to data as it is being created, amended, enhanced, stored, transmitted or discarded. The classification of the data should then determine the extent to which the data needs to be controlled / secured and is also indicative of its value in terms of University Assets.

The classification of data and documents is essential if you are to differentiate between that which is of little (if any) value, and that which is highly sensitive and confidential. When data is stored, whether stored, transmitted, received, created, amended or discarded, it should always be classified into an appropriate sensitivity level. For many, a simple 4 scale grade will suffice as follows:

I. Not Classified
Requires no explanation or examples.

II. Operational/Eligible for Public Release
Available to employees for normal operational use. Available to the public based on appropriate request for disclosure of information.
+ General financial data
+ Student directory data (non-opt out)
+ NetID
+ Non-confidential personnel data

III. Confidential
Information that the organization and its employees have a legal, regulatory, or social obligation to protect. Intended for use solely within defined groups in the organization.
+ Employee ID
+ Student ID
+ Employee benefit information
+ Student non-directory information

IV. Restricted
Information intended solely for restricted use within the organization and is limited to those with an explicit, predetermined "need to know". Disclosure could result in severe personal or financial damage to individuals or the organization.
+ SSN
+ Passwords/PINs
+ Credit card numbers
+ Digitized signatures
+ Encryption keys
+ Medical Records -- Employee/Student/Research Subject

----- Original Message -----
From: "Slade Griffin" <slade () UTK EDU>
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Monday, July 12, 2004 7:54 AM
Subject: [SECURITY] Data classification
All,

Does anyone on this list deal with data classification? If so I would like to discuss what levels or classifications are used in the edu community.

Thanks in advance.

Slade Griffin
ITSG
University of Tennessee
http://oit.utk.edu/infosec

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.