Educause Security Discussion mailing list archives
Re: Data Classification: Legal criteria
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Tue, 18 Mar 2008 15:39:58 -0600
The easiest (perhaps not best) way to define "internal" is to define the two extremes (public and confidential in your case) and then define "internal" as all data that does not fit either of the other two definitions. Essentially, the extremes are well defined and the middle ground is a catch-all. The advantage of this approach is that there is no data that defies definition. The problem with three concrete definitions is that there will always be something that doesn't meet one of the definitions. The hardest part of the above approach, which you alluded to, is a good definition for "public". Here is a link to our data classification definitions: https://www.cu.edu/policies/General/IT-Sec_InfoClassification_P.pdf Brad Judy IT Security Office University of Colorado at Boulder -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian Sent: Tuesday, March 18, 2008 12:04 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Data Classification: Legal criteria We are in the process of developing a data classification policy with three types: public, internal, and confidential. The criteria or logic behind classifying confidential data is fairly easy: FERPA, GLBA, PCI, etc, requires the confidentiality of certain data types. Yet, I am not clear on the best external criteria to use for classification of internal data. Peer institutions, "best practices" is one thought, but I'm wondering what other objective criteria people have employed for the justification of making certain kinds of data internal as opposed to public. Let me know, thanks. ~~~~~~~~~~~~~~~~~~ Brian Basgen Information Security Pima Community College
Current thread:
- Data Classification: Legal criteria Basgen, Brian (Mar 18)
- <Possible follow-ups>
- Re: Data Classification: Legal criteria Chris Gauthier (Mar 18)
- Re: Data Classification: Legal criteria David Kovarik (Mar 18)
- Re: Data Classification: Legal criteria Basgen, Brian (Mar 18)
- Re: Data Classification: Legal criteria Doug Markiewicz (Mar 18)
- Re: Data Classification: Legal criteria Bill Badertscher (Mar 18)
- Re: Data Classification: Legal criteria David Kovarik (Mar 18)
- Re: Data Classification: Legal criteria Basgen, Brian (Mar 18)
- Re: Data Classification: Legal criteria Sherry, Cathy (Mar 18)
- Re: Data Classification: Legal criteria Brad Judy (Mar 18)
- Re: Data Classification: Legal criteria Gary Dobbins (Mar 18)
- Re: Data Classification: Legal criteria Ozzie Paez (Mar 18)
- Re: Data Classification: Legal criteria Valdis Kletnieks (Mar 18)
- Re: Data Classification: Legal criteria Ced Bennett (Mar 19)