Re: Data Classification: Legal criteria

[Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>]

Basgen, Brian wrote:
>  We are in the process of developing a data classification policy with
> three types: public, internal, and confidential.
>
>  The criteria or logic behind classifying confidential data is fairly
> easy: FERPA, GLBA, PCI, etc, requires the confidentiality of certain
> data types. Yet, I am not clear on the best external criteria to use for
> classification of internal data. Peer institutions, "best practices" is
> one thought, but I'm wondering what other objective criteria people have
> employed for the justification of making certain kinds of data internal
> as opposed to public. Let me know, thanks.

We are in the process of revamping our classification scheme as well.  Our approach (pending approval of course) will be to 
classify regulated data and leave everything else up to the data owner to classify.  FIPS 199 with some guidelines on 
mapping it to your classification scheme can be used to help data owners make the decision for themselves.  Some 
Universities have adopted the practice of assigning a default classification (e.g. Internal Use Only) to non-regulated data 
that has not been formally classified by its respective data owner.  I'm pushing for a similar practice here.