Re: Security of Research Data

["Crawford, Tim M." <tcrawford () GSB STANFORD EDU>]

You're right that Stanford does have a classification model in use
today. Here's a link:

http://www.stanford.edu/group/security/securecomputing/dataclass_chart.h
tml

However, there are challenges to how it is applied to data. The
challenge is in educating those that have access to retrieve research
data (or other types) from external sources. In some cases, we (those in
security or IT) don't know about the data.

Tim


-----Original Message-----
From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU] 
Sent: Wednesday, September 13, 2006 4:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Steve Schuster and I just had a meeting with people around the
university yesterday on this issue!

We have yet to determine the exact categories...and as you can see from
the documents, it is a "so far" effort, not yet promulgated as policy.

Georgia Tech and Stanford, among others, have what strike me as
excellent models of finished data classification schemes...but as you
say, one size does not fit all, so here at Cornell we are going through
the exercise ourselves.

I will ask Steve to chime in here because he is closer to those exact
discussions -- although I hasten to add that sometimes being closer
might also present some additional challenges because there are so many
different interpretations that Steve has to broker the trees can get
pretty think in that forest.

Standing outside in the meadow I am getting increasingly partial to the
idea of a serious set minimum data security standards for the devices
that house sensitive data (greater than our current security policy
provides) and then heavy data protections for all data marts in a our
combined information systems that we manage for the university that
inevitably include the most sensitive data and the greatest collection
of it.  In addition to those rules would be a set of recommended
measures for the data that data stewards for shadow systems should
apply.  I am playing with the idea of "suggested" at the moment because
I would imagine that they would become quite strict about applying them
given the liabilities and their pressure in their units might have more
force...it will also keep the responsibility on them and not so much on
IT.  The  university policy process would encode that responsibility on
them.

Perhaps others have experience in this area?  Please share?

And Paul please understand that I am only at the chatting stage with you
and thousands more about my morning ruminations from our meeting here
yesterday.  The saga will continue, and Steve may have a very different
take on the matter too.

Best, Tracy


On Sep 13, 2006, at 6:54 AM, Howell, Paul wrote:

> Hi Tracy,
>
> After reading the link, it appears that you do not use labels to 
> identify data of varying sensitivity & criticality, and there is one 
> minimum security guideline.  Did I miss read you policy and supporting

> materials?
>
> This sort of 'one size fits all' approach would be very difficult for 
> us to implement.
>
> We've had a small effort underway to identify & recommend improvements

> to an existing data management/security policy.  For years this policy

> has had well defined labels "Public, Private, Confidential' that 
> people referred to.  However, while the labels look good on paper, we 
> were missing the operational part that allowed systems around campus 
> to labeled & appropriate security guidelines applied.  This is the 
> focus of our efforts now, and why I was wondering what other 
> universities are doing in this area.
>
> Regards.
>
> Paul Howell, CISSP
> Chief Information Technology Security Officer The University of 
> Michigan Contact information is at: http://tinyurl.com/477bc
>
>
> > -----Original Message-----
> > From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
> > Sent: Tuesday, September 12, 2006 10:58 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Security of Research Data
> >
> > Here is what we have so far on that matter, Paul, and note that the 
> > minimum security standards will exist as a url (at the bottom on the
> > page) not hard copy in order to accommodate changes in technology 
> > that occur inevitably more quickly that the slow steps of 
> > institutional policy.
> >
> > http://www.cit.cornell.edu/oit/policy/drafts/InstData.html
> >
> > Best, Tracy
> >
> >
> > On Sep 12, 2006, at 10:16 AM, Howell, Paul wrote:
> >
> > > So labeling by itself doesn't add a lot of value.  Can some of the 
> > > instutions that have implemented  operational activities including 
> > > security guidelines outline the approach used and how it works?
> > >
> > > Paul Howell, CISSP
> > > Chief Information Technology Security Officer The University of 
> > > Michigan Contact information is at: http://tinyurl.com/477bc
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
> > > > Sent: Monday, September 11, 2006 1:42 PM
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > Subject: Re: [SECURITY] Security of Research Data
> > > >
> > > >
> > > > We use "public", "regulated" and anything else is "confidential".
> > > > It's
> > > > not perfect, but it seems to be working so far, even tho regulated 
> > > > data is automatically also confidential. We think it is important 
> > > > for individuals who generate or manage or have access to regulated 
> > > > data to know it - and also that they know what they are expected to

> > > > do to comply.
> > > >
> > > > Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC IT Security Officer 
> > > > Brown University Box 1885, Providence, RI 02912 
> > > > Connie_Sadler () Brown edu
> > > > Office: 401-863-7266
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Delaney, Cherry L. [mailto:cdelaney () PURDUE EDU]
> > > > Sent: Wednesday, September 06, 2006 8:49 AM
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > Subject: Re: [SECURITY] Security of Research Data
> > > >
> > > > We use Public, Sensitive and Restricted as our categories
> > and they
> > > > are
> > > > well defined.
> > > >
> > > >
> > > > Cherry
> > > > -----Original Message-----
> > > > From: Howell, Paul [mailto:grue () UMICH EDU]
> > > > Sent: Tuesday, September 05, 2006 9:14 AM
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > Subject: Re: [SECURITY] Security of Research Data
> > > >
> > > >
> > > > Does your campus community intuitively understand the labels 
> > > > "Confidential, Sensitive and Public", and what research (or
> > > > other) data
> > > > fit into each category?
> > > >
> > > > We've been using similar labels for a few years and still encounter

> > > > difficulties communicating the security around terms such as 
> > > > "Confidential" & "Sensitive".  A common question is which one is 
> > > > higher?
> > > > We reverse the order here, "Sensitive, then Private/Confidential, 
> > > > then Public", for example.
> > > >
> > > > I wish that there were generally recognized labels that we could 
> > > > all use and that were intuitive to the community.
> > > >
> > > >
> > > > < paul
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Steve Brukbacher [mailto:sab2 () UWM EDU]
> > > > > Sent: Friday, September 01, 2006 6:31 PM
> > > > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > > > Subject: Re: [SECURITY] Security of Research Data
> > > > >
> > > > > We're encouraging people to think in terms of data classification,

> > > > > regardless of whether it is research data or HR data or any other 
> > > > > source.  We have a high-level information security policy pending 
> > > > > approval. Underneath that will be a data classification
> > > > policy, system
> > > >
> > > > > config guidelines, etc.
> > > > >
> > > > > In our proposed data classification guidelines, we state
> > > > that research
> > > >
> > > > > data should be considered sensitive data if it does not
> > > > fall in to the
> > > >
> > > > > higher category of confidential (based on a 3-tiered
> > classification
> > > > > scheme, (Confidential, Sensitive and Public).
> > > > >
> > > > > We've also implemented a file share program, Xythos to allow 
> > > > > researchers
> > > > >    to share information in a manner that is safer than
> > > > sending thing
> > > > > in email attachments or opening up an FTP port on a departmental 
> > > > > machine or email an unencrypted CD through the mail.  It
> > > > allows users
> > > > > granular control over what UWM users can access what
> > > > folders/files and
> > > >
> > > > > related permissions.  It also allows for the creation of
> > tickets or
> > > > > web links to documents.  While this gives whoever knows the link 
> > > > > access to the file, it can also be password protected.  As
> > > > you might
> > > > > imagine, good user training will be key here.
> > > > >
> > > > > We're working on developing requirements for laptop
> > encryption apps
> > > > > (preferably whole hard drive) as well and hope to have something 
> > > > > available to our users in the near future. We've seen an
> > > > increase in
> > > > > the number of research programs going mobile, so we are
> > > > responding to
> > > > > that increased risk.
> > > > >
> > > > >
> > > > > --
> > > > > Steve Brukbacher, CISSP
> > > > > University of Wisconsin Milwaukee
> > > > > Information Security Coordinator
> > > > > UWM Computer Security Web Site
> > > > > www.security.uwm.edu
> > > > > Phone: 414.229.2224
> > > > >
> > > > >
> > > > >
> > > > > Crawford, Tim M. wrote:
> > > > > > I'm curious to know what strategies others use to address
> > > > > research data.
> > > > > > Is this something that you're addressing today? If so, how do you

> > > > > > identify and protect accordingly?
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Tim
> > > > > >
> > > > > > ______________________________________
> > > > > > /Tim M. Crawford/
> > > > > > /Associate Director, IT Operations/ /Stanford Graduate School of 
> > > > > > Business/ /650.724.2447/ /tcrawford () gsb stanford edu/
> > > > > <blocked::mailto:tcrawford () gsb stanford edu>
> > > > > >