Educause Security Discussion mailing list archives

Re: Security of Research Data


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 15 Sep 2006 16:07:55 -0700

 In the event anyone missed it, 6 weeks ago there was a long thread
entitled "Data Classification" that had many good examples of
classification models, policies, etc. 


~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
 
 
 

-----Original Message-----
From: Crawford, Tim M. [mailto:tcrawford () GSB STANFORD EDU] 
Sent: Wednesday, September 13, 2006 10:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

You're right that Stanford does have a classification model in use today. Here's a link:

http://www.stanford.edu/group/security/securecomputing/dataclass_chart.html

However, there are challenges to how it is applied to data. The challenge is in educating those that have access to retrieve research data (or other types) from external sources. In some cases, we (those in security or IT) don't know about the data.

Tim


-----Original Message-----
From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
Sent: Wednesday, September 13, 2006 4:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Steve Schuster and I just had a meeting with people around the university yesterday on this issue!

We have yet to determine the exact categories...and as you can see from the documents, it is a "so far" effort, not yet promulgated as policy.

Georgia Tech and Stanford, among others, have what strike me as excellent models of finished data classification schemes...but as you say, one size does not fit all, so here at Cornell we are going through the exercise ourselves.

I will ask Steve to chime in here because he is closer to those exact discussions -- although I hasten to add that sometimes being closer might also present some additional challenges because there are so many different interpretations that Steve has to broker; the trees can get pretty thick in that forest.

Standing outside in the meadow I am getting increasingly partial to the idea of a serious set of minimum data security standards for the devices that house sensitive data (greater than our current security policy provides) and then heavy data protections for all data marts in our combined information systems that we manage for the university that inevitably include the most sensitive data and the greatest collection of it.  In addition to those rules would be a set of recommended measures for the data that data stewards for shadow systems should apply.  I am playing with the idea of "suggested" at the moment because I would imagine that they would become quite strict about applying them given the liabilities, and their pressure in their units might have more force...it will also keep the responsibility on them and not so much on IT.  The university policy process would encode that responsibility on them.

Perhaps others have experience in this area?  Please share?

And Paul, please understand that I am only at the chatting stage with you and thousands more about my morning ruminations from our meeting here yesterday.  The saga will continue, and Steve may have a very different take on the matter too.

Best, Tracy


On Sep 13, 2006, at 6:54 AM, Howell, Paul wrote:

Hi Tracy,

After reading the link, it appears that you do not use labels to identify data of varying sensitivity & criticality, and there is one minimum security guideline.  Did I misread your policy and supporting materials?

This sort of 'one size fits all' approach would be very difficult for us to implement.

We've had a small effort underway to identify & recommend improvements to an existing data management/security policy.  For years this policy has had well defined labels "Public, Private, Confidential" that people referred to.  However, while the labels look good on paper, we were missing the operational part that allowed systems around campus to be labeled & appropriate security guidelines applied.  This is the focus of our efforts now, and why I was wondering what other universities are doing in this area.

Regards.

Paul Howell, CISSP
Chief Information Technology Security Officer
The University of Michigan
Contact information is at: http://tinyurl.com/477bc


-----Original Message-----
From: Tracy Mitrano [mailto:tbm3 () CORNELL EDU]
Sent: Tuesday, September 12, 2006 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

Here is what we have so far on that matter, Paul, and note that the minimum security standards will exist as a url (at the bottom of the page), not hard copy, in order to accommodate changes in technology that occur inevitably more quickly than the slow steps of institutional policy.

http://www.cit.cornell.edu/oit/policy/drafts/InstData.html

Best, Tracy


On Sep 12, 2006, at 10:16 AM, Howell, Paul wrote:

So labeling by itself doesn't add a lot of value.  Can some of the institutions that have implemented operational activities including security guidelines outline the approach used and how it works?

Paul Howell, CISSP
Chief Information Technology Security Officer
The University of Michigan
Contact information is at: http://tinyurl.com/477bc



-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU]
Sent: Monday, September 11, 2006 1:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data


We use "public", "regulated" and anything else is "confidential". It's not perfect, but it seems to be working so far, even though regulated data is automatically also confidential. We think it is important for individuals who generate or manage or have access to regulated data to know it - and also that they know what they are expected to do to comply.

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer
Brown University
Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu
Office: 401-863-7266


-----Original Message-----
From: Delaney, Cherry L. [mailto:cdelaney () PURDUE EDU]
Sent: Wednesday, September 06, 2006 8:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We use Public, Sensitive and Restricted as our categories and they are well defined.


Cherry
-----Original Message-----
From: Howell, Paul [mailto:grue () UMICH EDU]
Sent: Tuesday, September 05, 2006 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data


Does your campus community intuitively understand the labels "Confidential, Sensitive and Public", and what research (or other) data fit into each category?

We've been using similar labels for a few years and still encounter difficulties communicating the security around terms such as "Confidential" & "Sensitive".  A common question is which one is higher? We reverse the order here, "Sensitive, then Private/Confidential, then Public", for example.

I wish that there were generally recognized labels that we could all use and that were intuitive to the community.


< paul


-----Original Message-----
From: Steve Brukbacher [mailto:sab2 () UWM EDU]
Sent: Friday, September 01, 2006 6:31 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security of Research Data

We're encouraging people to think in terms of data classification, regardless of whether it is research data or HR data or any other source.  We have a high-level information security policy pending approval. Underneath that will be a data classification policy, system config guidelines, etc.

In our proposed data classification guidelines, we state that research data should be considered sensitive data if it does not fall into the higher category of confidential (based on a 3-tiered classification scheme: Confidential, Sensitive and Public).

We've also implemented a file share program, Xythos, to allow researchers to share information in a manner that is safer than sending things in email attachments, opening up an FTP port on a departmental machine, or mailing an unencrypted CD.  It allows users granular control over which UWM users can access which folders/files and related permissions.  It also allows for the creation of tickets or web links to documents.  While this gives whoever knows the link access to the file, it can also be password protected.  As you might imagine, good user training will be key here.

We're working on developing requirements for laptop encryption apps (preferably whole hard drive) as well and hope to have something available to our users in the near future. We've seen an increase in the number of research programs going mobile, so we are responding to that increased risk.


--
Steve Brukbacher, CISSP
University of Wisconsin Milwaukee
Information Security Coordinator
UWM Computer Security Web Site
www.security.uwm.edu
Phone: 414.229.2224



Crawford, Tim M. wrote:
I'm curious to know what strategies others use to address research data. Is this something that you're addressing today? If so, how do you identify and protect accordingly?

Regards,

Tim

______________________________________
Tim M. Crawford
Associate Director, IT Operations
Stanford Graduate School of Business
650.724.2447
tcrawford () gsb stanford edu





