Educause Security Discussion mailing list archives
Re: Data Classification
From: "Waller, Michael A. (HSC)" <Michael-Waller () OUHSC EDU>
Date: Fri, 28 Jul 2006 16:51:43 -0500
We've adopted a policy with four levels of classification and we call them simply 'Category A' through 'Category D'. 'A' data is of the highest importance and 'D' data is essentially public data that has no security implications. Throughout our policy docs, we define sensitive data as any data classified as 'A' or 'B' - that data is subject to additional security requirements.

Any data protected by law or regulation (HIPAA, GLB, FERPA, etc.) falls into 'Category A' automatically. After that, we let the data owners classify their own data and assess its importance, with the caveat that they have to protect the data to the level of the assigned classification level.

It's a relatively new policy, however, and we're in the very early stages of implementation.

Data Classification Policy:
http://www.ouhsc.edu/it/security/documents/Data_Classification_Policy.pdf

Data Classification Standard:
http://www.ouhsc.edu/it/security/documents/Data_Classification_Standard.pdf

Mike Waller CISSP
Information Technology, Information Security Services
The University of Oklahoma Health Sciences Center

From: Tom Siu [mailto:thomas.siu () CASE EDU]
Sent: Friday, July 28, 2006 2:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification

Hello,

With some background in Department of Defense R&D, I have taken a tangent AWAY from the use of classifications that are the same as US Government classifications in the higher education domain, to avoid any misunderstandings when research grant and funding processes may be involved. Therefore, I don't have the words "confidential, secret, top-secret, tippy-top-secret" etc. in my taxonomy. I've got Tier1, Tier2, and Tier3.

Using a little guidance from NIST SP 800-60 (http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V1-final.pdf), here is the matrix that helps define the categorization of data.

Tier  Category       Confidentiality  Integrity  Availability
----  -------------  ---------------  ---------  ------------
1     Unrestricted   low              moderate   low
2     Univ Internal  moderate         moderate   moderate
3     Restricted     high             moderate   moderate

The CIA impacts are institution specific, but the categories seem to be germane to many .edu workspaces.

Regards,
Tom

Tom Siu
Chief Information Security Officer
Case
thomas.siu () case edu
www.case.edu/its