Educause Security Discussion mailing list archives
Re: Security of Research Data
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 15 Sep 2006 16:07:55 -0700
In the event anyone missed it, 6 weeks ago there was a long thread entitled "Data Classification" that had many good examples of classification models, policies, etc.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College

-----Original Message-----
From: Crawford, Tim M. [mailto:tcrawford () GSB STANFORD EDU]
Sent: Wednesday, September 13, 2006 10:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

You're right that Stanford does have a classification model in use today. Here's a link:
http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html

However, there are challenges to how it is applied to data. The challenge is in educating those that have access to retrieve research data (or other types) from external sources. In some cases, we (those in security or IT) don't know about the data.

Tim

-----Original Message-----
From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
Sent: Wednesday, September 13, 2006 4:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Steve Schuster and I just had a meeting with people around the university yesterday on this issue! We have yet to determine the exact categories...and as you can see from the documents, it is a "so far" effort, not yet promulgated as policy. Georgia Tech and Stanford, among others, have what strike me as excellent models of finished data classification schemes...but as you say, one size does not fit all, so here at Cornell we are going through the exercise ourselves. I will ask Steve to chime in here because he is closer to those exact discussions -- although I hasten to add that sometimes being closer might also present some additional challenges because there are so many different interpretations that Steve has to broker the trees can get pretty thick in that forest.

Standing outside in the meadow I am getting increasingly partial to the idea of a serious set of minimum data security standards for the devices that house sensitive data (greater than our current security policy provides) and then heavy data protections for all data marts in our combined information systems that we manage for the university that inevitably include the most sensitive data and the greatest collection of it. In addition to those rules would be a set of recommended measures for the data that data stewards for shadow systems should apply. I am playing with the idea of "suggested" at the moment because I would imagine that they would become quite strict about applying them given the liabilities and their pressure in their units might have more force...it will also keep the responsibility on them and not so much on IT. The university policy process would encode that responsibility on them. Perhaps others have experience in this area? Please share? And Paul please understand that I am only at the chatting stage with you and thousands more about my morning ruminations from our meeting here yesterday. The saga will continue, and Steve may have a very different take on the matter too.

Best,
Tracy

On Sep 13, 2006, at 6:54 AM, Howell, Paul wrote:

Hi Tracy,

After reading the link, it appears that you do not use labels to identify data of varying sensitivity & criticality, and there is one minimum security guideline. Did I misread your policy and supporting materials? This sort of 'one size fits all' approach would be very difficult for us to implement.

We've had a small effort underway to identify & recommend improvements to an existing data management/security policy. For years this policy has had well defined labels "Public, Private, Confidential" that people referred to. However, while the labels look good on paper, we were missing the operational part that allowed systems around campus to be labeled & appropriate security guidelines applied.

This is the focus of our efforts now, and why I was wondering what other universities are doing in this area.

Regards.

Paul Howell, CISSP
Chief Information Technology Security Officer
The University of Michigan
Contact information is at: http://tinyurl.com/477bc

-----Original Message-----
From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
Sent: Tuesday, September 12, 2006 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Here is what we have so far on that matter, Paul, and note that the minimum security standards will exist as a url (at the bottom of the page) not hard copy in order to accommodate changes in technology that occur inevitably more quickly than the slow steps of institutional policy.

http://www.cit.cornell.edu/oit/policy/drafts/InstData.html

Best,
Tracy

On Sep 12, 2006, at 10:16 AM, Howell, Paul wrote:

So labeling by itself doesn't add a lot of value. Can some of the institutions that have implemented operational activities including security guidelines outline the approach used and how it works?

Paul Howell, CISSP
Chief Information Technology Security Officer
The University of Michigan
Contact information is at: http://tinyurl.com/477bc

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Monday, September 11, 2006 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We use "public", "regulated" and anything else is "confidential". It's not perfect, but it seems to be working so far, even though regulated data is automatically also confidential. We think it is important for individuals who generate or manage or have access to regulated data to know it - and also that they know what they are expected to do to comply.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266

-----Original Message-----
From: Delaney, Cherry L. [mailto:cdelaney () PURDUE EDU]
Sent: Wednesday, September 06, 2006 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We use Public, Sensitive and Restricted as our categories and they are well defined.

Cherry

-----Original Message-----
From: Howell, Paul [mailto:grue () UMICH EDU]
Sent: Tuesday, September 05, 2006 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Does your campus community intuitively understand the labels "Confidential, Sensitive and Public", and what research (or other) data fit into each category? We've been using similar labels for a few years and still encounter difficulties communicating the security around terms such as "Confidential" & "Sensitive". A common question is which one is higher? We reverse the order here, "Sensitive, then Private/Confidential, then Public", for example. I wish that there were generally recognized labels that we could all use and that were intuitive to the community.

< paul

-----Original Message-----
From: Steve Brukbacher [mailto:sab2 () UWM EDU]
Sent: Friday, September 01, 2006 6:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We're encouraging people to think in terms of data classification, regardless of whether it is research data or HR data or any other source. We have a high-level information security policy pending approval. Underneath that will be a data classification policy, system config guidelines, etc. In our proposed data classification guidelines, we state that research data should be considered sensitive data if it does not fall into the higher category of confidential (based on a 3-tiered classification scheme: Confidential, Sensitive and Public).

We've also implemented a file share program, Xythos, to allow researchers to share information in a manner that is safer than sending things in email attachments or opening up an FTP port on a departmental machine or sending an unencrypted CD through the mail. It allows users granular control over what UWM users can access what folders/files and related permissions. It also allows for the creation of tickets or web links to documents. While this gives whoever knows the link access to the file, it can also be password protected. As you might imagine, good user training will be key here.

We're working on developing requirements for laptop encryption apps (preferably whole hard drive) as well and hope to have something available to our users in the near future. We've seen an increase in the number of research programs going mobile, so we are responding to that increased risk.

--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224

Crawford, Tim M. wrote:

I'm curious to know what strategies others use to address research data. Is this something that you're addressing today? If so, how do you identify and protect accordingly?

Regards,
Tim
______________________________________
Tim M. Crawford
Associate Director, IT Operations
Stanford Graduate School of Business
650.724.2447
tcrawford () gsb stanford edu