Educause Security Discussion mailing list archives

Re: Data Classification: Legal criteria


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Tue, 18 Mar 2008 15:39:58 -0600

The easiest (perhaps not best) way to define "internal" is to define the
two extremes (public and confidential in your case) and then define
"internal" as all data that does not fit either of the other two
definitions.  Essentially, the extremes are well defined and the middle
ground is a catch-all.  

The advantage of this approach is that there is no data that defies
definition.  The problem with three concrete definitions is that there
will always be something that doesn't meet one of the definitions.  

The hardest part of the above approach, which you alluded to, is a good
definition for "public". 

Here is a link to our data classification definitions:
https://www.cu.edu/policies/General/IT-Sec_InfoClassification_P.pdf

Brad Judy
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Basgen, Brian
Sent: Tuesday, March 18, 2008 12:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Data Classification: Legal criteria


 We are in the process of developing a data classification policy with
three types: public, internal, and confidential.

 The criteria or logic behind classifying confidential data is fairly
easy: FERPA, GLBA, PCI, etc., require the confidentiality of certain
data types. Yet, I am not clear on the best external criteria to use for
classification of internal data. Peer institutions, "best practices" is
one thought, but I'm wondering what other objective criteria people have
employed for the justification of making certain kinds of data internal
as opposed to public. Let me know, thanks.  

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College